Detecting insecure configurations in MySQL servers

Insecure configurations in databases can be abused by attackers. The Center for Internet Security (CIS) publishes a security benchmark for MySQL, and Nmap's mysql-audit script can use it to audit the security configuration of a MySQL server.

This recipe shows how to detect insecure configurations in MySQL servers by using Nmap.

How to do it...

To detect insecure configurations in MySQL servers, enter the following command:

$ nmap -p3306 --script mysql-audit --script-args 'mysql-audit.username="<username>",mysql-audit.password="<password>",mysql-audit.filename=/usr/local/share/nmap/nselib/data/mysql-cis.audit' <target>

Each control is evaluated and reported as PASS, FAIL, or REVIEW. REVIEW means the script cannot decide on its own and hands the evidence back for a human judgement (for example, the list of accounts that can reach the mysql system database):

PORT     STATE SERVICE 
3306/tcp open  mysql 
| mysql-audit: 
|   CIS MySQL Benchmarks v1.0.2 
|       3.1: Skip symbolic links => PASS 
|       3.2: Logs not on system partition => PASS 
|       3.2: Logs not on database partition => PASS 
|       4.1: Supported version of MySQL => REVIEW 
|         Version: 5.1.41-3ubuntu12.10 
|       4.4: Remove test database => PASS 
|       4.5: Change admin account name => FAIL 
|       4.7: Verify Secure Password Hashes => PASS 
|       4.9: Wildcards in user hostname => PASS 
|       4.10: No blank passwords => PASS 
|       4.11: Anonymous account => PASS 
|       5.1: Access to mysql database => REVIEW 
|         Verify the following users that have access to the MySQL database 
|           user              host 
|           root              localhost 
|           root              builder64 
|           root              127.0.0.1 
|           debian-sys-maint  localhost 
|       5.2: Do not grant FILE privileges to non Admin users => PASS 
|       5.3: Do not grant PROCESS privileges to non Admin users => PASS 
|       5.4: Do not grant SUPER privileges to non Admin users => PASS 
|       5.5: Do not grant SHUTDOWN privileges to non Admin users => PASS 
|       5.6: Do not grant CREATE USER privileges to non Admin users => PASS 
|       5.7: Do not grant RELOAD privileges to non Admin users => PASS 
|       5.8: Do not grant GRANT privileges to non Admin users => PASS 
|       6.2: Disable Load data local => FAIL 
|       6.3: Disable old password hashing => PASS 
|       6.4: Safe show database => FAIL 
|       6.5: Secure auth => FAIL 
|       6.6: Grant tables => FAIL 
|       6.7: Skip merge => FAIL 
|       6.8: Skip networking => FAIL 
|       6.9: Safe user create => FAIL 
|       6.10: Skip symbolic links => FAIL 
|       
|_      The audit was performed using the db-account: root 

How it works...

The arguments -p3306 --script mysql-audit tell Nmap to run the NSE script mysql-audit against hosts where a MySQL server is found running on port 3306. The script logs in with the supplied username and password and reads server variables and the mysql system tables, so the account must be able to query them; the report ends by naming the account that was used.

The script mysql-audit was developed by Patrik Karlsson. It checks for insecure configurations by running checks derived from the CIS MySQL benchmark, read from the audit file given in mysql-audit.filename. It is also very flexible and allows custom checks by specifying an alternate rule file.

There's more...

If your MySQL server has administrative accounts other than root and debian-sys-maint, locate the following line in the audit file (mysql-cis.audit under nselib/data in your Nmap installation, for example /usr/local/share/nmap/nselib/data/mysql-cis.audit) and add them, otherwise the privileges held by those accounts will be reported as granted to non-admin users:

local ADMIN_ACCOUNTS={"root", "debian-sys-maint", "web"} 

Remember that you can write your own rules in a separate file and point the script argument mysql-audit.filename at it instead of the CIS file. Audit rules look something like the following:

test { id="3.1", desc="Skip symbolic links", sql="SHOW variables WHERE Variable_name = 'log_error' AND Value IS NOT NULL", check=function(rowstab) 
        return { status = not(isEmpty(rowstab[1])) } 
end 
} 
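A complete custom rule file in the format shown above, as an added example that is not part of the original recipe or of Nmap itself. It follows the test { id, desc, sql, check } shape the page demonstrates; the isEmpty helper is defined locally because a file loaded in place of mysql-cis.audit cannot rely on the helpers that file declares, and the assumption that check() receives the result rows as rowstab (with rowstab[1] the first row) is taken from the rule on the page. The control ids C.1 to C.3 are my own and are not CIS controls.

```lua
-- custom.audit: extra mysql-audit rules (example, not shipped with Nmap).
-- Use with:
--   nmap -p3306 --script mysql-audit --script-args \
--     'mysql-audit.username="<username>",mysql-audit.password="<password>",mysql-audit.filename=/path/to/custom.audit' <target>

-- Assumption: check() gets the result rows in rowstab; a rule passes when
-- it returns { status = true }. isEmpty() is redefined here on purpose.
local function isEmpty(t)
  return t == nil or next(t) == nil
end

-- C.1: LOAD DATA LOCAL INFILE lets a malicious or compromised server read
-- files from the connecting client; the variable should be OFF.
test { id="C.1", desc="local_infile is disabled",
  sql="SHOW VARIABLES WHERE Variable_name = 'local_infile' AND Value = 'OFF'",
  check=function(rowstab)
    return { status = not(isEmpty(rowstab[1])) }
  end
}

-- C.2: accounts whose host is the wildcard '%' accept logins from anywhere
-- on the network; the query should return no rows.
test { id="C.2", desc="No accounts with wildcard '%' host",
  sql="SELECT user, host FROM mysql.user WHERE host = '%'",
  check=function(rowstab)
    return { status = isEmpty(rowstab[1]) }
  end
}

-- C.3: secure_file_priv confines SELECT ... INTO OUTFILE / LOAD DATA to one
-- directory; an empty value means the server can write files anywhere it
-- has permission to, which is the classic path from FILE privilege to RCE.
test { id="C.3", desc="secure_file_priv restricts file operations",
  sql="SHOW VARIABLES WHERE Variable_name = 'secure_file_priv' AND Value <> ''",
  check=function(rowstab)
    return { status = not(isEmpty(rowstab[1])) }
  end
}
```

Each rule is a single SQL statement plus a predicate over its rows, so a control that needs several queries is best expressed as several rules with related ids. Keep the account used for the audit able to read mysql.user, otherwise C.2 will pass vacuously because the query returns nothing.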

MySQL servers may run on a non-standard port. Use Nmap's service detection (-sV) so the script is triggered wherever the mysql service is identified, or set the port manually with the port argument (-p):

$ nmap -sV --script mysql-audit --script-args 'mysql-audit.username="<username>",mysql-audit.password="<password>",mysql-audit.filename=/usr/local/share/nmap/nselib/data/mysql-cis.audit' <target>
$ nmap -p1234 --script mysql-audit --script-args 'mysql-audit.username="<username>",mysql-audit.password="<password>",mysql-audit.filename=/usr/local/share/nmap/nselib/data/mysql-cis.audit' <target>

See also

  • The Listing MySQL databases recipe
  • The Listing MySQL users recipe
  • The Listing MySQL variables recipe
  • The Finding root accounts with empty passwords in MySQL servers recipe
  • The Brute forcing MySQL passwords recipe