Finding Targets

This section covers the following:

  • Scanning for MySQL
  • MySQL version numbers
  • Snooping authentication

Scanning for MySQL

If you're auditing your network for MySQL servers, the first thing you'll want to know is where they are. You can do this in a number of ways:

  • By scanning the network for TCP port 3306 (the default MySQL port).
  • By scanning Windows hosts in the network for the MySQL named pipe.
  • By scanning Windows hosts for the HKEY_LOCAL_MACHINE\SOFTWARE\MySQL AB registry key.
  • By examining ODBC data sources on hosts that you have access to and listing the MySQL servers they are connected to.
  • By enumerating Services on Windows hosts and checking for MySQL.
  • By enumerating daemons on Unix hosts and checking for MySQL.

Other ways exist, but this brief list should get you started. Many of these techniques can be scripted into a general-purpose MySQL scanning tool.

MySQL Version Numbers

The next thing you'll want to know, having identified which hosts are MySQL servers, is what versions of MySQL are running on those servers. This is relatively straightforward because MySQL sends a textual version string as a banner when anyone connects to it via TCP; this was touched on in the previous chapter. Most port scanners will capture the banner that is sent to them and report on it. If your port scanner doesn't support this behavior, you can use the excellent general-purpose network tool netcat to retrieve it for you:

nc -w 1 <hostname or IP> 3306

You will see a string ...
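As an added example (not code from the book), the following Python script performs the same banner grab as the netcat command and parses the greeting the server sends before the client says anything. It also handles the ERR packet MySQL returns when the connecting host is not in its allowed-host list, which still confirms the service is MySQL even though no version is disclosed. The version string, connection id and error message are constructed sample values.

```python
import socket
import struct

def _frame(payload):
    # MySQL packet header: 3-byte little-endian payload length + 1-byte sequence id
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload

# Constructed sample: a protocol-v10 greeting as sent unsolicited on TCP 3306
SAMPLE_GREETING = _frame(
    b"\x0a"                  # protocol version 10
    + b"5.7.44-log\x00"      # server version, NUL-terminated (constructed)
    + b"\x2a\x00\x00\x00"    # connection id (constructed)
    + b"abcdefgh\x00"        # auth-plugin-data part 1 + filler byte
    + b"\xff\xf7"            # lower two bytes of capability flags
)

# Constructed sample: ERR packet returned instead of a greeting when the
# client's address is not permitted to connect (error 1130)
SAMPLE_ERR = _frame(
    b"\xff" + struct.pack("<H", 1130)
    + b"Host '10.0.0.5' is not allowed to connect to this MySQL server"
)

def parse_greeting(packet):
    """Describe a MySQL greeting or ERR packet; None if it does not look like MySQL."""
    if len(packet) < 5:
        return None
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if not payload:
        return None
    if payload[0] == 0xFF:       # ERR packet: refused before any greeting
        code = int.from_bytes(payload[1:3], "little")
        msg = payload[3:]
        if msg[:1] == b"#":      # optional '#' + 5-char SQL state prefix
            msg = msg[6:]
        return {"mysql": True, "version": None, "error": code,
                "message": msg.decode("utf-8", "replace")}
    if payload[0] != 0x0A:       # only protocol-v10 greetings are handled
        return None
    end = payload.find(b"\x00", 1)
    if end < 0:
        return None
    return {"mysql": True, "version": payload[1:end].decode("ascii", "replace"),
            "error": None, "message": None}

def grab_banner(host, port=3306, timeout=1.0):
    """Connect, read the unsolicited greeting and parse it (like nc -w 1)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return parse_greeting(s.recv(4096))
```

Running `grab_banner` against your own inventory and recording the `version` field gives the per-host version list this section asks for; a result with `error` set but no version is worth noting too, since it shows the listener is MySQL and its host filtering is in effect.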

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.