Finding root accounts with an empty password in MySQL servers
New system administrators, auto-installed software, and distracted users often make the mistake of leaving the root account of a MySQL server with no password. This is a blatant security vulnerability that could be exploited by attackers. Penetration testers and system administrators need to detect these vulnerable installations before a real attacker does.
This recipe will show you how to use Nmap to check for empty root passwords in MySQL servers.
How to do it...
Open a terminal and enter the following command:
$ nmap -p3306 --script mysql-empty-password <target>
If the root
or anonymous
accounts have an empty password, it will be shown in the script results:
| mysql-empty-password: |_Â Â Â Â root account has empty password
How it works...
The -p3306 --script mysql-empty-password
options make Nmap launch the mysql-empty-password
NSE script if a MySQL server is found running...