DAFT: Database Audit Framework & Toolkit
This is a database auditing and assessment toolkit written in C# and inspired by PowerUpSQL. Feel free to compile it yourself or download the release from here.
DAFT: Common Command Examples
Below are a few common command examples to get you started.
List non-default databases
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "database" -n
List tables for a database
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -d "database" -m "tables"
Search for sensitive data by keyword
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5
Search for sensitive data by keyword and export results to JSON
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5 -j -o "sensative_data_discovered.json"
Check for default or weak passwords
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ServerLoginDefaultPw" -c -o "default_passwords_found.csv"
Execute command through SQL Server
DAFT.exe -i "Target\Instance" -m "OSCmd" -q "whoami"
DAFT: Help
Since we lack a proper wiki at the moment, below is the help output for the tool.
DAFT.exe -?

Database Audit Framework & Toolkit
A NetSPI Open Source Project
@_nullbind, @0xbadjuju

=============================================================
=============================================================
  -a, --domaincontroller=VALUE        Domain Controller for LDAP Queries.
  -c, --csv                           CSV Output
  -d, --database=VALUE                Database Name
  -e, --dbcredentials=VALUE           Explict database credentials.
  -f, --filters=VALUE                 Explict database credentials.
  -h, --hasaccess                     Filter Database that are Accessible
  -i, --instance=VALUE                Instance Name
  -j, --json                          JSON Output
  -l, --inputlist=VALUE               Input Instance List
  -m, --module=VALUE                  Module to Execute
  -n, --nodefaults                    Filter Out Default Databases
  -o, --output=VALUE                  Output CSV File.
  -q, --query=VALUE                   Query/Command to Execute
  -r, --restorestate=VALUE            If server config is altered, return it to it's original state
  -s, --sysadmin                      Filter Database where SysAdmin Privileges
  -u, --credentials=VALUE             Credentials to Login With
  -v, --version=VALUE                 Override version detection
  -x, --xml                           XML Output
  -?, --help                          Display this message and exit
      --SubsystemFilter=VALUE         Agent Job Subsystem Filter
      --KeywordFilter=VALUE           Agent Job and Stored Procedure Keyword Filter
      --UsingProxyCredFilter          Agent Jobs using Proxy Credentials
      --ProxyCredentialFilter=VALUE   Agent Job using Specific Proxy
      --AssemblyNameFilter=VALUE      Assembly Name
      --ExportAssembly                Export Assemblies
      --ColumnFilter=VALUE            Exact Column Name Search Filter
      --ColumnSearchFilter=VALUE      Column Name Wildcard Search Filter
      --TableNameFilter=VALUE         Table Name to Retrieve Columns From
      --SearchKeywords=VALUE          Column Name Search Keyword
      --ValidateCC                    Validate Data Against Luhn Algorithm
      --SampleSize=VALUE              Number of Rows to Retrieve
      --PermissionNameFilter=VALUE    Permission Name Filter
      --PrincipalNameFilter=VALUE     Principal Name Filter
      --PermissionTypeFilter=VALUE    Database Permission Type Filter
      --RoleOwnerFilter=VALUE         Role Owner Filter
      --RolePrincipalNameFilter=VALUE Role Principal Name Filter
      --SchemaFilter=VALUE            Database Schema Name Filter
      --DatabaseUserFilter=VALUE      Database UserName Filter
      --DatabaseLinkName=VALUE        Database Link Name Filter
      --StartId=VALUE                 Fuzzing Start ID, Defaults to Zero
      --EndId=VALUE                   Fuzzing End ID, Defaults to Five
      --CredentialNameFilter=VALUE    Database Link Name Filter
      --ProcedureNameFilter=VALUE     Database Link Name Filter
      --AutoExecFilter                Database Link Name Filter
      --ShowAllAssemblyFiles          Database Link Name Filter
      --TriggerNameFilter=VALUE       Trigger Name Filter
      --CaptureUNCPath=VALUE          UNC Path to Capture Hashes
      --AuditNameFilter=VALUE
      --AuditSpecificationFilter=VALUE Agent Jobs using Proxy Credentials
      --AuditActionNameFilter=VALUE   Agent Job using Specific Proxy
=============================================================
Options per Method:
=============================================================
AgentJob: -i InstanceName --SubsystemFilter=SUBSYSTEM --KeywordFilter=KEYWORD --UsingProxyCredentials --ProxyCredentials=CREDENTIALS
AssemblyFile: -i InstanceName --AssemblyNameFilter=ASSEMBLY --ExportAssembly
AuditDatabaseSpec: -i InstanceName
AuditPrivCreateProcedure: -i InstanceName
AuditPrivDbChaining: -i InstanceName
AuditPrivServerLink: -i InstanceName
AuditPrivTrustworthy: -i InstanceName
AuditPrivXpDirTree: -i InstanceName
AuditPrivXpFileExists: -i InstanceName
AuditRoleDbOwner: -i InstanceName
AuditServerSpec: -i InstanceName --AuditNameFilter=NAME --AuditSpecificationFilter=SPECIFICATION --AuditActionNameFilter=ACTION
AuditSQLiSpExecuteAs: -i InstanceName
AuditSQLiSpSigned: -i InstanceName
Column: -i InstanceName -d DatabaseName -n -h -s --ColumnFilter=FILTER --ColumnSearchFilter=WILDCARD_FILTER
ColumnSampleData: -i InstanceName -d DatabaseName -n -h -s --SearchKeywords=KEYWORDS --SampleSize=SIZE --ValidateCC
Connection: -i InstanceName
Database: -i InstanceName -d DatabaseName -n -h -s
DatabasePriv: -i InstanceName -d DatabaseName -n --PermissionNameFilter=PERMISSION --PrincipalNameFilter=PRINCIPAL --PermissionTypeFilter=PERMISSION
DatabaseRole: -i InstanceName -d DatabaseName -n --RoleOwnerFilter=OWNER --RolePrincipalNameFilter=PRINCIPAL
DatabaseSchema: -i InstanceName -d DatabaseName -n --SchemaFilter=SCHEMA
DatabaseUser: -i InstanceName -d DatabaseName -n --DatabaseUserFilter=USER --PrincipalNameFilter=NAME
FuzzDatabaseName: -i InstanceName -StartId=0 --EndId=5
FuzzDomainAccount: -i InstanceName -StartId=0 --EndId=5
FuzzObjectName: -i InstanceName -StartId=0 --EndId=5
FuzzServerLogin: -i InstanceName --EndId=5
OleDbProvider: -i InstanceName
OSCmd: -i InstanceName -q COMMAND --RestoreState
OSCmdAgentJob: -i InstanceName -q COMMAND
OSCmdOle: -i InstanceName -q COMMAND --RestoreState
OSCmdPython: -i InstanceName -q COMMAND --RestoreState
OSCmdR: -i InstanceName -q COMMAND --RestoreState
Query: -i InstanceName -q QUERY
ServerConfiguration: -i InstanceName
ServerCredential: -i InstanceName --CredentialNameFilter=CREDENTIAL
ServerInfo: -i InstanceName
ServerLink: -i InstanceName --DatabaseLinkName=LINK
ServerLinkCrawl: -i InstanceName -q QUERY
ServerLogin: -i InstanceName --PrincipalNameFilter=NAME
ServerLoginDefaultPw: -i InstanceName
ServerPasswordHash: -i InstanceName
ServerPriv: -i InstanceName --PermissionNameFilter=PERMISSION
ServerRole: -i InstanceName --RoleOwnerFilter=ROLE --RolePrincipalNameFilter=NAME
ServerRoleMember: -i InstanceName --PrincipalNameFilter=NAME
ServiceAccount: -i InstanceName
Session: -i InstanceName --PrincipalNameFilter=NAME
StoredProcedure: -i InstanceName --ProcedureNameFilter=NAME --KeywordFilter=KEYWORD --AutoExecFilter
StoredProcedureAutoExec: -i InstanceName --ProcedureNameFilter=NAME --KeywordFilter=KEYWORD
StoredProcedureCLR: -i InstanceName -d DatabaseName -n -h -s --ShowAllAssemblyFiles
StoredProcedureXP: -i InstanceName -d DatabaseName -n -h -s --ProcedureNameFilter=NAME
SysAdminCheck: -i InstanceName
Tables: -i InstanceName -d DatabaseName -n -h -s
TriggerDdl: -i InstanceName -d DatabaseName -n -h -s --TriggerNameFilter=TRIGGER
TriggerDml: -i InstanceName -d DatabaseName -n -h -s --TriggerNameFilter=TRIGGER
UncPathInjection: -i InstanceName --UNCPath=\\IP\PATH
View: -i InstanceName -d DatabaseName -n -h --TableNameFilter=TABLE
Authors
- Alexander Leary (@0xbadjuju) and Scott Sutherland (@_nullbind)
License
- BSD 3-Clause