DAFT: Database Audit Framework & Toolkit

This is a database auditing and assessment toolkit written in C# and inspired by PowerUpSQL. Feel free to compile it yourself or download the release from here.

DAFT: Common Command Examples

Below are a few common command examples to get you started.

List non-default databases

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "database" -n

List tables for a database

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -d "database" -m "tables"

Search for sensitive data by keyword

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5

Search for sensitive data by keyword and export results to JSON

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5 -j -o "sensative_data_discovered.json"

Check for default or weak passwords

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ServerLoginDefaultPw" -c -o "default_passwords_found.csv"

Execute command through SQL Server

DAFT.exe -i "Target\Instance" -m "OSCmd" -q "whoami"

DAFT: Help

Since we lack a proper wiki at the moment, the help output for the tool is reproduced below.

DAFT.exe -?

  _____              ______ _______
 |  __ \     /\     |  ____|__   __|
 | |  | |   /  \    | |__     | |
 | |  | |  / /\ \   |  __|    | |
 | |__| | / ____ \ _| |_      | |_
 |_____(_)_/    \_(_)_(_)     |_(_)
 Database Audit Framework & Toolkit

 A NetSPI Open Source Project
 @_nullbind, @0xbadjuju


=============================================================

=============================================================

  -a, --domaincontroller=VALUE
                             Domain Controller for LDAP Queries.
  -c, --csv                  CSV Output
  -d, --database=VALUE       Database Name
  -e, --dbcredentials=VALUE  Explict database credentials.
  -f, --filters=VALUE        Explict database credentials.
  -h, --hasaccess            Filter Database that are Accessible
  -i, --instance=VALUE       Instance Name
  -j, --json                 JSON Output
  -l, --inputlist=VALUE      Input Instance List
  -m, --module=VALUE         Module to Execute
  -n, --nodefaults           Filter Out Default Databases
  -o, --output=VALUE         Output CSV File.
  -q, --query=VALUE          Query/Command to Execute
  -r, --restorestate=VALUE   If server config is altered, return it to it's
                               original state
  -s, --sysadmin             Filter Database where SysAdmin Privileges
  -u, --credentials=VALUE    Credentials to Login With
  -v, --version=VALUE        Override version detection
  -x, --xml                  XML Output
  -?, --help                 Display this message and exit
      --SubsystemFilter=VALUE
                             Agent Job Subsystem Filter
      --KeywordFilter=VALUE  Agent Job and Stored Procedure Keyword Filter
      --UsingProxyCredFilter Agent Jobs using Proxy Credentials
      --ProxyCredentialFilter=VALUE
                             Agent Job using Specific Proxy
      --AssemblyNameFilter=VALUE
                             Assembly Name
      --ExportAssembly       Export Assemblies
      --ColumnFilter=VALUE   Exact Column Name Search Filter
      --ColumnSearchFilter=VALUE
                             Column Name Wildcard Search Filter
      --TableNameFilter=VALUE
                             Table Name to Retrieve Columns From
      --SearchKeywords=VALUE Column Name Search Keyword
      --ValidateCC           Validate Data Against Luhn Algorithm
      --SampleSize=VALUE     Number of Rows to Retrieve
      --PermissionNameFilter=VALUE
                             Permission Name Filter
      --PrincipalNameFilter=VALUE
                             Principal Name Filter
      --PermissionTypeFilter=VALUE
                             Database Permission Type Filter
      --RoleOwnerFilter=VALUE
                             Role Owner Filter
      --RolePrincipalNameFilter=VALUE
                             Role Principal Name Filter
      --SchemaFilter=VALUE   Database Schema Name Filter
      --DatabaseUserFilter=VALUE
                             Database UserName Filter
      --DatabaseLinkName=VALUE
                             Database Link Name Filter
      --StartId=VALUE        Fuzzing Start ID, Defaults to Zero
      --EndId=VALUE          Fuzzing End ID, Defaults to Five
      --CredentialNameFilter=VALUE
                             Database Link Name Filter
      --ProcedureNameFilter=VALUE
                             Database Link Name Filter
      --AutoExecFilter       Database Link Name Filter
      --ShowAllAssemblyFiles Database Link Name Filter
      --TriggerNameFilter=VALUE
                             Trigger Name Filter
      --CaptureUNCPath=VALUE UNC Path to Capture Hashes
      --AuditNameFilter=VALUE

      --AuditSpecificationFilter=VALUE
                             Agent Jobs using Proxy Credentials
      --AuditActionNameFilter=VALUE
                             Agent Job using Specific Proxy
=============================================================

Options per Method:

=============================================================

AgentJob:
        -i InstanceName
        --SubsystemFilter=SUBSYSTEM
        --KeywordFilter=KEYWORD
        --UsingProxyCredentials 
        --ProxyCredentials=CREDENTIALS

AssemblyFile:
        -i InstanceName
        --AssemblyNameFilter=ASSEMBLY
        --ExportAssembly 

AuditDatabaseSpec:
        -i InstanceName

AuditPrivCreateProcedure:
        -i InstanceName

AuditPrivDbChaining:
        -i InstanceName

AuditPrivServerLink:
        -i InstanceName

AuditPrivTrustworthy:
        -i InstanceName

AuditPrivXpDirTree:
        -i InstanceName

AuditPrivXpFileExists:
        -i InstanceName

AuditRoleDbOwner:
        -i InstanceName

AuditServerSpec:
        -i InstanceName
        --AuditNameFilter=NAME
        --AuditSpecificationFilter=SPECIFICATION
        --AuditActionNameFilter=ACTION

AuditSQLiSpExecuteAs:
        -i InstanceName

AuditSQLiSpSigned:
        -i InstanceName

Column:
        -i InstanceName -d DatabaseName
        -n 
        -h 
        -s 
        --ColumnFilter=FILTER
        --ColumnSearchFilter=WILDCARD_FILTER

ColumnSampleData:
        -i InstanceName -d DatabaseName
        -n 
        -h 
        -s 
        --SearchKeywords=KEYWORDS
        --SampleSize=SIZE
        --ValidateCC 

Connection:
        -i InstanceName

Database:
        -i InstanceName -d DatabaseName
        -n 
        -h 
        -s 

DatabasePriv:
        -i InstanceName -d DatabaseName
        -n 
        --PermissionNameFilter=PERMISSION
        --PrincipalNameFilter=PRINCIPAL
        --PermissionTypeFilter=PERMISSION

DatabaseRole:
        -i InstanceName -d DatabaseName
        -n 
        --RoleOwnerFilter=OWNER
        --RolePrincipalNameFilter=PRINCIPAL

DatabaseSchema:
        -i InstanceName -d DatabaseName
        -n 
        --SchemaFilter=SCHEMA

DatabaseUser:
        -i InstanceName -d DatabaseName
        -n 
        --DatabaseUserFilter=USER
        --PrincipalNameFilter=NAME

FuzzDatabaseName:
        -i InstanceName
        -StartId=0
        --EndId=5

FuzzDomainAccount:
        -i InstanceName
        -StartId=0
        --EndId=5

FuzzObjectName:
        -i InstanceName
        -StartId=0
        --EndId=5

FuzzServerLogin:
        -i InstanceName
        --EndId=5

OleDbProvider:
        -i InstanceName

OSCmd:
        -i InstanceName -q COMMAND --RestoreState 

OSCmdAgentJob:
        -i InstanceName -q COMMAND

OSCmdOle:
        -i InstanceName -q COMMAND --RestoreState 

OSCmdPython:
        -i InstanceName -q COMMAND --RestoreState 

OSCmdR:
        -i InstanceName -q COMMAND --RestoreState 

Query:
        -i InstanceName -q QUERY

ServerConfiguration:
        -i InstanceName

ServerCredential:
        -i InstanceName
        --CredentialNameFilter=CREDENTIAL

ServerInfo:
        -i InstanceName

ServerLink:
        -i InstanceName
        --DatabaseLinkName=LINK

ServerLinkCrawl:
        -i InstanceName -q QUERY

ServerLogin:
        -i InstanceName
        --PrincipalNameFilter=NAME

ServerLoginDefaultPw:
        -i InstanceName

ServerPasswordHash:
        -i InstanceName

ServerPriv:
        -i InstanceName
        --PermissionNameFilter=PERMISSION

ServerRole:
        -i InstanceName
        --RoleOwnerFilter=ROLE
        --RolePrincipalNameFilter=NAME

ServerRoleMember:
        -i InstanceName
        --PrincipalNameFilter=NAME

ServiceAccount:
        -i InstanceName

Session:
        -i InstanceName
        --PrincipalNameFilter=NAME

StoredProcedure:
        -i InstanceName
        --ProcedureNameFilter=NAME
        --KeywordFilter=KEYWORD
        --AutoExecFilter 

StoredProcedureAutoExec:
        -i InstanceName
        --ProcedureNameFilter=NAME
        --KeywordFilter=KEYWORD

StoredProcedureCLR:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --ShowAllAssemblyFiles 

StoredProcedureXP:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --ProcedureNameFilter=NAME

SysAdminCheck:
        -i InstanceName

Tables:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 

TriggerDdl:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --TriggerNameFilter=TRIGGER

TriggerDml:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --TriggerNameFilter=TRIGGER

UncPathInjection:
        -i InstanceName         --UNCPath=\\IP\PATH

View:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        --TableNameFilter=TABLE
  

Authors

  • Alexander Leary (@0xbadjuju) and Scott Sutherland (@_nullbind)

License

  • BSD 3-Clause
