H4cking P@lace

DB-BRUTATOR the Multi Database scanner/auditing tool !!

2010-04-30T12:44:00.014+02:00

Hi there ,

I finally managed to take some time to release one of my tools:

db-brutator is a new database auditing tool written in Perl using JDBC drivers. It is very similar to oscanner for oracle databases but it does much more than just scanning for default accounts, it is designed to be flexible and easily customizable.

Why using it ? :

Because you want to audit all database servers with the same efficiency:

Because you want to check for specific configuration for let's say with 100 different accounts
Because you want to brute-force some of the accounts.
Because you like to retrieve all database user hashes.
Because you want to search for credentials in a huge database

Features:

Simple & efficient design
JDBC drivers => it means it can support every possible database system on the market
100 % command line interface to be able to automate
Custom SQL query
Easy database Hash extraction to john format
Specifics Word lists included
multi-threaded
Unique of his kind (to my knowledge there is no equivalent on the net)
Multi OS (OSX,Linux,Win32)
Oracle SID bruteforce
Can extract Database structure (DBS,tables,columns)
Can extract X first rows of data of each tables
Designed by a pentester for pentesters :-P
Already been tested in "real life" conditions
License: Hmm let's say it's GPL but the JDBC drivers are not

Performances:

It depends on the database, here are the results for each type of database:

Starting JDBC driver proxy on port: 63145 with driver: net.sourceforge.jtds.jdbc.Driver
Done !
Bruteforcing Password length: 1 for user: test
Bruteforcing Password length: 2 for user: test
Bruteforcing Password length: 3 for user: test
Stopping JDBC driver proxy on port: 63145
Done !
DB-brutator Scan Finished at 10/08/2009 16:21:45 duration: 2 minutes 23 seconds on host: NA on port: 1433
DB-brutator Scan Speed: 335 auth/sec
Starting JDBC driver proxy on port: 60007 with driver: com.mysql.jdbc.Driver
Done !
Bruteforcing Password length: 1 for user: test
Bruteforcing Password length: 2 for user: test
Bruteforcing Password length: 3 for user: test
Stopping JDBC driver proxy on port: 60007
Done !
DB-brutator Scan Finished at 10/08/2009 16:25:21 duration: 2 minutes 46 seconds on host: NA on port: 3306
DB-brutator Scan Speed: 288 auth/sec

Starting JDBC driver proxy on port: 64297 with driver: oracle.jdbc.driver.OracleDriver
Done !
Bruteforcing Password length: 1 for user: sys as sysdba
Bruteforcing Password length: 2 for user: sys as sysdba
Bruteforcing Password length: 3 for user: sys as sysdba
DB-brutator Scan Finished at 10/08/2009 16:47:58 duration: 18 minutes 28 seconds on host: NA on port: 1521
DB-brutator Scan Speed: 43 auth/sec

Example:

Here is a typical use to extract the most information from a database if an account (with priv ;-P) is discovered, db-brutator will list all database user, grab their hashes if possible dump all tables and columns and finally extract the 5 first rows of data of each tables:
user@host: ~$ db-brutator -ho 192.168.142.160 -port 3306 -sgbd mysql -logins /usr/local/db-brutator/dict/common_user.dic -dblist -hash -table -col -data 5 -th 1 | spc -c /usr/local/db-brutator/conf/spcrc
Result:

using supercat (spc) to colorize the log

Online Help:

Here is the help message when your launch the db-brutator without any parameter
Usage:

bin/db-brutator.pl

[-logins loginsfilename or login/passwordfilename]

[-host hostname/ip]

[-port port]

[-sgbd mysql|oracle|mssql|sybase]

(-passwords filename)

(-domain Windows Domain for NTLM auth)

(-dbname sid) => database name (only useful for oracle because a SID is required to connect), if this param is empty and the database type is oracle then a bruteforce will be performed on the SID.

(-thread x)

(-m maxqueuesize) => maximum size of queue to store in memory, it is very useful to prevent a memory leak when using huge word lists.

(-v verbose)

(-deb debug)

(-delay delay between authentication)

(-o outputfilename)

(-u list user account)

(-dba list dba user account)

(-dblist list databases)

(-hash list user hashes)

(-sql execute custom SQL query)
(-cmd execute custom system command via xp_cmdshell MSSQL/SYBASE only)

(-table list database tables)

(-column list databases)

(-data N list the N first rows of data)

(-b bruteforce) => brute force mode using the default charset file

(-len max passwd length for bruteforce)

(-char bruteforce charset file)

Important Note:

Take care of the account lockout policy on Oracle Databases (this does not affect SYS account ...)

Known Bugs or limitations:

In bruteforce mode some JDBC drivers (JTDS) do not close properly the connection, it means that after some time you will reach the limit of the max open connection on your system.

TODO:

Implement a threadsafe print Queue
Add a regexp to extract credit card number (PCI compliance check)
write a nmap script to launch db-brutator once a known database service is found

Download:
source
debian package
package using repository

Please leave comments/bugs and share if you write any improvement on it.

Enjoy Database scanning !!

Syn 'N Destroy ! (Update new version)

2009-01-02T18:22:00.015+01:00

It's time to introduce Synator a new Ultra Fast TCP Port Scanner based on the Syn Scan technique (You have already guessed that by the name right ?). It is very similar to Synscan (http://www.bindshell.net/tools/synscan) but a lot easier to use and require no compilation, it uses the libraries from SinFP (http://www.gomor.org/bin/view/Sinfp) to handle all the low level network interaction.

Why using it ? :

Now why would you use this tool instead of the widely used nmap port scanner ?

Because you don't like to wait
Because when nmap receives his acknowledgments a bit slowly (slow network or slow server) it reduces the scan speed (it takes sometime 10 minutes or more).
Because you have a huge IP range to scan and you want to be able to scan 65535 ports on all IP in a reasonable delay.

Features:

Simple & efficient design
Service identification using amap
Source Port option
Fast scan based on Nmap Top port
Fexible Slow scan to avoid scan detection (-d and -m option)

Performances:

On a good LAN network it takes approximately 2m30 sec to scan all open ports of a host.
On Internet it is quite variable but tends to settle around 2 minutes (from 1m20 sec to 2m40) when using a high speed connection against a Fast server (ideal conditions ...).

Online Help:

Here is the help message when your launch the synator without any parameter

Usage: bin/Synator2v1.pl
[-h IP]
[-s tcp|udp]
[-f OutputFilename]
(-p Destination PortNumber)
(-S Source PortNumber)
(-b Service Banner Grabbing)
(-c ShowClosedPort)
(-d DelayInSeconds)
(-m maxSynPacketBeforeDelay)
Options -p support multiple value separated by ',' and '-' ie 21,80 or 1-100.

Important Note:

Using a hostname instead of an IP address is not supported yet (is it really useful ?)
Avoid scanning with a wifi card
Avoid using synator inside a Virtual Machine, there is a high performance drop !

Known Bugs or limitations:

Synator does not work with some wifi card like the WPN311, this is bug due to libdnet that is unable to get the network configuration from the card "addr_net: undef input".

TODO:

Perform DNS resolution when a hostname is given as IP

Screenshots:

using supercat to colorize the log

Download:
source
debian package
package using repository

Introducing the Debian Repository

2009-01-02T17:46:00.003+01:00

To use the Debian package from the repository just add theses 2 lines to your /etc/apt/sources.list

deb http://ppa.launchpad.net/thr3atseek3r/ubuntu hardy main
deb-src http://ppa.launchpad.net/thr3atseek3r/ubuntu hardy main

For those using a non Debian based system I recommend retrieving the source directly using any HTTP client (who's said wget ?). Once extracted the tools should be usable right away !

PS: Don't worry if you don't have Ubuntu hardy it will work anyway as long as your distro use debian packages.

Searching for Threats ?

2009-01-02T17:09:00.007+01:00

It's the first post on my new security blog, this blog focuses on the security tools I've been using during pentest or on those that I've written specifically for certain tasks.

For all the tools I've made the common features are:

written in perl
few dependencies as possible
portability when possible
flexibility
preferred OS is Ubuntu Linux hardy but they should work on other Debian based distro as well (I'll make win32 version of some if there is a huge demand for this)
a debian package and a repository are provided

If some of you wants to give an hand to improve the tools or to contribute to this site feel free to contact me.