DAFT: Database Audit Framework & Toolkit
This is a database auditing and assessment toolkit written in C# and inspired by PowerUpSQL. Feel free to compile it yourself or download the release from here.
DAFT: Common Command Examples
Below are a few common command examples to get you started.
List non-default databases
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "database" -n
List table for a database
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -d "database" -m "tables"
Search for senstive data by keyword
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5
Search for senstive data by keyword and export results to json
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5 -j -o "sensative_data_discovered.json"
Check for default or weak password
DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ServerLoginDefaultPw" -c -o "default_passwords_found.csv"
Execute command through SQL Server
DAFT.exe -i "Target\Instance" -m "OSCmd" -q "whoami"
DAFT: Help
Since we lack a proper wiki at the moment below is help output for the tool.
DAFT.exe -?
_____ ______ _______
| __ \ /\ | ____|__ __|
| | | | / \ | |__ | |
| | | | / /\ \ | __| | |
| |__| | / ____ \ _| |_ | |_
|_____(_)_/ \_(_)_(_) |_(_)
Database Audit Framework & Toolkit
A NetSPI Open Source Project
@_nullbind, @0xbadjuju
=============================================================
=============================================================
-a, --domaincontroller=VALUE
Domain Controller for LDAP Queries.
-c, --csv CSV Output
-d, --database=VALUE Database Name
-e, --dbcredentials=VALUE Explict database credentials.
-f, --filters=VALUE Explict database credentials.
-h, --hasaccess Filter Database that are Accessible
-i, --instance=VALUE Instance Name
-j, --json JSON Output
-l, --inputlist=VALUE Input Instance List
-m, --module=VALUE Module to Execute
-n, --nodefaults Filter Out Default Databases
-o, --output=VALUE Output CSV File.
-q, --query=VALUE Query/Command to Execute
-r, --restorestate=VALUE If server config is altered, return it to it's
original state
-s, --sysadmin Filter Database where SysAdmin Privileges
-u, --credentials=VALUE Credentials to Login With
-v, --version=VALUE Override version detection
-x, --xml XML Output
-?, --help Display this message and exit
--SubsystemFilter=VALUE
Agent Job Subsystem Filter
--KeywordFilter=VALUE Agent Job and Stored Procedure Keyword Filter
--UsingProxyCredFilter Agent Jobs using Proxy Credentials
--ProxyCredentialFilter=VALUE
Agent Job using Specific Proxy
--AssemblyNameFilter=VALUE
Assembly Name
--ExportAssembly Export Assemblies
--ColumnFilter=VALUE Exact Column Name Search Filter
--ColumnSearchFilter=VALUE
Column Name Wildcard Search Filter
--TableNameFilter=VALUE
Table Name to Retrieve Columns From
--SearchKeywords=VALUE Column Name Search Keyword
--ValidateCC Validate Data Against Luhn Algorithm
--SampleSize=VALUE Number of Rows to Retrieve
--PermissionNameFilter=VALUE
Permission Name Filter
--PrincipalNameFilter=VALUE
Principal Name Filter
--PermissionTypeFilter=VALUE
Database Permission Type Filter
--RoleOwnerFilter=VALUE
Role Owner Filter
--RolePrincipalNameFilter=VALUE
Role Principal Name Filter
--SchemaFilter=VALUE Database Schema Name Filter
--DatabaseUserFilter=VALUE
Database UserName Filter
--DatabaseLinkName=VALUE
Database Link Name Filter
--StartId=VALUE Fuzzing Start ID, Defaults to Zero
--EndId=VALUE Fuzzing End ID, Defaults to Five
--CredentialNameFilter=VALUE
Database Link Name Filter
--ProcedureNameFilter=VALUE
Database Link Name Filter
--AutoExecFilter Database Link Name Filter
--ShowAllAssemblyFiles Database Link Name Filter
--TriggerNameFilter=VALUE
Trigger Name Filter
--CaptureUNCPath=VALUE UNC Path to Capture Hashes
--AuditNameFilter=VALUE
--AuditSpecificationFilter=VALUE
Agent Jobs using Proxy Credentials
--AuditActionNameFilter=VALUE
Agent Job using Specific Proxy
=============================================================
Options per Method:
=============================================================
AgentJob:
-i InstanceName
--SubsystemFilter=SUBSYSTEM
--KeywordFilter=KEYWORD
--UsingProxyCredentials
--ProxyCredentials=CREDENTIALS
AssemblyFile:
-i InstanceName
--AssemblyNameFilter=ASSEMBLY
--ExportAssembly
AuditDatabaseSpec:
-i InstanceName
AuditPrivCreateProcedure:
-i InstanceName
AuditPrivDbChaining:
-i InstanceName
AuditPrivServerLink:
-i InstanceName
AuditPrivTrustworthy:
-i InstanceName
AuditPrivXpDirTree:
-i InstanceName
AuditPrivXpFileExists:
-i InstanceName
AuditRoleDbOwner:
-i InstanceName
AuditServerSpec:
-i InstanceName
--AuditNameFilter=NAME
--AuditSpecificationFilter=SPECIFICATION
--AuditActionNameFilter=ACTION
AuditSQLiSpExecuteAs:
-i InstanceName
AuditSQLiSpSigned:
-i InstanceName
Column:
-i InstanceName -d DatabaseName
-n
-h
-s
--ColumnFilter=FILTER
--ColumnSearchFilter=WILDCARD_FILTER
ColumnSampleData:
-i InstanceName -d DatabaseName
-n
-h
-s
--SearchKeywords=KEYWORDS
--SampleSize=SIZE
--ValidateCC
Connection:
-i InstanceName
Database:
-i InstanceName -d DatabaseName
-n
-h
-s
DatabasePriv:
-i InstanceName -d DatabaseName
-n
--PermissionNameFilter=PERMISSION
--PrincipalNameFilter=PRINCIPAL
--PermissionTypeFilter=PERMISSION
DatabaseRole:
-i InstanceName -d DatabaseName
-n
--RoleOwnerFilter=OWNER
--RolePrincipalNameFilter=PRINCIPAL
DatabaseSchema:
-i InstanceName -d DatabaseName
-n
--SchemaFilter=SCHEMA
DatabaseUser:
-i InstanceName -d DatabaseName
-n
--DatabaseUserFilter=USER
--PrincipalNameFilter=NAME
FuzzDatabaseName:
-i InstanceName
-StartId=0
--EndId=5
FuzzDomainAccount:
-i InstanceName
-StartId=0
--EndId=5
FuzzObjectName:
-i InstanceName
-StartId=0
--EndId=5
FuzzServerLogin:
-i InstanceName
--EndId=5
OleDbProvider:
-i InstanceName
OSCmd:
-i InstanceName -q COMMAND --RestoreState
OSCmdAgentJob:
-i InstanceName -q COMMAND
OSCmdOle:
-i InstanceName -q COMMAND --RestoreState
OSCmdPython:
-i InstanceName -q COMMAND --RestoreState
OSCmdR:
-i InstanceName -q COMMAND --RestoreState
Query:
-i InstanceName -q QUERY
ServerConfiguration:
-i InstanceName
ServerCredential:
-i InstanceName
--CredentialNameFilter=CREDENTIAL
ServerInfo:
-i InstanceName
ServerLink:
-i InstanceName
--DatabaseLinkName=LINK
ServerLinkCrawl:
-i InstanceName -q QUERY
ServerLogin:
-i InstanceName
--PrincipalNameFilter=NAME
ServerLoginDefaultPw:
-i InstanceName
ServerPasswordHash:
-i InstanceName
ServerPriv:
-i InstanceName
--PermissionNameFilter=PERMISSION
ServerRole:
-i InstanceName
--RoleOwnerFilter=ROLE
--RolePrincipalNameFilter=NAME
ServerRoleMember:
-i InstanceName
--PrincipalNameFilter=NAME
ServiceAccount:
-i InstanceName
Session:
-i InstanceName
--PrincipalNameFilter=NAME
StoredProcedure:
-i InstanceName
--ProcedureNameFilter=NAME
--KeywordFilter=KEYWORD
--AutoExecFilter
StoredProcedureAutoExec:
-i InstanceName
--ProcedureNameFilter=NAME
--KeywordFilter=KEYWORD
StoredProcedureCLR:
-i InstanceName -d DatabaseName
-n
-h
-s
--ShowAllAssemblyFiles
StoredProcedureXP:
-i InstanceName -d DatabaseName
-n
-h
-s
--ProcedureNameFilter=NAME
SysAdminCheck:
-i InstanceName
Tables:
-i InstanceName -d DatabaseName
-n
-h
-s
TriggerDdl:
-i InstanceName -d DatabaseName
-n
-h
-s
--TriggerNameFilter=TRIGGER
TriggerDml:
-i InstanceName -d DatabaseName
-n
-h
-s
--TriggerNameFilter=TRIGGER
UncPathInjection:
-i InstanceName --UNCPath=\\IP\PATH
View:
-i InstanceName -d DatabaseName
-n
-h
--TableNameFilter=TABLE
Authors
- Alexander Leary (@0xbadjuju) and Scott Sutherland (@_nullbind)
License
- BSD 3-Clause