DAFT: Database Audit Framework & Toolkit

This is a database auditing and assessment toolkit written in C# and inspired by PowerUpSQL. Feel free to compile it yourself or download the release from here.

DAFT: Common Command Examples

Below are a few common command examples to get you started.

List non-default databases

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "database" -n

List tables for a database

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -d "database" -m "tables"

Search for sensitive data by keyword

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5

Search for sensitive data by keyword and export results to JSON

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ColumnSampleData" --SearchKeywords="password,licence,ssn" --SampleSize=5 -j -o "sensative_data_discovered.json"

Check for default or weak passwords

DAFT.exe -i "TEST-SYSTEM\SQLEXPRESS" -m "ServerLoginDefaultPw" -c -o "default_passwords_found.csv"

Execute command through SQL Server

DAFT.exe -i "Target\Instance" -m "OSCmd" -q "whoami"

DAFT: Help

Since we lack a proper wiki at the moment, below is the help output for the tool.

DAFT.exe -?

  _____              ______ _______
 |  __ \     /\     |  ____|__   __|
 | |  | |   /  \    | |__     | |
 | |  | |  / /\ \   |  __|    | |
 | |__| | / ____ \ _| |_      | |_
 |_____(_)_/    \_(_)_(_)     |_(_)
 Database Audit Framework & Toolkit

 A NetSPI Open Source Project
 @_nullbind, @0xbadjuju


=============================================================

=============================================================

  -a, --domaincontroller=VALUE
                             Domain Controller for LDAP Queries.
  -c, --csv                  CSV Output
  -d, --database=VALUE       Database Name
  -e, --dbcredentials=VALUE  Explict database credentials.
  -f, --filters=VALUE        Explict database credentials.
  -h, --hasaccess            Filter Database that are Accessible
  -i, --instance=VALUE       Instance Name
  -j, --json                 JSON Output
  -l, --inputlist=VALUE      Input Instance List
  -m, --module=VALUE         Module to Execute
  -n, --nodefaults           Filter Out Default Databases
  -o, --output=VALUE         Output CSV File.
  -q, --query=VALUE          Query/Command to Execute
  -r, --restorestate=VALUE   If server config is altered, return it to it's
                               original state
  -s, --sysadmin             Filter Database where SysAdmin Privileges
  -u, --credentials=VALUE    Credentials to Login With
  -v, --version=VALUE        Override version detection
  -x, --xml                  XML Output
  -?, --help                 Display this message and exit
      --SubsystemFilter=VALUE
                             Agent Job Subsystem Filter
      --KeywordFilter=VALUE  Agent Job and Stored Procedure Keyword Filter
      --UsingProxyCredFilter Agent Jobs using Proxy Credentials
      --ProxyCredentialFilter=VALUE
                             Agent Job using Specific Proxy
      --AssemblyNameFilter=VALUE
                             Assembly Name
      --ExportAssembly       Export Assemblies
      --ColumnFilter=VALUE   Exact Column Name Search Filter
      --ColumnSearchFilter=VALUE
                             Column Name Wildcard Search Filter
      --TableNameFilter=VALUE
                             Table Name to Retrieve Columns From
      --SearchKeywords=VALUE Column Name Search Keyword
      --ValidateCC           Validate Data Against Luhn Algorithm
      --SampleSize=VALUE     Number of Rows to Retrieve
      --PermissionNameFilter=VALUE
                             Permission Name Filter
      --PrincipalNameFilter=VALUE
                             Principal Name Filter
      --PermissionTypeFilter=VALUE
                             Database Permission Type Filter
      --RoleOwnerFilter=VALUE
                             Role Owner Filter
      --RolePrincipalNameFilter=VALUE
                             Role Principal Name Filter
      --SchemaFilter=VALUE   Database Schema Name Filter
      --DatabaseUserFilter=VALUE
                             Database UserName Filter
      --DatabaseLinkName=VALUE
                             Database Link Name Filter
      --StartId=VALUE        Fuzzing Start ID, Defaults to Zero
      --EndId=VALUE          Fuzzing End ID, Defaults to Five
      --CredentialNameFilter=VALUE
                             Database Link Name Filter
      --ProcedureNameFilter=VALUE
                             Database Link Name Filter
      --AutoExecFilter       Database Link Name Filter
      --ShowAllAssemblyFiles Database Link Name Filter
      --TriggerNameFilter=VALUE
                             Trigger Name Filter
      --CaptureUNCPath=VALUE UNC Path to Capture Hashes
      --AuditNameFilter=VALUE

      --AuditSpecificationFilter=VALUE
                             Agent Jobs using Proxy Credentials
      --AuditActionNameFilter=VALUE
                             Agent Job using Specific Proxy
=============================================================

Options per Method:

=============================================================

AgentJob:
        -i InstanceName
        --SubsystemFilter=SUBSYSTEM
        --KeywordFilter=KEYWORD
        --UsingProxyCredentials 
        --ProxyCredentials=CREDENTIALS

AssemblyFile:
        -i InstanceName
        --AssemblyNameFilter=ASSEMBLY
        --ExportAssembly 

AuditDatabaseSpec:
        -i InstanceName

AuditPrivCreateProcedure:
        -i InstanceName

AuditPrivDbChaining:
        -i InstanceName

AuditPrivServerLink:
        -i InstanceName

AuditPrivTrustworthy:
        -i InstanceName

AuditPrivXpDirTree:
        -i InstanceName

AuditPrivXpFileExists:
        -i InstanceName

AuditRoleDbOwner:
        -i InstanceName

AuditServerSpec:
        -i InstanceName
        --AuditNameFilter=NAME
        --AuditSpecificationFilter=SPECIFICATION
        --AuditActionNameFilter=ACTION

AuditSQLiSpExecuteAs:
        -i InstanceName

AuditSQLiSpSigned:
        -i InstanceName

Column:
        -i InstanceName -d DatabaseName
        -n 
        -h 
        -s 
        --ColumnFilter=FILTER
        --ColumnSearchFilter=WILDCARD_FILTER

ColumnSampleData:
        -i InstanceName -d DatabaseName
        -n 
        -h 
        -s 
        --SearchKeywords=KEYWORDS
        --SampleSize=SIZE
        --ValidateCC 

Connection:
        -i InstanceName

Database:
        -i InstanceName -d DatabaseName
        -n 
        -h 
        -s 

DatabasePriv:
        -i InstanceName -d DatabaseName
        -n 
        --PermissionNameFilter=PERMISSION
        --PrincipalNameFilter=PRINCIPAL
        --PermissionTypeFilter=PERMISSION

DatabaseRole:
        -i InstanceName -d DatabaseName
        -n 
        --RoleOwnerFilter=OWNER
        --RolePrincipalNameFilter=PRINCIPAL

DatabaseSchema:
        -i InstanceName -d DatabaseName
        -n 
        --SchemaFilter=SCHEMA

DatabaseUser:
        -i InstanceName -d DatabaseName
        -n 
        --DatabaseUserFilter=USER
        --PrincipalNameFilter=NAME

FuzzDatabaseName:
        -i InstanceName
        -StartId=0
        --EndId=5

FuzzDomainAccount:
        -i InstanceName
        -StartId=0
        --EndId=5

FuzzObjectName:
        -i InstanceName
        -StartId=0
        --EndId=5

FuzzServerLogin:
        -i InstanceName
        --EndId=5

OleDbProvider:
        -i InstanceName

OSCmd:
        -i InstanceName -q COMMAND --RestoreState 

OSCmdAgentJob:
        -i InstanceName -q COMMAND

OSCmdOle:
        -i InstanceName -q COMMAND --RestoreState 

OSCmdPython:
        -i InstanceName -q COMMAND --RestoreState 

OSCmdR:
        -i InstanceName -q COMMAND --RestoreState 

Query:
        -i InstanceName -q QUERY

ServerConfiguration:
        -i InstanceName

ServerCredential:
        -i InstanceName
        --CredentialNameFilter=CREDENTIAL

ServerInfo:
        -i InstanceName

ServerLink:
        -i InstanceName
        --DatabaseLinkName=LINK

ServerLinkCrawl:
        -i InstanceName -q QUERY

ServerLogin:
        -i InstanceName
        --PrincipalNameFilter=NAME

ServerLoginDefaultPw:
        -i InstanceName

ServerPasswordHash:
        -i InstanceName

ServerPriv:
        -i InstanceName
        --PermissionNameFilter=PERMISSION

ServerRole:
        -i InstanceName
        --RoleOwnerFilter=ROLE
        --RolePrincipalNameFilter=NAME

ServerRoleMember:
        -i InstanceName
        --PrincipalNameFilter=NAME

ServiceAccount:
        -i InstanceName

Session:
        -i InstanceName
        --PrincipalNameFilter=NAME

StoredProcedure:
        -i InstanceName
        --ProcedureNameFilter=NAME
        --KeywordFilter=KEYWORD
        --AutoExecFilter 

StoredProcedureAutoExec:
        -i InstanceName
        --ProcedureNameFilter=NAME
        --KeywordFilter=KEYWORD

StoredProcedureCLR:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --ShowAllAssemblyFiles 

StoredProcedureXP:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --ProcedureNameFilter=NAME

SysAdminCheck:
        -i InstanceName

Tables:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 

TriggerDdl:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --TriggerNameFilter=TRIGGER

TriggerDml:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        -s 
        --TriggerNameFilter=TRIGGER

UncPathInjection:
        -i InstanceName         --UNCPath=\\IP\PATH

View:
        -i InstanceName         -d DatabaseName
        -n 
        -h 
        --TableNameFilter=TABLE
  

Authors

  • Alexander Leary (@0xbadjuju) and Scott Sutherland (@_nullbind)

License

  • BSD 3-Clause