Monday, March 28, 2011

The Database Pillager (tool release)


The Database Pillager
(Usage Tutorial, Tool Release 0.1)


I coded up a Database Pillaging tool for multiple database types, which can be downloaded below. I would host this tool on some kind of code hosting site, but they all seem to be a pain in my ass, so it will stay in zip format until I find one that isn't a pain to use or doesn't just display all of my personal data.

UPDATED DOWNLOAD LINK v0.6: (New features have been added since this post; the syntax in this post has been updated to match.)
http://consolecowboys.org/pillager/pillage_0.6.zip

 
Why?
Since I have yet to find a post exploitation database tool that works well for me, I coded my own. This project was created to solve a recurring problem I have had searching and retrieving PCI/HIPAA data after I have compromised the domain or obtained local database credentials and I still need to prove that I have access to sensitive data. I have found this tool useful for many reasons, including finding session tokens, passwords and credit cards in databases. The Database Pillager (DBPillage) was created to fulfill the following goals and is still in active development by myself and other contributors.






Goals:
-Automatically search specified tables and databases for PCI/HIPAA data
-Validate found credit cards with Mod10 checks
-Browse and view data from specified columns
-Rip through whole database for compliance data
-Support multiple database types (Oracle, MSSQL, MySQL, PostgreSQL)



Future Plans:
-Search based on database keywords
-Add reporting in multiple formats (Web / PDF / XML)
-LDAP/AD domain integration for MSSQL
-Possible integration with OpenDLP



Tested Platform:
BT4 R2 with the cx_oracle and Postgres Python packages installed.
cx_oracle (cx-oracle.sourceforge.net)
psycopg2 (initd.org/psycopg/download/)


Overview: 
Below is a quick walkthrough on how I have used this tool effectively. I have included an Oracle example and a MySQL example. I would show MSSQL, but I don't have one handy at the moment. DBPillage has been extensively tested on Oracle and MySQL, but should also be working just fine on MSSQL and PostgreSQL; I just haven’t had as much access to MSSQL/PostgreSQL databases for testing. I am currently working on pillaging using domain credentials.



Oracle Run through on a few features: 
 
Oracle Tip:
When using Oracle, try different username/SID combinations, as some users don’t have access to some data.

Command Format for Oracle:
python dbPillage -a Ipaddress -d databaseType  -u Username -p Password --limit


All options can be viewed by typing “python dbpillage”. The last option, "limit", is a patch my coworker Tim submitted for me: if you put a number at the end of the command line it will pull only that many tables, which speeds up searches and is nice if you are using the tool to browse data rather than search data. I do, however, need to modify that to ignore NullValue tables. It’s on my ToDo list.

Note: If you just type python dbpillage.py you will also get the below help information!!!!

        [---]       The Database Pillager (DBPillage)          [---]
        [---]              Authors: Ficti0n,                               [---]
        [---]              Contributors: Steponequit                 [---]
        [---]                 Version: 0.3                                    [---]
        [---]         Find Me On Twitter: ficti0n                   [---]
       

        About:
        The Database Pillager is a multiplatform database tool for searching and browsing common database types encountered while penetration testing. DBPillage can be used to search for PCI/HIPAA data automatically or use DBPillage to browse and display data. DBpillage was designed as a post exploitation pillaging tool with a goal of targeted extraction of data without the use of database platform specific GUI based tools that are difficult to use and make my job harder.

        Supported Platforms:
        --------------------
        -Oracle
        -MSSQL
        -MYSQL
        -PostGreSQL

        Usage Examples:
        ************************************************************************
        For Mysql Postgres and MsSQL pillaging:
        ---------------------------------------
        python dbPillage -a ipaddress -d databaseType -u Username -p Password

        For Oracle pillaging you need a SID connection string:
        ------------------------------------------------------
        python dbPillage -a address/SID -d databaseType -u username -p Password

        Grab some hashes:
        -----------------
        python dbPillage -a address -d databaseType  -u username  -p Password --hashes
        ************************************************************************
        Switch Options:
        ---------------------
        -# --hashes = grab database password hashes
        -l --limit  = limit the amount of rows that are searched or when displaying data (options = any number)
        -s --searchType = Type of data search you want to perform (options:pci, hipaa, all)
        -u --user = Database servers username
        -p --pass = Password for the database server
        -a --address = Ipaddress of the database server
        -d --database = The database type you are pillageing (options: mssql,mysql,oracle,postres)

        Prerequisites:
        -------------
        python v2  (Tested on Python 2.5.2 BT4 R2)
        cx_oracle (cx-oracle.sourceforge.net)
        psycopg2  (initd.org/psycopg/download/)
        MySQLdb   (should be on BT by default)
        pymssql   (should be on BT by default)



Example 1: Cowboy Search All mode (grab every DB and table and search for CC numbers by default; use -s hipaa or all for other data searches)
 
Note: You can try this out with OracleOnVmware, that's what I used

root@bt:~/pillage# python dbPillage.py -a 192.168.1.12/XE -d oracle -u HR -p HR

Select a database user to pillage:
1: SYS
2: SYSTEM
3: OUTLN
4: DIP
5: TSMSYS
6: MDSYS
7: DBSNMP
8: FLOWS_020100
9: FLOWS_FILES
10: ANONYMOUS
11: CTXSYS
12: XDB
13: XDEV
14: HR
15: TEST
16: XDBA

Choose the database you want by typing the number next to your DB choice
Or rip through every database by typing "cowboy" to rape everything: cowboy
Parsing the the tables out of SYS database

Searching for CC cards in----Database:SYS| Table:DUAL
Searching for CC cards in----Database:SYS| Table:AUDIT_ACTIONS
Your current user doesnt have access to this table
Your current user doesnt have access to this table
Searching for CC cards in----Database:FLOWS_020100| Table:WWV_FLOW_LISTS_OF_VALUES$
Found: Mastercard:DeletedOutput
Found: Discover: DeletedOutput
Searching for CC cards in----Database:FLOWS_020100| Table:WWV_FLOW_LIST_OF_VALUES_DATA
Found: Mastercard:DeletedOutput
Found: Mastercard:DeletedOutput
Found: Visa:DeletedOutput
Found: Discover:DeletedOutput

Validating credit cards via mod-10 checksum method....

Here are all the validated credit cards found, buy me something pretty YAY
['DeletedOutput ']

These are all the possible card values found, maybe you can still sell them LOL
['DeletedOutput ']

Review the following Database:Tables pairs for sensitive data
[['FLOWS_020100', 'WWV_FLOW_LISTS_OF_VALUES$'], ['FLOWS_020100', 'WWV_FLOW_LIST_OF_VALUES_DATA']]


Example Summary: 
 
A bunch of output will be displayed. I cut most of it out for clarity because it's not necessary in this example, but you get the idea: lots of output and info, and then a small summary at the end. The end summary contains the validated cards, all the cards, and what tables and databases have sensitive data. This was all done with the single command “cowboy” to search every single DB that user had access to. I will be adding reporting to future releases of this tool.
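The two lists in the summary above are the regex candidates and the subset that passes the mod-10 (Luhn) checksum. The following is an added example, not DBPillage's own code, of that validation step run over constructed rows containing published test card numbers; the function names and simplified brand prefixes are assumptions, and hits are masked to the last four digits so the report itself never stores a full card number.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified brand prefixes (assumption: illustrative, not a full IIN table).
BRANDS = [
    ("Visa", re.compile(r"^4\d{12}(\d{3})?$")),
    ("Mastercard", re.compile(r"^5[1-5]\d{14}$")),
    ("Discover", re.compile(r"^6(011|5\d\d)\d{12}$")),
]
# Constructed sample rows using published test card numbers, not real data.
SAMPLE_ROWS = [
    ("orders", "card=4111 1111 1111 1111 exp=01/30"),
    ("orders", "ref 5555555555554444 shipped"),
    ("notes", "tracking 4111111111111112"),   # Visa-shaped, fails mod-10
    ("notes", "phone 515.123.4567"),          # too short to be a candidate
    ("billing", "6011-1111-1111-1117"),
]

def luhn_ok(digits):
    """Mod-10: double every second digit from the right, sum, test % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(digits):
    return next((name for name, pat in BRANDS if pat.match(digits)), None)

def mask(digits):
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_rows(rows):
    """Return (validated, regex_only) lists of (table, brand, masked_pan)."""
    validated, regex_only = [], []
    for table, text in rows:
        for m in CANDIDATE_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand is None:
                continue
            hit = (table, brand, mask(digits))
            (validated if luhn_ok(digits) else regex_only).append(hit)
    return validated, regex_only

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
```

The regex-only list is where false positives such as tracking or order numbers end up, which is why only checksum-validated hits should drive compliance scoping.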





Example 2: Data browsing with Result Limits of 2 records
root@bt:~/pillage# python dbPillage.py -a 192.168.1.12/XE -d oracle -u HR -p HR --limit 2
Select a database user to pillage:
1: SYS
2: SYSTEM
3: OUTLN
4: DIP
5: TSMSYS
6: MDSYS
7: DBSNMP
8: FLOWS_020100
9: FLOWS_FILES
10: ANONYMOUS
11: CTXSYS
12: XDB
13: XDEV
14: HR
15: TEST
16: XDBA

Choose the database you want by typing the number next to your DB choice
Or rip through every database by typing "cowboy" to rape everything: 14
HR

Select a table to rape and pillage:
1: REGIONS
2: COUNTRIES
3: LOCATIONS
4: DEPARTMENTS
5: JOBS
6: EMPLOYEES
7: JOB_HISTORY

Choose the number next to the table you want to search
Or you can type "all" to search every table in your chosen database: 6
You chose EMPLOYEES for pillaging

Would you like to display the data in the table or search for sensitive data??
"search" or "display" table contents:display
Searching for CC cards in----Database:HR| Table:EMPLOYEES

100
Steven
King
SKING
515.123.4567
1987-06-17 00:00:00
AD_PRES
24000.0
None
None
90
101
Neena
Kochhar
NKOCHHAR
515.123.4568
1989-09-21 00:00:00
AD_VP
17000.0
None
100
90



Example Summary:
 
In this example I browsed around the database till I found a table with some data I wanted to view. Because I set the Rate Limit to two records, I pulled back 2 full employee records and posted all of the data to the screen. This kicks serious ass if you have had the unfortunate experience of using SQL Server management console or other horrible GUIs in Windows to view or search for data. Oh, and I just noticed that the display is saying it's searching when it's actually displaying LOL… need to change that.






Example 3: MySQL run at the table level rather than DB.
Note: I just used the default BT MySQL database and added in random data.
root@bt:~/pillage# python dbPillage.py -a 127.0.0.1 -d mysql -u root -p toor

Select a database to pillage:
1: information_schema
2: PCItest
3: msf3
4: mysql

Choose the database you want by typing the number next to your DB choice
Or rip through every database by typing "cowboy" to rape everything: 3
msf3

Select a table to rape pillage:
1: attachments
2: attachments_email_templates
3: campaigns
4: clients
5: creds
6: email_addresses
7: email_templates
8: events
9: exploited_hosts
10: hosts
11: imported_creds
12: loots
13: notes
14: project_members
15: refs
16: report_templates
17: reports
18: schema_migrations
19: services
20: tasks
21: users
22: vulns
23: vulns_refs
24: web_forms
25: web_pages
26: web_sites
27: web_templates
28: web_vulns
29: wmap_requests
30: wmap_targets
31: workspaces

Choose the number next to the table you want to search
Or you can type "all" to search every table in your chosen database: all
Searching for CC cards in----Database:msf3| Table:wmap_targets
Searching for CC cards in----Database:msf3| Table:workspaces
etc
etc
……………
Validating credit cards via mod-10 checksum method....
Here are all the validated credit cards found, buy me something pretty
['DeletedOutput ']
These are all the found regex card matches..
['DeletedOutput ']

Review the following Database:Table pairs for sensitive data
[['msf3', 'email_addresses'], ['msf3', 'email_templates']]


Example Summary: 
In this example I chose a database and then decided I wanted to search every table in that database for credit cards. So after selecting the database I just typed “all” and let it rip. This is useful if you see databases with names that strike your interest. Soon I will add in other requested features that search for certain fields, such as passwords and specified interesting names, and rip data out of them.


If you have any comments or suggestions, please let me know. I have been working on this on and off to save myself time with pillaging on penetration tests.
