Code Monkey home page Code Monkey logo

database-security-audit's Introduction

Database security audit and penetration testing

Training course materials and research notes that I created to teach how to perform a technical security assessment / penetration test of :
➤ Relational databases: MS SQL, Oracle, MySQL, Sybase and PostgreSQL.
➤ NoSQL databases: MongoDB, Redis.

Content

➤ [Audit & Pentest] Reminder/General information (definitions)
➤ [Pentest] Database Penetration Testing (black box, grey box) - List of attacks 
➤ [Pentest] How to perform a network ports scan to locate a database
➤ [Pentest] How to perform brute-force & password spray attacks to identify valid database credentials (logins & passwords)
➤ [Pentest] How to check if a database is prone to known and unpatched vulnerabilities (e.g. obsolete database version, missing security patches)
➤ [Pentest] How to log into a database using valid credentials  
➤ [Audit & Pentest] How to identify and exploit database and OS privileges escalation vulnerabilities (including configuration review)
➤ [Audit & Pentest] How to dump and crack database password hashes

Useful tools (DB penetration testing)

➤ NMAP - Network port scanner and (NSE) scripts (https://nmap.org)
➤ Database command-line clients (i.e. sql*plus, sqlcmd, mysql, psql, mongo, redis-cli, isql)
➤ Database GUI clients (e.g. DBvis (https://dbvis.com), Toad (https://www.quest.com/toad/))
➤ ODAT - Oracle Database Attacking Tool (https://github.com/quentinhardy/odat) 
➤ PowerUPsql - PowerShell Toolkit for Attacking SQL Server (https://github.com/NetSPI/PowerUpSQL)
➤ NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool (https://github.com/codingo/NoSQLMap)
➤ Nosql-Exploitation-Framework - A FrameWork For NoSQL Scanning and Exploitation Framework (https://github.com/torque59/Nosql-Exploitation-Framework)
➤ Metasploit penetration testing framework (https://www.metasploit.com) 
➤ 'John the Ripper' - Password cracker (https://www.openwall.com/john/)
➤ Various scripts (source:kali/Github/your owns)

Audit scripts (DB configuration review)

Security audit scripts that collect the main database configuration settings such as the list of DB accounts and their roles/privileges, the password hashes, the database server version, the audit log settings, ...

➤ MSSQL-Audit-Script.bat
➤ Oracle-Audit-Script.sql
➤ PostgreSQL-Audit-Script.sh
➤ MySQL-Audit-Script.sh

database-security-audit's People

Contributors

jean-francois-c avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.