Francis Alexander edited this page Aug 8, 2016 · 14 revisions

Usage

usage: nosqlframework.py [options]

Python NoSQL Exploitation Framework V2.0.1

optional arguments:
  -h, --help    show this help message and exit

Scan Options Target:
  -ip           Target to Scan
  -port         Specify Port
  -scan         Scan
  -enum         Enumerate DBs : Specify mongo,couch,redis,hbase,cassandra
  -auth         Authenticate with Credentials (username:password)
  -file         Specify File name
  -authall      Authenticate with Credentials For the Entire DB
                (username:password)
  -write        Write to file
  -screen       Enable Screenshots for the Rest Interfaces

General Database Enumeration:
  -db           Specify Database/Collection
  -c            Specify Column
  -dump         Dumps Collection/Column Data
  -limit LIMIT  Specify Limit to be Displayed
  -post         Post Phase Enumeration (enable/disable)

Utilities:
  -shodan       Shodan Search Specify port number
  -mass         Mass Scanner
  -dict         Dictionary Attack (mongo,couch,redis) + Filename
  -clone        Clone's DB
  -sniff        Sniff on Couch DB

Web Attack Enumeration:
  -data         Post Parameters
  -webapp       Scan Web App | input required if specified is the URL
  -param        Specify Params with commas (username,password)

Redis Enumeration:
  -filecheck    System File Enumerator (Specify Testfile Path)
  -exhaust      Exhaust Attacks on Redis(2.6+)
  -remotecheck  Checks if vulnerable to RCE(Lua Sandbox Bypass)

Scan Options

IP Address

Option -ip: the IP address or domain name of the host to be scanned. This option is usually combined with the enumeration (-enum) option.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum DB_TYPE

Port To Specify

Option -port: by default the NoSQL Exploitation Framework uses the ports on which the databases are usually configured. You can specify the port you want the framework to scan instead.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -port PORT_NO -enum DB_TYPE

eg: python nosqlframework.py -ip 127.0.0.1 -port 27016 -enum mongo

Scan for All Databases

Option -scan: scans the target against the known databases and their default ports and determines whether each one is available for enumeration.

eg: python nosqlframework.py -ip TARGET_IP_ADDR [-port PORT_NO] -scan

eg: python nosqlframework.py -ip 127.0.0.1 -scan

Enumeration Type

Option -enum: specifies the database type to enumerate, rather than having the framework detect the DB type itself.

Different options currently available are: mongo, couch, redis, cassandra

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum DB_TYPE

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum redis

Authentication Module

Option -auth: authenticates against the database so that further enumeration becomes possible. Its behaviour varies between databases:

  • For Mongo: the framework authenticates against the database specified in the -db option, not as a server-wide user, so enumerating Mongo depends on the privileges that DB user has.

  • For Couch: the same applies; enumeration depends entirely upon the privileges assigned to the corresponding user.

  • For Redis: Redis has a single user with a single password, so if the given password succeeds the framework should be able to enumerate the entire Redis store.

  • For Cassandra: Cassandra implements per-user privileges such as WRITE and ALTER, so what the framework can enumerate depends on the privileges the supplied credentials have.

eg:

Redis -> `python nosqlframework.py -ip TARGET_IP_ADDR -enum redis -auth admin`

Mongo -> `python nosqlframework.py -ip TARGET_IP_ADDR -enum mongo -db admin -auth username:password`

Couch -> `python nosqlframework.py -ip TARGET_IP_ADDR -enum couch -auth username:password`
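The -auth behaviour described above leaves a server-side footprint: repeated authentication failures and refused commands from one client. As an added example (not part of this wiki or of the framework), this Python snippet correlates mongod 3.x-style log lines by connection id and flags clients that cross a threshold; the log excerpt is constructed and the line format is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed mongod (3.x-style) log excerpt: one client opens a connection,
# fails authentication twice, then is refused a listDatabases call; a second
# client authenticates normally. Format assumed, not taken from the wiki.
SAMPLE_LOG = """\
2016-08-08T10:15:30.001+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:51234 #7 (1 connection now open)
2016-08-08T10:15:31.002+0000 I ACCESS   [conn7] SCRAM-SHA-1 authentication failed for admin on admin from client 10.0.0.5:51234 ; AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch
2016-08-08T10:15:31.500+0000 I ACCESS   [conn7] SCRAM-SHA-1 authentication failed for root on admin from client 10.0.0.5:51234 ; AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch
2016-08-08T10:15:32.003+0000 I ACCESS   [conn7] Unauthorized not authorized on admin to execute command { listDatabases: 1 }
2016-08-08T10:15:40.000+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.9:40001 #8 (2 connections now open)
2016-08-08T10:15:41.000+0000 I ACCESS   [conn8] Successfully authenticated as principal app on shop
"""

CONN_ACCEPTED = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
CONN_TAG = re.compile(r"\[conn(\d+)\]")
AUTH_FAILED = re.compile(r"authentication failed for (\S+) on (\S+)")
UNAUTHORIZED = re.compile(r"Unauthorized not authorized on (\S+) to execute command \{ (\w+):")

def suspicious_clients(log_text, threshold=2):
    """Return {ip: {"auth_failures": n, "unauthorized": [commands]}} for every
    client whose failed logins plus refused commands reach the threshold."""
    conn_to_ip = {}            # connection id -> client address
    failures = Counter()       # client address -> failed authentications
    unauthorized = defaultdict(list)  # client address -> refused commands
    for line in log_text.splitlines():
        m = CONN_ACCEPTED.search(line)
        if m:
            conn_to_ip[m.group(2)] = m.group(1)
            continue
        tag = CONN_TAG.search(line)
        if not tag:
            continue
        ip = conn_to_ip.get(tag.group(1), "unknown")
        if AUTH_FAILED.search(line):
            failures[ip] += 1
        m = UNAUTHORIZED.search(line)
        if m:
            unauthorized[ip].append(m.group(2))
    result = {}
    for ip in set(failures) | set(unauthorized):
        if failures[ip] + len(unauthorized[ip]) >= threshold:
            result[ip] = {"auth_failures": failures[ip], "unauthorized": unauthorized[ip]}
    return result

if __name__ == "__main__":
    for ip, detail in suspicious_clients(SAMPLE_LOG).items():
        print(ip, detail)
```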

General Database Enumeration

Database Option

Option -db: specifies the database to retrieve information from; combined with further options it yields details such as columns and DB details.

The option is used with the different databases as follows:

  • MongoDB: compared to a normal SQL database, Mongo maps database to database and table to collection; the data is stored in JSON format and the database is selected with the -db option.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum mongo -db admin

  • CouchDB: uses the concept of a database which has keys, and the keys are associated with different fields; data is stored in JSON format.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum couch -db _users

  • Redis: it is a key-value store, so -db cannot be used here.

  • Cassandra: the database concept maps to a 'Keyspace'; the rest follows the table and column concepts of SQL databases.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum cassandra -db system

Column/Collection Option

Option -c: selects which column/collection to dump data from; it is often used with the -dump option.

  • MongoDB: The option is used to select which Collection to get the data from.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum mongo -db admin -c system.users -dump

  • CouchDB: selects the key whose fields you want to enumerate. It gets the data along with the fields.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum couch -db _users -c _design/_auth

  • Redis: the option cannot be used here.

  • Cassandra: gets the data from the keyspace, table and column given as parameters.

Option -t: Cassandra only, since it has a table concept that Mongo and Couch lack.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum cassandra -db system_auth -t roles -c salted_hash

Redis Enumeration

Redis File Check

Option -filecheck: enumerates files available on the Redis instance. The file check relies on the Redis do(file) vulnerability. It takes a list of files to test (the framework uses the DirBuster file list to enumerate the different available files).

eg:

python nosqlframework.py -ip TARGET_IP_ADDR -enum redis -file payloads/files_enum.txt -filecheck

Exhaust (DOS) Attack

Option -exhaust: this option should not be used unless you want to test a hotfix or patch deployed against the SCRIPT commands in Redis, as it can eat up the Redis instance's resources.

Remote RCE for Redis

The -remotecheck option checks whether the Redis instance is vulnerable to a Redis Lua sandbox bypass that could lead to RCE. Currently versions 2.6 - 3.0.1 are vulnerable.

Lua Sandbox Bypass

Option -remotecheck: checks whether the Redis instance is vulnerable to the exploit.

eg: python nosqlframework.py -ip TARGET_IP_ADDR -enum redis -remotecheck
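For the defending side, the same two facts the Redis sections rely on (the 2.6 - 3.0.1 version range and the single shared password) can be checked from an instance's own INFO and CONFIG GET output. This Python snippet is an added example, not code from the wiki or the framework; the sample outputs are constructed and the redis-cli line formats are assumed.

```python
import re

# Version range the wiki gives for the Lua sandbox bypass (-remotecheck).
LUA_BYPASS_RANGE = ((2, 6, 0), (3, 0, 1))

# Constructed sample of `redis-cli INFO server` output (format assumed).
SAMPLE_INFO = """\
# Server
redis_version:2.8.19
redis_mode:standalone
tcp_port:6379
"""

# Constructed sample of `redis-cli CONFIG GET *` output: numbered,
# alternating key/value lines (format assumed).
SAMPLE_CONFIG = """\
1) "requirepass"
2) ""
3) "bind"
4) ""
5) "maxmemory"
6) "0"
"""

def parse_version(info_text):
    """Extract redis_version from INFO output as a comparable int tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def parse_config(config_text):
    """Turn redis-cli CONFIG GET output into a key -> value dict."""
    values = re.findall(r'^\s*\d+\) "(.*)"$', config_text, re.M)
    return dict(zip(values[0::2], values[1::2]))

def audit(info_text, config_text):
    """Return the findings a defender would act on for this instance."""
    findings = []
    v = parse_version(info_text)
    if LUA_BYPASS_RANGE[0] <= v <= LUA_BYPASS_RANGE[1]:
        findings.append("version %d.%d.%d is in the Lua sandbox bypass range 2.6-3.0.1; upgrade" % v)
    cfg = parse_config(config_text)
    if not cfg.get("requirepass"):
        findings.append("requirepass is empty: anyone who can reach the port has full access")
    if cfg.get("bind", "") in ("", "0.0.0.0"):
        findings.append("bind is unrestricted: the instance listens on all interfaces")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INFO, SAMPLE_CONFIG):
        print("FINDING:", f)
```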
