NoSQL EXPLOITATION FRAMEWORK – Framework For NoSQL Scanning and Exploitation
Any database may hold sensitive information such as usernames, passwords or user data. A proper security assessment, including a review of the whole architecture, is therefore required to identify the security gaps an attacker could use to compromise the system.
NoSQL databases are now widely used to store information and data. Assessing and pentesting NoSQL databases in a test environment is important for identifying vulnerabilities or configuration issues in the DB. NoSQL Exploitation Framework is an open source tool that you can use to enumerate, scan or exploit NoSQL databases.
Currently the tool supports Mongo, CouchDB, Redis, HBase and Cassandra, and development is ongoing to add more features such as improved web application detection, Neo4j support, a web interface attack and a fuzz platform. Currently the tool has the following features:
- Enumeration of NoSQL databases
- Dumping of NoSQL databases
- Support for NoSQL web applications
- Payload list for JS injection and web application enumeration
- Dictionary attack support for Mongo, Couch and Redis
- Shodan query feature
- Multithreaded IP list scanner
- Sniffing for Mongo, Couch and Redis
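The "JS injection" and web application features above target applications that pass user-controlled JSON straight into a NoSQL query. The following added example (it is not code from the NoSQL Exploitation Framework or its author) shows the weakness in a login handler alongside the input validation that closes it. It assumes a hypothetical web app that parses a JSON body and builds a MongoDB-style filter from it; a tiny in-memory matcher supporting only equality, $gt and $ne stands in for the database so the example runs offline against constructed sample data.

```python
"""Operator injection in a NoSQL-backed login handler: vulnerable vs hardened.

Added example, not part of the framework. The matcher below imitates how a
MongoDB filter evaluates a field condition, so no database is needed.
"""
import json

# Constructed sample user collection (hypothetical data, plaintext only to keep
# the example short; a real app would store password hashes).
USERS = [
    {"username": "alice", "password": "correct horse battery staple"},
    {"username": "bob", "password": "hunter2"},
]


def _matches(value, condition):
    """Evaluate one field condition the way a MongoDB filter would.

    A plain value means equality; a dict means operator(s). Only $gt and $ne
    are implemented here, which is enough to show the problem.
    """
    if not isinstance(condition, dict):
        return value == condition
    for op, arg in condition.items():
        if op == "$gt":
            if not value > arg:
                return False
        elif op == "$ne":
            if not value != arg:
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def find_one(collection, query):
    """Return the first document matching every field in the query, or None."""
    for doc in collection:
        if all(_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body: str):
    """Forwards whatever JSON the client sent straight into the filter.

    A body whose password is an object such as {"$gt": ""} is accepted as an
    operator, so the password comparison is replaced by a condition that is
    true for any non-empty password.
    """
    data = json.loads(body)
    query = {"username": data["username"], "password": data["password"]}
    return find_one(USERS, query)


class InvalidInput(ValueError):
    """Raised when a credential field is not a plain string."""


def login_hardened(body: str):
    """Same lookup, but both credential fields must be strings.

    Rejecting non-string values means no client-supplied object can ever be
    interpreted as a query operator; the query shape is fixed by the server.
    """
    data = json.loads(body)
    username = data.get("username")
    password = data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise InvalidInput("username and password must be strings")
    return find_one(USERS, {"username": username, "password": password})
```

With a real driver the fix is the same: enforce the type and shape of every value before it reaches the query (or use a schema validator that does so), and log rejected requests, since a credential field arriving as an object is a reliable signal that the application is being probed.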
Some usage commands are:
nosqlexp.py -ip localhost -scan
nosqlexp.py -ip localhost -dict mongo -file b.txt
nosqlexp.py -ip localhost -enum couch
nosqlexp.py -ip localhost -enum redis
nosqlexp.py -ip localhost -clone couch
nosqlexp.py -ip localhost -webapp "web_app_link"
This tool is authored by Francis Alexander and you can download the latest release from the following link: https://github.com/torque59/Nosql-Exploitation-Framework.