Database Forensics: Investigating Which Tables Were Dumped by sqlmap

amar haq
MII Cyber Security Consulting Services
3 min read · Dec 16, 2022

I am using this blog post as a reminder in case I have a similar database forensics case in the future. A company was contacted by an attacker (you could call this attacker "the hacker") who claimed to have confidential information about the company and showed several pieces of it. The information provided was very convincing and indicated that it was the company's own data, stored in its database.

This company uses nginx as its web server, and one of the artifacts we analyzed is the nginx access log. At this point we found something interesting.

Did you know that some of the "automated" tools used for scanning or hacking have patterns that can be identified in web server logs? For example, Nessus, OpenVAS and Nmap. This is how a request from the Nmap Scripting Engine appears in a log:

58.249.67.108 - - [03/Oct/2015:02:05:22 -0400] "GET / HTTP/1.1" 200 867 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

The same is true of sqlmap. sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

At this point, we can see the use of sqlmap in the web server logs from its characteristic User-Agent.

(figure: nginx log format)

While analyzing the logs, we found a unique part of the log that contains an interesting string.

*This log has been redacted for privacy.

(figure: nginx log)

If we URL-decode it with https://www.urldecoder.org/ it looks like the picture below.

(figure: log decoded with urldecoder.org)

We found an interesting string, "0x70656f706c655f6466780a", which we believed to be hex-encoded. With the help of https://onlinehextools.com/convert-hex-to-ascii we can convert it from hex to ASCII.

(figure: hex to ASCII converted)

This gives us the table name people_dfx from the database.

In the real case more than one table was dumped by sqlmap, so you have to check each request to make sure which database tables were dumped.
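To repeat the steps above over a whole log file instead of one line at a time, here is an added example script (my own, not code from the original post or from sqlmap): it parses nginx combined-format lines, flags requests whose User-Agent names sqlmap, URL-decodes the request and decodes every 0x... hex literal, collecting more than one table name per source as in the real case. The sample log lines, IPs, paths and the second hex literal are constructed; only 0x70656f706c655f6466780a is the value from the post.

```python
import re
from urllib.parse import unquote
# Constructed sample of nginx "combined" access-log lines (not from the post).
# The hex literal 0x70656f706c655f6466780a is the one quoted in the post; the
# IPs, timestamps, paths and the second literal are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2015:02:05:22 -0400] "GET / HTTP/1.1" 200 867 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
203.0.113.25 - - [03/Oct/2015:02:10:01 -0400] "GET /item.php?id=1%20AND%20table_name%3D0x70656f706c655f6466780a HTTP/1.1" 200 512 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
203.0.113.25 - - [03/Oct/2015:02:10:03 -0400] "GET /item.php?id=1%20AND%20table_name%3D0x7573657273 HTTP/1.1" 200 511 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
198.51.100.7 - - [03/Oct/2015:02:11:00 -0400] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
HEX_RE = re.compile(r'0x([0-9a-fA-F]+)')  # MySQL-style hex string literal

def parse_line(line):
    """Split one access-log line into fields; None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_sqlmap(user_agent):
    """sqlmap's default User-Agent names the tool, which is the pattern the post relies on."""
    return "sqlmap" in user_agent.lower()

def decode_hex_literal(hex_digits):
    """Decode the digits after 0x to text; odd-length input cannot be bytes, so None."""
    if len(hex_digits) % 2:
        return None
    # The post's literal ends in 0x0a (newline); strip it to get the bare table name.
    return bytes.fromhex(hex_digits).decode("ascii", errors="replace").strip()

def hex_strings_in_request(path):
    """URL-decode the request path, then decode every 0x... literal found in it."""
    return [t for t in map(decode_hex_literal, HEX_RE.findall(unquote(path))) if t]

def sqlmap_hex_strings(log_text):
    """Map each source IP that used sqlmap to the sorted decoded literals it sent."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sqlmap(rec["ua"]):
            for text in hex_strings_in_request(rec["path"]):
                found.setdefault(rec["ip"], set()).add(text)
    return {ip: sorted(names) for ip, names in found.items()}

if __name__ == "__main__":
    print(sqlmap_hex_strings(SAMPLE_LOG))  # {'203.0.113.25': ['people_dfx', 'users']}
```

Point `sqlmap_hex_strings` at the contents of a real access log to get, per attacking IP, the set of names that were sent as hex literals; anything that is not a table name (column names, injected values) will show up too and needs to be checked by hand.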

FYI, this case is interesting; you may or may not find something like what I found in this post in your own web server logs.

The conclusions from this experience are:

  1. Some automated scanning or red-team tools have their own patterns, so we can track which tool was used.
  2. In this web log, we found that the attacker used sqlmap to dump the database.
  3. We can identify which database tables were dumped by sqlmap by decoding from hex to ASCII (in this scenario).
