PaulDotCom mailing list archives
Re: extracting MSSQL from a pcap
From: Erik Hjelmvik <erik.hjelmvik () gmail com>
Date: Wed, 4 Dec 2013 16:57:19 +0100
MS SQL queries for the TDS protocol should show up in NetworkMiner's "Parameters" tab. One SQL query per line.

If the queries don't show up there then the issue might be one of the following:

1. The start of the TCP session hasn't been captured in your PCAP. Make sure you have the 3 way handshake for the TDS session.
2. MS SQL server+client are configured to use encryption.
3. You've found a bug in NetworkMiner that I'd like to investigate!

/erik

2013/11/29 Robin Wood <robin () digininja org>:
> On 28 November 2013 23:07, Robin Wood <robin () digininja org> wrote:
>> I didn't know it could run in Linux and I'll send the pcap into it and see what it extracts.
>
> I've loaded the pcap into NetworkMiner and it has found some TDS traffic and is showing it in the sessions tab but I can't get it to display the SQL. I've tried double clicking, right clicking. What do I need to do to see it?
>
> Robin
>
>> Thanks.
>>
>> Robin
>>
>> On 28 November 2013 20:00, Erik Hjelmvik <erik.hjelmvik () gmail com> wrote:
>>> Hi Robin,
>>>
>>> NetworkMiner parses MS-SQL from PCAP files and extracts all SQL queries etc to the "Parameters" tab. Login credentials are also extracted and displayed on the Credentials tab.
>>>
>>> Btw. you do know that NetworkMiner runs fine in Linux as well, right?
>>> http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono
>>>
>>> /erik
>>>
>>> 2013/11/26 Robin Wood <robin () digininja org>:
>>>> On 26 Nov 2013 18:58, "c1b3rh4ck" <c1b3rh4ck () gmail com> wrote:
>>>>> On 25/11/2013 06:09 p.m., Robin Wood wrote:
>>>>>> I've got a pcap which contains unencrypted MSSQL traffic, can anyone recommend an app which will extract all the SQL? I can see it in Wireshark but it isn't decoding it for some reason, if I save the packets as text I can manipulate it into mostly readable form by some simple replaces but would rather a nice clean extraction, especially as I know this has usernames and passwords in.
>>>>>>
>>>>>> Robin
>>>>>
>>>>> Hi,
>>>>>
>>>>> You can use python libraries to parse the content, take a look at scapy :)
>>>>>
>>>>> Best regards.
>>>>
>>>> Does Scapy have a dissector for MSSQL/TDS?
>>>>
>>>> Robin
>>>>
>>>>> --
>>>>> Debian User
>>>>> Penetration Testing
>>>>> Colombian Security Enthusiast
>>>>> Paranoid Security Addict
>>>>> LinuxUser #506301
>>>>> ------------------------------------
>>>>> He who infiltrates the darkness is he who finds the truth. Lao Tse
>>>
>>> --
>>> blog: http://www.netresec.com/?page=Blog
>>> twitter: http://twitter.com/netresec

--
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
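The thread leaves two practical questions open: what a tool actually has to do to pull the SQL text out of TDS, and how the two failure modes Erik lists (capture starting mid-session, encryption) show up in the bytes. The following is an added example written for this archive page; it is not NetworkMiner's code, not a Scapy dissector and not anything a list member posted. It assumes the client-to-server TCP payload of one MS SQL session has already been reassembled (for example with a pcap library or Wireshark's "Follow TCP Stream") and parses the TDS packet framing from MS-TDS, reassembles multi-packet SQL Batch messages, strips the optional ALL_HEADERS block and decodes the UCS-2 query text. The sample stream, its SPID, the query strings and the RPC stub are constructed; the ALL_HEADERS detection and the TLS check are heuristics, labelled as such in the comments.

```python
"""Minimal TDS (Tabular Data Stream) SQL Batch extractor.

Added example for the thread above; not NetworkMiner's, Scapy's or any
poster's code. Input is the already reassembled client->server TCP payload of
one MS SQL session; the stream used below is constructed by hand."""
import struct

HEADER_LEN = 8          # TDS header: type, status, length, spid, packet id, window
TDS_SQL_BATCH = 0x01    # packet types from MS-TDS 2.2.3.1.1
TDS_RPC = 0x03
TDS_PRELOGIN = 0x12
KNOWN_TYPES = {0x01, 0x02, 0x03, 0x04, 0x06, 0x07, 0x0E, 0x10, 0x11, 0x12}
STATUS_EOM = 0x01       # "end of message": last packet of a (possibly split) message


def iter_tds_packets(stream):
    """Yield (type, status, payload) for each TDS packet in the stream.

    Raises ValueError when the bytes are not on a packet boundary, which is
    what a capture that misses the start of the session looks like."""
    off = 0
    while off + HEADER_LEN <= len(stream):
        ptype, status, length = struct.unpack_from(">BBH", stream, off)
        if ptype not in KNOWN_TYPES or length < HEADER_LEN:
            raise ValueError(f"no TDS header at offset {off}: {stream[off:off + 4].hex()}")
        end = off + length
        if end > len(stream):
            raise ValueError(f"TDS packet at offset {off} is truncated")
        yield ptype, status, stream[off + HEADER_LEN:end]
        off = end


def strip_all_headers(payload):
    """Remove the optional ALL_HEADERS block (MS-TDS 2.2.5.3) that TDS 7.2+
    clients prepend to the query text; older clients send the UCS-2 text directly.

    Heuristic: the first little-endian DWORD is a plausible total length and the
    header lengths inside it add up exactly. UCS-2 ASCII text read as a DWORD is
    at least 0x00200020 (over 2 MB), so real query text is not mistaken for headers."""
    if len(payload) >= 4:
        total = struct.unpack_from("<I", payload, 0)[0]
        if 4 <= total <= len(payload):
            pos = 4
            while pos < total:
                if total - pos < 6:          # every header is length(4) + type(2) + data
                    break
                hlen = struct.unpack_from("<I", payload, pos)[0]
                if hlen < 6 or pos + hlen > total:
                    break
                pos += hlen
            if pos == total:
                return payload[total:]
    return payload


def extract_sql_batches(stream):
    """Return the query text of every complete SQL Batch message in the stream."""
    queries, buf = [], b""
    for ptype, status, payload in iter_tds_packets(stream):
        if ptype != TDS_SQL_BATCH:
            buf = b""               # login, RPC, attention ... carry no batch text
            continue
        buf += payload              # a long batch is spread over several packets
        if status & STATUS_EOM:
            text = strip_all_headers(buf).decode("utf-16-le", errors="replace")
            queries.append(text.rstrip("\x00"))
            buf = b""
    return queries


def diagnose(stream):
    """Map an empty result onto the checklist from the thread (heuristic)."""
    # Once TLS is negotiated the TDS packets travel inside TLS records, so a
    # plaintext parser sees record headers (0x16/0x17, 0x03, ...) instead.
    if len(stream) >= 2 and stream[0] in (0x16, 0x17) and stream[1] == 0x03:
        return "encrypted: TLS records instead of plaintext TDS"
    try:
        queries = extract_sql_batches(stream)
    except ValueError:
        return "misaligned: capture probably starts mid-session (no TCP handshake)"
    return "ok" if queries else "no SQL Batch messages in this direction"


# ---- constructed sample data (not from any real capture) -------------------
def tds_packet(ptype, status, payload, pkt_id=1, spid=0x0033):
    return struct.pack(">BBHHBB", ptype, status, HEADER_LEN + len(payload), spid, pkt_id, 0) + payload


# ALL_HEADERS with one Transaction Descriptor header: 4 + 18 = 22 bytes.
ALL_HEADERS = struct.pack("<I", 22) + struct.pack("<IH", 18, 2) + b"\x00" * 8 + struct.pack("<I", 1)
Q1 = "SELECT name FROM sys.databases".encode("utf-16-le")
Q2 = "SELECT TOP 1 login FROM app.users WHERE id = 42".encode("utf-16-le")
SAMPLE_STREAM = (
    tds_packet(TDS_SQL_BATCH, STATUS_EOM, ALL_HEADERS + Q1)
    + tds_packet(TDS_RPC, STATUS_EOM, b"\x00" * 12)                     # RPC stub, skipped
    + tds_packet(TDS_SQL_BATCH, 0x00, ALL_HEADERS + Q2[:40], pkt_id=1)  # batch split in two
    + tds_packet(TDS_SQL_BATCH, STATUS_EOM, Q2[40:], pkt_id=2)
)

if __name__ == "__main__":
    for q in extract_sql_batches(SAMPLE_STREAM):
        print(q)
    print(diagnose(SAMPLE_STREAM[5:]))                        # misaligned
    print(diagnose(b"\x17\x03\x03\x00\x20" + b"\x00" * 32))   # encrypted
```

Only the SQL Batch path is handled; queries issued through RPC (sp_executesql and friends) need the RPC request format parsed separately, and a stream that starts inside a packet fails at the first header check, which is exactly the symptom of a capture without the handshake.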