PaulDotCom mailing list archives

Re: extracting MSSQL from a pcap


From: Robin Wood <robin () digininja org>
Date: Fri, 29 Nov 2013 10:54:43 +0000

On 28 November 2013 23:07, Robin Wood <robin () digininja org> wrote:
I didn't know it could run in Linux and I'll send the pcap into it and
see what it extracts.


I've loaded the pcap into NetworkMiner and it has found some TDS
traffic and is showing it in the sessions tab but I can't get it to
display the SQL. I've tried double clicking, right clicking. What do I
need to do to see it?

Robin

Thanks.

Robin

On 28 November 2013 20:00, Erik Hjelmvik <erik.hjelmvik () gmail com> wrote:
Hi Robin,

NetworkMiner parses MS-SQL from PCAP files and extracts all SQL
queries etc. to the "Parameters" tab.
Login credentials are also extracted and displayed on the Credentials tab.

Btw. you do know that NetworkMiner runs fine in Linux as well, right?
http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono

/erik

2013/11/26 Robin Wood <robin () digininja org>:

On 26 Nov 2013 18:58, "c1b3rh4ck" <c1b3rh4ck () gmail com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/11/2013 06:09 p.m., Robin Wood wrote:
I've got a pcap which contains unencrypted MSSQL traffic, can
anyone recommend an app which will extract all the SQL?

I can see it in Wireshark but it isn't decoding it for some reason,
if I save the packets as text I can manipulate it into mostly
readable form by some simple replaces but would rather a nice clean
extraction, especially as I know this has usernames and passwords
in.

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


Hi,
You can use Python libraries to parse the content, take a look at scapy :)
Best regards.

Does Scapy have a dissector for MSSQL/TDS?

Robin


- ------------------------------
Debian User
Penetration Testing
Colombian Security Enthusiast
Paranoid Security Addict
LinuxUser #506301
- ------------------------------------
He who infiltrates the darkness is he who finds the truth. Lao Tse
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJSlOVJAAoJEH744K9jmDitVSEH+weDHbDNoNoJ3hgLrFPYvVuV
ZLymjMxLVaJH5OJRlQi+wIBhnJ1s5pmWXPAva57nGspO36rROIEylUCmYL/GAFvO
rj8QL/EvsWJaAMyo+kLeTwvVQ6l6q0GjStluaicOMT7SwOc8lRyjJ+LByUaCSM5I
nOXlKffvwOj3Y1WzA8Qviy3RAHCmWGDN7vI8mrTvb1tdXjt4ui+aDpcRwuysbLR2
BAoCMPtQMzr0Dq+Scw/suIfTVnP1JkHjL9XZlwuZLQHL5pRZ7bNu9jT1v2M9/zBH
vxgddslFYYsaXvht1C9AhaJNZMk4TcCOQY/57HfC+0VPi5UbFqwYRLzObZ3IbUU=
=OW3f
-----END PGP SIGNATURE-----





--
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
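The thread asks whether Scapy has a TDS dissector and what NetworkMiner does with the SQL it finds. For an analyst who wants to see how that extraction works rather than rely on a GUI, here is an added example (not NetworkMiner's or Scapy's code, and not from anyone in this thread) that walks a reassembled client-to-server TCP byte stream, splits it into TDS packets using the 8-byte header layout from the public MS-TDS specification, joins multi-packet messages on the end-of-message status bit, and decodes the UCS-2LE text of SQL Batch packets (type 0x01). The check for the TDS 7.2+ ALL_HEADERS block is a heuristic I am assuming (consistent length fields and a known header type), and the sample stream at the bottom is constructed for the example, not taken from a real capture. Login packets are deliberately skipped; only query text is recovered.

```python
"""Minimal TDS (Tabular Data Stream) SQL batch extractor for a reassembled
client->server TCP stream. Added example, not the code of any tool named in
the thread. Header offsets follow MS-TDS; ALL_HEADERS detection is a heuristic."""
import struct

TDS_HEADER_LEN = 8
TDS_SQL_BATCH = 0x01   # packet type: SQL batch (query text in UCS-2LE)
TDS_STATUS_EOM = 0x01  # status bit: last packet of a message


def split_tds_packets(stream: bytes):
    """Yield (type, status, payload) per TDS packet.
    Header: type(1) status(1) length(2, big-endian, incl. header) spid(2) packet_id(1) window(1)."""
    offset = 0
    while offset + TDS_HEADER_LEN <= len(stream):
        ptype, status, length = struct.unpack_from(">BBH", stream, offset)
        if length < TDS_HEADER_LEN or offset + length > len(stream):
            break  # truncated or corrupt packet: stop instead of mis-parsing
        yield ptype, status, stream[offset + TDS_HEADER_LEN:offset + length]
        offset += length


def reassemble_messages(stream: bytes):
    """Concatenate packet payloads until the EOM bit, yielding (type, message)."""
    buf, current_type = bytearray(), None
    for ptype, status, payload in split_tds_packets(stream):
        if current_type is None:
            current_type = ptype
        buf += payload
        if status & TDS_STATUS_EOM:
            yield current_type, bytes(buf)
            buf, current_type = bytearray(), None


def strip_all_headers(message: bytes) -> bytes:
    """TDS 7.2+ batches start with ALL_HEADERS: TotalLength(u32 LE), then headers of
    HeaderLength(u32 LE) HeaderType(u16 LE) data. Heuristic (assumption): treat the block
    as present only if the length fields are self-consistent and the type is known;
    UCS-2LE query text fails these checks in practice."""
    if len(message) >= 10:
        total, hdr_len, hdr_type = struct.unpack_from("<IIH", message, 0)
        if 4 <= total <= len(message) and 6 <= hdr_len <= total - 4 and hdr_type in (1, 2, 3):
            return message[total:]
    return message


def extract_sql_batches(stream: bytes):
    """Return the SQL text of every SQL batch message in the stream."""
    queries = []
    for ptype, message in reassemble_messages(stream):
        if ptype != TDS_SQL_BATCH:
            continue  # login, RPC, pre-login etc. are not decoded here
        text = strip_all_headers(message)
        queries.append(text.decode("utf-16-le", errors="replace").rstrip("\x00"))
    return queries


# --- constructed sample traffic (not from a real capture) ---
def _tds_packet(ptype, status, payload, spid=51, packet_id=1):
    return struct.pack(">BBHHBB", ptype, status, TDS_HEADER_LEN + len(payload),
                       spid, packet_id, 0) + payload


def _all_headers_block():
    # One transaction-descriptor header: length 18, type 2, descriptor(8), outstanding requests(4)
    hdr = struct.pack("<IH8sI", 18, 2, b"\x00" * 8, 1)
    return struct.pack("<I", 4 + len(hdr)) + hdr


SAMPLE_STREAM = (
    # TDS 7.1-style batch without ALL_HEADERS, single packet
    _tds_packet(TDS_SQL_BATCH, TDS_STATUS_EOM, "SELECT name FROM sys.databases".encode("utf-16-le"))
    # TDS 7.2+ batch with ALL_HEADERS, split over two packets (EOM only on the last)
    + _tds_packet(TDS_SQL_BATCH, 0x00, _all_headers_block() + "SELECT TOP 10 *".encode("utf-16-le"))
    + _tds_packet(TDS_SQL_BATCH, TDS_STATUS_EOM, " FROM dbo.Users".encode("utf-16-le"), packet_id=2)
    # a pre-login packet (type 0x12) that must be ignored
    + _tds_packet(0x12, TDS_STATUS_EOM, b"\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\xff")
)

if __name__ == "__main__":
    for q in extract_sql_batches(SAMPLE_STREAM):
        print(repr(q))
```

The input is assumed to be the client-to-server half of one TCP conversation, already reassembled (for example the raw bytes saved from Wireshark's "Follow TCP Stream"); a session that negotiated TLS in pre-login will yield nothing readable, which is the expected outcome for an encrypted connection.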
