PaulDotCom mailing list archives
Re: extracting MSSQL from a pcap
From: Ron Gula <rgula () tenable com>
Date: Tue, 3 Dec 2013 13:28:35 +0000
Hi there,

Tenable's Passive Vulnerability Scanner can read PCAPs and convert 100s of protocols into a log file or stream the syslog to your log collector, including SQL queries. Here are some example sanitized logs:

<36>Dec 02 14:44:17 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server (W.X.Y.Z): SELECT [ExternalRequests].[ID], [ExternalRequests].[WebPlatformConfigId], [ExternalRequests].[MappingName], [ExternalRequests].[TransactionNumber], [ExternalRequests].[ExternalId], [ExternalRequests].[State], [ExternalRequests].[Response] FROM [ExternalRequests] WHERE TransactionNumber = @0 ORDER BY ID DESC||NONE
<36>Dec 02 15:09:31 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server W.X.Y.Z): SELECT * FROM EmailRouting||NONE
<36>Dec 02 14:50:22 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|PVS has observed the following command from a database client to the database server (W.X.Y.Z): SELECT * FROM Transactions t JOIN Users u ON (t.Username = u.Username) WHERE TransactionNumber = @TransactionNumber;||NONE

There is a post here about how to analyze the recent PHP malware attack PCAP from Barracuda Labs which has a good example of how to create the logs from the pcap. It doesn't show SQL, but you get the gist of what PVS can do to create logs: https://discussions.nessus.org/docs/DOC-1044

The PVS finds applications and vulns in network traffic to produce a Nessus style report as well as realtime logs. Tenable offers a free evaluation of the PVS, which runs on Windows and Linux, at this link: http://www.tenable.com/products/passive-vulnerability-scanner

It's also part of our SecurityCenter Continuous View solution which lets you put as many Nessus and PVS sensors on your network as you need to ensure you have enough realtime monitoring of your network.
Ron Gula, CEO Tenable Network Security

On 11/25/13 6:09 PM, "Robin Wood" <robin () digininja org> wrote:
I've got a pcap which contains unencrypted MSSQL traffic; can anyone recommend an app which will extract all the SQL? I can see it in Wireshark but it isn't decoding it for some reason. If I save the packets as text I can manipulate it into mostly readable form by some simple replaces, but would rather a nice clean extraction, especially as I know this has usernames and passwords in.

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
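A small parser for the pipe-delimited PVS syslog layout Ron quotes above, added here as an example; it is not part of the original post or of Tenable's tooling. The sample lines are constructed to mirror the sanitized output shown (one unrelated plugin line is added to show that non-database events are skipped), and the facility/severity split follows the standard syslog PRI encoding.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the sanitized PVS syslog lines quoted in
# the post; the addresses and queries are made up for this example.
SAMPLE_LOGS = [
    "<36>Dec 02 14:44:17 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|"
    "PVS has observed the following command from a database client to the database server "
    "(W.X.Y.Z): SELECT [ExternalRequests].[ID] FROM [ExternalRequests] WHERE TransactionNumber = @0||NONE",
    "<36>Dec 02 15:09:31 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|"
    "PVS has observed the following command from a database client to the database server "
    "W.X.Y.Z): SELECT * FROM EmailRouting||NONE",
    "<36>Dec 02 14:50:22 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command logging|"
    "PVS has observed the following command from a database client to the database server "
    "(W.X.Y.Z): SELECT * FROM Transactions t JOIN Users u ON (t.Username = u.Username) "
    "WHERE TransactionNumber = @TransactionNumber;||NONE",
    "<36>Dec 02 15:10:00 pvs: A.B.C.D:51000|W.X.Y.Z:445|6|1|SMB client detected|some text||NONE",
]

# <PRI>timestamp pvs: src|dst|proto|plugin-id|plugin-name|description||extra
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) pvs: (?P<src>[^|]+)\|(?P<dst>[^|]+)\|"
    r"(?P<proto>\d+)\|(?P<plugin>\d+)\|(?P<name>[^|]*)\|(?P<desc>.*?)\|\|(?P<extra>.*)$")
# The SQL text follows "database server (addr): "; one of the quoted lines lacks the
# opening parenthesis, so both brackets are optional.
SQL_RE = re.compile(r"database server \(?[^:()]+\)?: (?P<sql>.*)$")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+\[?(\w+)\]?", re.IGNORECASE)


def parse_line(line):
    """Parse one PVS 'Database command logging' line into a dict; None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("name") != "Database command logging":
        return None
    s = SQL_RE.search(m.group("desc"))
    sql = s.group("sql").strip() if s else ""
    pri = int(m.group("pri"))  # syslog PRI = facility * 8 + severity
    return {
        "facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
        "client": m.group("src"), "server": m.group("dst"),
        "plugin_id": int(m.group("plugin")), "sql": sql,
        "tables": tuple(TABLE_RE.findall(sql)),
    }


def tables_by_client(lines):
    """Count which tables each client queried, as a starting point for review or alerting."""
    counts = {}
    for cmd in filter(None, map(parse_line, lines)):
        counts.setdefault(cmd["client"], Counter()).update(cmd["tables"])
    return counts
```

Feeding real PVS output through `tables_by_client` gives a quick per-client inventory of which tables were touched, which is the kind of summary you would review before deciding whether captured traffic like Robin's exposed credential tables.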