
List:       pauldotcom
Subject:    Re: [Pauldotcom] extracting MSSQL from a pcap
From:       Erik Hjelmvik <erik.hjelmvik () gmail ! com>
Date:       2013-12-04 15:57:19
Message-ID: CAJEFHciRLmiamJKm-yCuxfv5_S3=--FDuUSTwDBj9AymhrTD4w () mail ! gmail ! com

MS SQL queries for the TDS protocol should show up in NetworkMiner's
"Parameters" tab, one SQL query per line.

If the queries don't show up there, then the issue might be one of the following:
1. The start of the TCP session hasn't been captured in your PCAP.
Make sure you have the 3-way handshake for the TDS session.
2. The MS SQL server and client are configured to use encryption.
3. You've found a bug in NetworkMiner that I'd like to investigate!

/erik
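As an added example (not code from this thread, from NetworkMiner or from Scapy), a small Python parser for the three points above: it walks TDS packets in a reassembled client-to-server TCP stream, reads the ENCRYPTION option the client offered in its PRELOGIN, and reassembles SQL Batch messages into query text. The sample stream is constructed inline; the ALL_HEADERS-detection heuristic and the `_packet` builder are my own assumptions, not part of the TDS specification.

```python
import struct
TDS_SQL_BATCH, TDS_PRELOGIN, TDS_STATUS_EOM = 0x01, 0x12, 0x01
PL_ENCRYPTION, PL_TERMINATOR = 0x01, 0xFF  # PRELOGIN option token types; 0xFF ends the list

def tds_packets(stream):
    """Yield (type, status, payload) per TDS packet; the stream must start on a packet boundary."""
    off = 0
    while off + 8 <= len(stream):
        ptype, status, length = struct.unpack_from(">BBH", stream, off)
        if length < 8 or off + length > len(stream):
            break  # truncated, or misaligned because the session start is missing: stop, don't emit garbage
        yield ptype, status, stream[off + 8:off + length]
        off += length

def prelogin_encryption(stream):
    """Return the ENCRYPTION byte (0 OFF, 1 ON, 2 NOT_SUP, 3 REQ) from the client PRELOGIN, else None."""
    for ptype, _status, payload in tds_packets(stream):
        pos = 0  # option tokens: type(1) offset(2) length(2), big-endian; only PRELOGIN packets are walked
        while ptype == TDS_PRELOGIN and pos + 5 <= len(payload) and payload[pos] != PL_TERMINATOR:
            token, offset, length = struct.unpack_from(">BHH", payload, pos)
            if token == PL_ENCRYPTION and length == 1 and offset < len(payload):
                return payload[offset]
            pos += 5
    return None

def _strip_all_headers(data):
    """Drop the TDS 7.2+ ALL_HEADERS prefix; UCS-2 text never looks like a small LE DWORD then type 2 (heuristic)."""
    if len(data) >= 10:
        total, _hlen, htype = struct.unpack_from("<IIH", data)
        if 10 <= total <= len(data) and htype == 2:
            return data[total:]
    return data

def extract_sql_batches(stream):
    """Reassemble SQL Batch messages split over packets (until the EOM status bit) and decode them."""
    queries, buf = [], b""
    for ptype, status, payload in tds_packets(stream):
        if ptype == TDS_SQL_BATCH:
            buf += payload
            if status & TDS_STATUS_EOM:
                queries.append(_strip_all_headers(buf).decode("utf-16-le", errors="replace"))
                buf = b""
    return queries

def _packet(ptype, status, payload):  # hypothetical helper building constructed sample packets, not a real capture
    return struct.pack(">BBHHBB", ptype, status, 8 + len(payload), 0, 1, 0) + payload
_PRELOGIN = b"\x01" + struct.pack(">HH", 6, 1) + b"\xff" + b"\x00"  # ENCRYPTION token -> ENCRYPT_OFF
_BATCH = struct.pack("<IIHQI", 22, 18, 2, 0, 1) + "SELECT name FROM sys.tables".encode("utf-16-le")
SAMPLE_STREAM = (_packet(TDS_PRELOGIN, TDS_STATUS_EOM, _PRELOGIN) + _packet(TDS_SQL_BATCH, 0, _BATCH[:30])
                 + _packet(TDS_SQL_BATCH, TDS_STATUS_EOM, _BATCH[30:]))  # one batch split over two packets
```

Feeding the stream without its first packet (`SAMPLE_STREAM[8:]`) yields no queries at all, which is what point 1 above looks like in practice; with ENCRYPT_ON or ENCRYPT_REQ in the PRELOGIN the batch payloads would be TLS records, which is point 2.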

2013/11/29 Robin Wood <robin@digininja.org>:
> On 28 November 2013 23:07, Robin Wood <robin@digininja.org> wrote:
>> I didn't know it could run in Linux and I'll send the pcap into it and
>> see what it extracts.
>
>
> I've loaded the pcap into NetworkMiner and it has found some TDS
> traffic and is showing it in the sessions tab, but I can't get it to
> display the SQL. I've tried double-clicking and right-clicking. What do I
> need to do to see it?
>
> Robin
>
>> Thanks.
>>
>> Robin
>>
>> On 28 November 2013 20:00, Erik Hjelmvik <erik.hjelmvik@gmail.com> wrote:
>>> Hi Robin,
>>>
>>> NetworkMiner parses MS-SQL from PCAP files and extracts all SQL
>>> queries etc to the "Parameters" tab.
>>> Login credentials are also extracted and displayed on the Credentials tab.
>>>
>>> Btw. you do know that NetworkMiner runs fine in Linux as well, right?
>>> http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono
>>>
>>> /erik
>>>
>>> 2013/11/26 Robin Wood <robin@digininja.org>:
>>>>
>>>> On 26 Nov 2013 18:58, "c1b3rh4ck" <c1b3rh4ck@gmail.com> wrote:
>>>>>
>>>>> On 25/11/2013 06:09 p.m., Robin Wood wrote:
>>>>> > I've got a pcap which contains unencrypted MSSQL traffic, can
>>>>> > anyone recommend an app which will extract all the SQL?
>>>>> >
>>>>> > I can see it in Wireshark but it isn't decoding it for some reason,
>>>>> > if I save the packets as text I can manipulate it into mostly
>>>>> > readable form by some simple replaces but would rather a nice clean
>>>>> > extraction, especially as I know this has usernames and passwords
>>>>> > in.
>>>>> >
>>>>> > Robin
>>>>> >
>>>>> > _______________________________________________
>>>>> > Pauldotcom mailing list
>>>>> > Pauldotcom@mail.pauldotcom.com
>>>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> > Main Web Site: http://pauldotcom.com
>>>>> >
>>>>>
>>>>> Hi,
>>>>> You can use Python libraries to parse the content; take a look at scapy :)
>>>>> Best regards.
>>>>
>>>> Does Scapy have a dissector for MSSQL/TDS?
>>>>
>>>> Robin
>>>>
>>>>>
>>>>> ------------------------------
>>>>> Debian User
>>>>> Penetration Testing
>>>>> Colombian Security Enthusiast
>>>>> Paranoid Security Addict
>>>>> LinuxUser #506301
>>>>> ------------------------------------
>>>>> He who infiltrates the darkness is he who finds the truth. Lao Tse
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> blog: http://www.netresec.com/?page=Blog
>>> twitter: http://twitter.com/netresec



-- 
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec