Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: extracting MSSQL from a pcap
From: Ron Gula <rgula () tenable com>
Date: Tue, 3 Dec 2013 13:28:35 +0000

Hi there, 

Tenable's Passive Vulnerability Scanner can read PCAPs and convert 100s
of protocols into a log file or stream the syslog to your log collector
including SQL queries.

Here are some example sanitized logs:

<36>Dec 02 14:44:17 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command
logging|PVS has observed the following command from a database client to
the database server (W.X.Y.Z):  SELECT [ExternalRequests].[ID],
[ExternalRequests].[WebPlatformConfigId],
[ExternalRequests].[MappingName], [ExternalRequests].[TransactionNumber],
[ExternalRequests].[ExternalId], [ExternalRequests].[State],
[ExternalRequests].[Response] FROM [ExternalRequests] WHERE
TransactionNumber = @0 ORDER BY ID DESC||NONE

<36>Dec 02 15:09:31 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command
logging|PVS has observed the following command from a database client to
the database server W.X.Y.Z):  SELECT * FROM EmailRouting||NONE

<36>Dec 02 14:50:22 pvs: A.B.C.D:1433|W.X.Y.Z:1433|6|7019|Database command
logging|PVS has observed the following command from a database client to
the database server (W.X.Y.Z):  SELECT * FROM Transactions t JOIN Users u
ON (t.Username = u.Username) WHERE TransactionNumber =
@TransactionNumber;||NONE


There is a post here about how to analyze the recent PHP malware attack
PCAP 
from Barracuda Labs which has a good example of how to create the logs from
the pcap. It doesn't show SQL, but you get the jist of what PVS can do to
create logs: 
https://discussions.nessus.org/docs/DOC-1044


The PVS finds applications and vulns in network traffic to produce a Nessus
style report as well as realtime logs. Tenable offers a free evaluation of
the PVS, which runs on Windows and Linux, at this link:

http://www.tenable.com/products/passive-vulnerability-scanner


It's also part of our SecurityCenter Continuous View solution which lets
you
put as many Nesssus and PVS sensors on your network that you need to ensure
you have enough realtime monitoring of your network.


Ron Gula, CEO 
Tenable Network Security







On 11/25/13 6:09 PM, "Robin Wood" <robin () digininja org> wrote:

I've got a pcap which contains unencrypted MSSQL traffic, can anyone
recommend an app which will extract all the SQL?

I can see it in Wireshark but it isn't decoding it for some reason, if
I save the packets as text I can manipulate it into mostly readable
form by some simple replaces but would rather a nice clean extraction,
especially as I know this has usernames and passwords in.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]