| skipped 269 lines |
| 270 | 270 | | except: |
| 271 | 271 | | pass |
| 272 | 272 | | |
| | 273 | + | def ParseSqlClearTxtPwd(Pwd): |
| | 274 | + | Pwd = map(ord,Pwd.replace('\xa5','')) |
| | 275 | + | Pw = [] |
| | 276 | + | for x in Pwd: |
| | 277 | + | Pw.append(hex(x ^ 0xa5)[::-1][:2].replace("x","0").decode('hex')) |
| | 278 | + | return ''.join(Pw) |
| | 279 | + | |
| | 280 | + | def ParseMSSQLPlainText(data): |
| | 281 | + | UsernameOffset = struct.unpack('<h',data[48:50])[0] |
| | 282 | + | PwdOffset = struct.unpack('<h',data[52:54])[0] |
| | 283 | + | AppOffset = struct.unpack('<h',data[56:58])[0] |
| | 284 | + | PwdLen = AppOffset-PwdOffset |
| | 285 | + | UsernameLen = PwdOffset-UsernameOffset |
| | 286 | + | PwdStr = ParseSqlClearTxtPwd(data[8+PwdOffset:8+PwdOffset+PwdLen]) |
| | 287 | + | UserName = data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le') |
| | 288 | + | return "MSSQL Username: %s Password: %s"%(UserName, PwdStr) |
| | 289 | + | |
| 273 | 290 | | def Decode_Ip_Packet(s): |
| 274 | 291 | | d={} |
| 275 | 292 | | d['version']=(ord(s[0]) & 0xf0) >> 4 |
| skipped 47 lines |
| 323 | 340 | | FTPPass = re.findall('(?<=PASS )[^\r]*', decoded['data']) |
| 324 | 341 | | HTTPNTLM2 = re.findall('(?<=WWW-Authenticate: NTLM )[^\\r]*', decoded['data']) |
| 325 | 342 | | HTTPNTLM3 = re.findall('(?<=Authorization: NTLM )[^\\r]*', decoded['data']) |
| | 343 | + | NTLMSSP1 = re.findall('NTLMSSP\x00\x01\x00\x00\x00.*[^EOF]*', decoded['data']) |
| 326 | 344 | | NTLMSSP2 = re.findall('NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', decoded['data']) |
| 327 | 345 | | NTLMSSP3 = re.findall('NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL) |
| 328 | 346 | | if activate_cc: |
| skipped 14 lines |
| 343 | 361 | | except: |
| 344 | 362 | | pass |
| 345 | 363 | | |
| | 364 | + | if DstPort == 1433 and decoded['data'][20:22]=="\x10\x01" and len(NTLMSSP1) <=0: |
| | 365 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| | 366 | + | Message = ParseMSSQLPlainText(decoded['data'][20:]) |
| | 367 | + | if PrintPacket(Filename,Message): |
| | 368 | + | l.warning(HeadMessage) |
| | 369 | + | l.warning(Message) |
| | 370 | + | print HeadMessage+'\n'+Message |
| | 371 | + | |
| 346 | 372 | | if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'tcp': |
| 347 | 373 | | Message = ParseMSKerbv5TCP(decoded['data'][20:]) |
| 348 | 374 | | if Message: |
| skipped 66 lines |
| 415 | 441 | | l.warning(HeadMessage) |
| 416 | 442 | | l.warning(Message) |
| 417 | 443 | | print HeadMessage+'\n'+Message |
| 418 | | - | #print filter(lambda x: x in string.printable, decoded['data']) |
| 419 | 444 | | except: |
| 420 | 445 | | pass |
| 421 | 446 | | |
| skipped 233 lines |
| 655 | 680 | | raise |
| 656 | 681 | | |
| 657 | 682 | | Run() |
| | 683 | + | |
| 658 | 684 | | |
| 659 | 685 | | |
