| skipped 269 lines |
270 | 270 | | except: |
271 | 271 | | pass |
272 | 272 | | |
| 273 | + | def ParseSqlClearTxtPwd(Pwd): |
| 274 | + | Pwd = map(ord,Pwd.replace('\xa5','')) |
| 275 | + | Pw = [] |
| 276 | + | for x in Pwd: |
| 277 | + | Pw.append(hex(x ^ 0xa5)[::-1][:2].replace("x","0").decode('hex')) |
| 278 | + | return ''.join(Pw) |
| 279 | + | |
| 280 | + | def ParseMSSQLPlainText(data): |
| 281 | + | UsernameOffset = struct.unpack('<h',data[48:50])[0] |
| 282 | + | PwdOffset = struct.unpack('<h',data[52:54])[0] |
| 283 | + | AppOffset = struct.unpack('<h',data[56:58])[0] |
| 284 | + | PwdLen = AppOffset-PwdOffset |
| 285 | + | UsernameLen = PwdOffset-UsernameOffset |
| 286 | + | PwdStr = ParseSqlClearTxtPwd(data[8+PwdOffset:8+PwdOffset+PwdLen]) |
| 287 | + | UserName = data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le') |
| 288 | + | return "MSSQL Username: %s Password: %s"%(UserName, PwdStr) |
| 289 | + | |
273 | 290 | | def Decode_Ip_Packet(s): |
274 | 291 | | d={} |
275 | 292 | | d['version']=(ord(s[0]) & 0xf0) >> 4 |
| skipped 47 lines |
323 | 340 | | FTPPass = re.findall('(?<=PASS )[^\r]*', decoded['data']) |
324 | 341 | | HTTPNTLM2 = re.findall('(?<=WWW-Authenticate: NTLM )[^\\r]*', decoded['data']) |
325 | 342 | | HTTPNTLM3 = re.findall('(?<=Authorization: NTLM )[^\\r]*', decoded['data']) |
| 343 | + | NTLMSSP1 = re.findall('NTLMSSP\x00\x01\x00\x00\x00.*[^EOF]*', decoded['data']) |
326 | 344 | | NTLMSSP2 = re.findall('NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', decoded['data']) |
327 | 345 | | NTLMSSP3 = re.findall('NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL) |
328 | 346 | | if activate_cc: |
| skipped 14 lines |
343 | 361 | | except: |
344 | 362 | | pass |
345 | 363 | | |
| 364 | + | if DstPort == 1433 and decoded['data'][20:22]=="\x10\x01" and len(NTLMSSP1) <=0: |
| 365 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 366 | + | Message = ParseMSSQLPlainText(decoded['data'][20:]) |
| 367 | + | if PrintPacket(Filename,Message): |
| 368 | + | l.warning(HeadMessage) |
| 369 | + | l.warning(Message) |
| 370 | + | print HeadMessage+'\n'+Message |
| 371 | + | |
346 | 372 | | if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'tcp': |
347 | 373 | | Message = ParseMSKerbv5TCP(decoded['data'][20:]) |
348 | 374 | | if Message: |
| skipped 66 lines |
415 | 441 | | l.warning(HeadMessage) |
416 | 442 | | l.warning(Message) |
417 | 443 | | print HeadMessage+'\n'+Message |
418 | | - | #print filter(lambda x: x in string.printable, decoded['data']) |
419 | 444 | | except: |
420 | 445 | | pass |
421 | 446 | | |
| skipped 233 lines |
655 | 680 | | raise |
656 | 681 | | |
657 | 682 | | Run() |
| 683 | + | |
658 | 684 | | |
659 | 685 | | |
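Review bot: ParseMSSQLPlainText (new lines 280-288) trusts three offsets read from the captured packet with no length or ordering check, so a truncated or malformed login record on port 1433 makes `struct.unpack` raise on a short slice, and an odd-length username slice makes `.decode('utf-16le')` raise. The `'<h'` format also reads the offsets as signed, so a value above 0x7fff turns negative and the slices silently index from the end of the buffer; `'<H'` reads the same two bytes as unsigned. A guard such as `if len(data) < 58: return None` followed by `if not (UsernameOffset <= PwdOffset <= AppOffset and 8+AppOffset <= len(data)): return None` would reject these inputs, with the caller at new line 367 changed to `if Message and PrintPacket(Filename,Message):`. Indentation is lost on this page, so it is unclear whether the call at new line 366 sits inside an enclosing try; the parser should not depend on one. Separately, the match at new line 364 appears to assume a 20-byte TCP header via `decoded['data'][20:22]`, which would misread segments that carry TCP options.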