Sniffing Password In SQL Server

A few days ago I talked about the risk of sending user passwords over the network without protection in Oracle. Today we are going to see the same demonstration for SQL Server.

From SSMS (in my case version 17.7, just installed) we run the following ALTER LOGIN against a SQL Server 2012 instance:

alter login antonion with password = 'newpass'

Beforehand we started a sniffer between the client and the server, in my case Microsoft Message Analyzer (Wireshark is another tool I recommend: it is open source and, like Microsoft's, free). If we look at the payload of the TCP frame, the whole statement, new password included, travels in clear text:


As always, be careful about what is sent over the network, or encrypt the communication between client and server, either with a VPN or with native Microsoft encryption (Force Encryption on the server side, or the Encrypt keyword in the client connection string). Keep in mind that by default SQL Server only encrypts the login packets; the T-SQL batches that follow, such as the ALTER LOGIN above, go in clear text unless the connection itself is encrypted. You can check whether your own session is encrypted by looking at the encrypt_option column of sys.dm_exec_connections. The following URL points to the documentation for the 2008 R2 versions:

Encrypting Connections to 2008 R2



Released SQL Server Management Studio 17.7

Microsoft has recently released a new version of SQL Server Management Studio (SSMS), specifically version 17.7. You can download it for free from the URL below. It must be acknowledged that Microsoft is constantly improving in the database field.

Download SSMS 17.7

If you have a previous 17.x version you can upgrade to version 17.7 using the following link:

Upgrade SSMS from 17.x to 17.7




New Versions But Old Vices

In today's post I want to talk about passwords in Oracle. Since very old versions it has been very easy to "catch" password changes with a sniffer. Oracle's recommendation, repeated in many forums, is to use the password command from SQL*Plus instead of executing an alter user. By now the client should be smarter, or at least offer the option to protect this kind of SQL statement (alter) on the wire.

Let's see an example. We connect with the 18c client to a 12.1 database as user scott.


Now we change the password with the alter user command, as shown below:

SQL> alter user scott identified by scott1234;

Using a sniffer (in this test Microsoft Message Analyzer) we can see the payload of the TCP frame between my laptop and the server, with the new password in clear text:


Now we use the password command from SQL*Plus. The TCP frame captured by the sniffer is shown below; this time the new password does not appear in clear text:


How to minimize the risk

– First of all, do not use "alter user" (or "create user ... identified by") to set passwords from a client; use the password command from SQL*Plus.
– Use encrypted communications between the client and the database server (Oracle native network encryption, configured in sqlnet.ora, or a VPN).
– Bear in mind that, from what I see, in this client version (18) Oracle still does not protect its memory areas, so encrypting the communication channel is only a partial measure if an attacker has access to the memory of the client machine: the password can be read there before it is ever sent. Windows DPAPI already offers a fairly acceptable way to encrypt memory via CryptProtectMemory / ProtectedMemory.
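Both of the captures above (the ALTER LOGIN sent from SSMS in the SQL Server post and the ALTER USER sent from SQL*Plus in this one) can be recognised automatically rather than by eye. The script below is an added example, not code from either post: it frames the two statements the way they travel on the wire (a TDS SQL_BATCH packet with TDS 7.2+ framing for SQL Server, and an Oracle TNS DATA packet with the classic 8-byte header and a made-up TTC prefix in front of the SQL text), parses them back, and flags any statement whose SQL text carries a password. The packet contents are constructed here, not captured, and the TTC prefix bytes are invented; only the framing around the SQL text is real.

```python
"""Spot clear-text password changes in captured database traffic.

Added example, not code from the original posts. The two sample packets below are
constructed here, not captured: a TDS SQL_BATCH packet as SSMS sends it to SQL
Server 2012 (TDS 7.2 or later framing assumed, one packet per batch) and an Oracle
TNS DATA packet with a classic 8-byte header and a made-up TTC prefix before the SQL.
"""
from __future__ import annotations

import re
import struct

TDS_SQL_BATCH = 0x01   # TDS packet type for a T-SQL batch
TNS_DATA = 0x06        # TNS packet type for a data packet

# Statements whose SQL text itself carries a secret (group 1 is the password).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?:alter|create)\s+login\s+\S+\s+with\s+password\s*=\s*'([^']*)'", re.I),
    re.compile(r"(?:alter|create)\s+user\s+\S+\s+identified\s+by\s+([^\s;\x00-\x1f]+)", re.I),
]


def build_tds_sql_batch(sql: str, spid: int = 0) -> bytes:
    """Frame sql as a single TDS SQL_BATCH packet (header, ALL_HEADERS, UTF-16LE text)."""
    text = sql.encode("utf-16-le")
    # One Transaction Descriptor header: length, type 2, 8-byte descriptor, request count.
    headers = struct.pack("<IH", 18, 2) + bytes(8) + struct.pack("<I", 1)
    all_headers = struct.pack("<I", 4 + len(headers)) + headers
    length = 8 + len(all_headers) + len(text)
    # type, status (0x01 = end of message), length, spid, packet id, window
    return struct.pack(">BBHHBB", TDS_SQL_BATCH, 0x01, length, spid, 1, 0) + all_headers + text


def build_tns_data(data: bytes) -> bytes:
    """Frame data as a TNS DATA packet: 8-byte header plus 2-byte data flags."""
    length = 8 + 2 + len(data)
    # packet length, packet checksum, type, reserved, header checksum
    return struct.pack(">HHBBH", length, 0, TNS_DATA, 0, 0) + b"\x00\x00" + data


def tds_batch_text(packet: bytes) -> str | None:
    """Return the T-SQL of a TDS SQL_BATCH packet, or None if packet is not one."""
    if len(packet) < 8:
        return None
    ptype, _status, length, _spid, _pid, _win = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_SQL_BATCH or length != len(packet):
        return None
    body = packet[8:]
    if len(body) < 4:
        return None
    all_headers_len = struct.unpack("<I", body[:4])[0]   # TDS 7.2+ ALL_HEADERS block
    if all_headers_len > len(body):
        return None
    return body[all_headers_len:].decode("utf-16-le", errors="replace")


def tns_data_payload(packet: bytes) -> bytes | None:
    """Return the payload of a TNS DATA packet (after header and data flags), else None."""
    if len(packet) < 10:
        return None
    length, _chk, ptype, _res, _hchk = struct.unpack(">HHBBH", packet[:8])
    if ptype != TNS_DATA or length != len(packet):
        return None
    return packet[10:]


def find_exposed_credentials(text: str) -> list[dict]:
    """Return one {"statement", "secret"} entry per credential-bearing statement in text."""
    hits = []
    for pattern in CREDENTIAL_PATTERNS:
        for m in pattern.finditer(text):
            hits.append({"statement": m.group(0), "secret": m.group(1)})
    return hits


def inspect_payload(packet: bytes) -> list[dict]:
    """Try the packet as TDS, then as TNS, and report any password sent as SQL text."""
    text = tds_batch_text(packet)
    if text is None:
        raw = tns_data_payload(packet)
        if raw is None:
            return []
        # Oracle sends the SQL as 8-bit text inside a binary TTC message; latin-1
        # keeps every byte, and the binary bytes never match the patterns above.
        text = raw.decode("latin-1")
    return find_exposed_credentials(text)


# Constructed samples: the two statements from the posts, framed as on the wire.
SAMPLE_TDS_PACKET = build_tds_sql_batch("alter login antonion with password = 'newpass'")
SAMPLE_TNS_PACKET = build_tns_data(
    b"\x03\x5e\x02\x61\x80\x00\x00\x00"          # made-up TTC prefix, not a real capture
    + b"alter user scott identified by scott1234\x00"
)

if __name__ == "__main__":
    for name, packet in (("TDS", SAMPLE_TDS_PACKET), ("TNS", SAMPLE_TNS_PACKET)):
        for hit in inspect_payload(packet):
            print(f"{name}: clear-text password {hit['secret']!r} in {hit['statement']!r}")
```

The TDS side is a real parser (it checks the packet type and length and skips the ALL_HEADERS block before decoding the UTF-16LE text); the Oracle side only strips the TNS framing and searches the remaining bytes, because the TTC message that wraps the SQL is binary and not worth parsing just to find the statement. A LOGIN7 packet is deliberately not handled: as noted above, SQL Server encrypts the login exchange even when the rest of the session is clear text, so the login password is not what a sniffer shows. Feed the same functions the TCP payloads from a real capture and they will flag any password change sent as SQL text; a session with encryption enabled yields no matches because the payload is TLS.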



Oracle Java Serialization/Deserialization

Oracle plans to drop support for data serialization/deserialization from the main body of the Java language, according to Mark Reinhold, chief architect of the Java platform group at Oracle.

Serialization is the process of taking a data object and converting it into a stream of bytes (binary format), so it can be transported across a network or saved inside a database, only to be deserialized later and used in its original form.

Many products are exposed to this class of attack, in which an attacker supplies a crafted byte stream that the application deserializes into objects it never intended to create, since Java is the basis of a great many solutions. Around the database there are several Java-based components exposed to it, the most significant being the REST services, which Oracle defines as follows (from the Oracle documentation):

Oracle REST Data Services (ORDS) makes it easy to develop modern REST interfaces for relational data in the Oracle Database, Oracle Database 12c JSON Document Store, and Oracle NoSQL Database. A mid-tier Java application, ORDS maps HTTP(S) verbs (GET, POST, PUT, DELETE, etc.) to database transactions and returns any results formatted using JSON.