A few days ago I talked about the risks of sending user passwords through the network without protecting these in Oracle. Today we are going to see the demonstration for SQL Server.
We run from an SSMS (in my case version 17.7 just installed) the next alter login against a SQL Server 2012.
alter login antonion with password =’newpass’
Previously we have activated a sniffer between the client and the server, in my case Microsof Message Analyzer (Wireshark is another tool that I recommend, this code is open and also free as Microsoft). If we focus on the payload of the TCP frame;
As always, be careful of what is sent over the network or encrypt the communication between client and server, either by using VPN or using native Microsoft encryption. In the following URL I indicate the documentation for 2008 R2 versions;
HTH – Antonio NAVARRO