Sniffing Passwords in SQL Server

A few days ago I talked about the risks of sending user passwords over the network unprotected, in Oracle. Today we are going to see the same demonstration for SQL Server.

From SSMS (in my case version 17.7, just installed) we run the following ALTER LOGIN against a SQL Server 2012 instance:

ALTER LOGIN antonion WITH PASSWORD = 'newpass';

Beforehand we started a sniffer between the client and the server, in my case Microsoft Message Analyzer (Wireshark is another tool I recommend; it is open source and free, as is the Microsoft one). The statement travels in a TDS SQL Batch packet as UTF-16LE text, so unless the connection is encrypted the new password is readable byte by byte by anyone on the path. If we focus on the payload of the TCP frame:

[Screenshot: the TCP payload of the captured packet, with the ALTER LOGIN statement and the password visible in clear text]
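To see exactly what the sniffer is looking at, here is an added Python example (not the post's own code, and not a Microsoft tool) that builds a TDS SQL Batch packet equivalent to the ALTER LOGIN above, then parses it the way a detection script over a pcap would: it walks the 8-byte TDS header, skips the ALL_HEADERS block that TDS 7.2+ clients prepend, decodes the UTF-16LE statement, flags any PASSWORD = '...' clause and redacts the literal before it is logged. The packet, the SPID and the login name are constructed for the example; the field layout follows the MS-TDS specification, and it assumes the statement fits in one packet.

```python
"""Parse a captured TDS SQL Batch packet and flag clear-text password statements.

Added example for this post, not the author's code. The packet is constructed
here to mirror the ALTER LOGIN sent from SSMS; its layout follows MS-TDS:
an 8-byte packet header, then (TDS 7.2 and later) an ALL_HEADERS block,
then the T-SQL text as UTF-16LE. Assumed: one statement fits in one packet.
"""
import re
import struct
from typing import List, Optional

TDS_SQL_BATCH = 0x01   # packet type for a T-SQL batch
TDS_STATUS_EOM = 0x01  # status bit: end of message

# PASSWORD = 'literal' (optionally N'...'); '' inside the literal is an escaped quote.
# Also catches OLD_PASSWORD = '...' in ALTER LOGIN. Does not catch positional
# arguments such as sp_addlogin 'x', 'y'; extend the pattern for those.
PASSWORD_RE = re.compile(r"(PASSWORD\s*=\s*N?')((?:[^']|'')*)(')", re.IGNORECASE)


def build_sql_batch(sql: str, spid: int = 51) -> bytes:
    """Build a single TDS 7.2+ SQL Batch packet carrying `sql` (constructed test input)."""
    text = sql.encode("utf-16-le")
    # ALL_HEADERS: TotalLength(4) + Transaction Descriptor header:
    #   HeaderLength(4)=18, HeaderType(2)=0x0002, TransactionDescriptor(8),
    #   OutstandingRequestCount(4). All little-endian.
    all_headers = struct.pack("<IIHQI", 22, 18, 0x0002, 0, 1)
    body = all_headers + text
    # Packet header is big-endian: Type, Status, Length (incl. header), SPID, PacketID, Window
    header = struct.pack(">BBHHBB", TDS_SQL_BATCH, TDS_STATUS_EOM, 8 + len(body), spid, 1, 0)
    return header + body


def extract_sql(packet: bytes) -> Optional[str]:
    """Return the T-SQL text in a SQL Batch packet, or None for any other packet type."""
    if len(packet) < 8:
        return None
    ptype, _status, length, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_SQL_BATCH:
        return None
    data = packet[8:length]
    # TDS 7.2+ clients prefix ALL_HEADERS; TDS 7.1 and earlier send the text directly.
    if len(data) >= 22:
        total_len, hdr_len, hdr_type = struct.unpack("<IIH", data[:10])
        if total_len == 22 and hdr_len == 18 and hdr_type == 0x0002:
            data = data[total_len:]
    return data.decode("utf-16-le", errors="replace")


def find_password_literals(sql: str) -> List[str]:
    """Return every password literal found in PASSWORD = '...' clauses."""
    return [m.group(2) for m in PASSWORD_RE.finditer(sql)]


def redact(sql: str) -> str:
    """Mask password literals so the alert can be logged without leaking them again."""
    return PASSWORD_RE.sub(r"\1***\3", sql)


if __name__ == "__main__":
    captured = build_sql_batch("alter login antonion with password = 'newpass'")
    # What the sniffer shows: header, ALL_HEADERS, then 61 00 6c 00 74 00 ... ("alt...")
    print(captured.hex(" ", 1))
    sql = extract_sql(captured)
    if sql and find_password_literals(sql):
        print("clear-text password on the wire:", redact(sql))
```

The same parser can be pointed at the TCP payload of each packet to port 1433 in a capture; anything that is not a SQL Batch (pre-login, login, RPC) is returned as None, and the redacted statement is what should go into the alert, never the literal.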

As always, be careful of what is sent over the network, or encrypt the communication between client and server, either with a VPN or with SQL Server's native TLS encryption (Force Encryption on the server, or Encrypt=True in the client connection string, with a server certificate the client trusts; TrustServerCertificate=True encrypts but does not authenticate the server). You can verify whether a session is actually encrypted through the encrypt_option column of sys.dm_exec_connections. In the following URL I indicate the documentation for the 2008 R2 versions:

Encrypting Connections to 2008 R2

HTH – Antonio NAVARRO
