Network sniffing

Sniffing JDBC™ network traffic is one possibility for intruders to compromise database applications. This requires physical access to either of:

  • Server host

  • Client host

  • intermediate hub, switch or router.

Figure 872. Sniffing a JDBC™ connection by an intruder. Slide presentation

We demonstrate a possible attack by analyzing the network traffic between our application shown in Figure 858, “JDBC™ backed data insert ” and the Mysql database server. Prior to starting the application we set up Wireshark for filtered capturing:

Figure 873. Setting up Wireshark Slide presentation
  • Database server and JDBC client on same machine.

  • Connecting to the loopback (lo) interface only.

    (Sufficient since client connects to localhost)

  • Capture packets of type TCP having port number 3306.

Setting up Wireshark

Figure 874. Capturing results Slide presentation
[...
5.5.24-0ubuntu0.12.04.1.%...X*e?I1ZQ...................e,F[yoA5$T[N.mysql_native_password.
 A...........!.......................hdmuser ❶......U.>S.%..~h...!.xhdm............j..../*

 ... INSERT INTO Person VALUES('Jim', 'jim@foo.org') ❷6...
  .&.#23000Duplicate entry 'jim@foo.org' for key 'email' 

username initiating database connection.

INSERT(...) statement.

Resulting error message sent back to the client.

Password?


Figure 875. Mysql security Slide presentation

What about the missing password?

Making MySQL Secure Against Attackers:

When you connect to a MySQL server, you should use a password.

The password is not transmitted in clear text over the connection.


So regarding our (current) Mysql implementation the impact of this attack type is somewhat limited but still severe: All data being transmitted between client and server may be disclosed. This typically comprises sensible data as well. Possible solutions:

Figure 876. Mysql security Slide presentation
  • Data exchange client to server nearly fully disclosed.

  • Mysql mitigates the attack type's severity

  • Possible solutions:

  • Irrelevant e.g. within DMZ.