
MSSQL Honeypot

Detect unauthorized access attempts targeting Microsoft SQL Server.

  • Default Port - 1433
  • Protocol - TCP (TDS)
  • Detection - Username

About Microsoft SQL Server

Microsoft SQL Server is the dominant database platform in Windows-based enterprise environments, powering ERP systems, CRM platforms, and business intelligence tools. MSSQL credentials are high-value targets because they often provide access to sensitive business data and can enable lateral movement through linked servers and xp_cmdshell.

What Gets Captured

When an attacker attempts to connect using your MSSQL honeypot credentials, Tripwires captures:

  • Username - The username from the TDS Login7 packet
  • Source IP - The attacker's IP address
  • Timestamp - Exact time of the connection
  • Application name - The client application identifier
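
The username and application name sit at fixed positions in the Login7 message's offset table. The parser below is an added example, not Tripwires' own code, and pulls those fields out of one Login7 packet with the bounds checks a listener exposed to hostile input needs. It assumes the bytes are already decrypted (real clients normally send Login7 inside TLS after PRELOGIN) and that the message fits in one TDS packet; the sample packet and the hostname WS-042 are constructed.

```python
import struct

TDS_LOGIN7 = 0x10   # TDS packet type for Login7
FIXED_LEN = 94      # fixed part of the Login7 body, including the offset table
# Position of each (offset, char count) pair inside the Login7 body, per MS-TDS.
FIELDS = {"hostname": 36, "username": 40, "appname": 48,
          "servername": 52, "database": 68}

def build_login7(values):
    """Constructed sample only: build a minimal Login7 packet for the parser."""
    data, table = b"", {}
    for name, text in values.items():
        table[name] = (FIXED_LEN + len(data), len(text))
        data += text.encode("utf-16-le")
    body = bytearray(FIXED_LEN) + data
    struct.pack_into("<II", body, 0, len(body), 0x74000004)  # length, TDS 7.4
    for name, (ib, cch) in table.items():
        struct.pack_into("<HH", body, FIELDS[name], ib, cch)
    header = struct.pack(">BBHHBB", TDS_LOGIN7, 0x01, 8 + len(body), 0, 1, 0)
    return header + bytes(body)

def parse_login7(packet):
    """Return the string fields a honeypot would log, or raise ValueError."""
    if len(packet) < 8 + FIXED_LEN:
        raise ValueError("too short for a Login7 packet")
    ptype, _status, length = struct.unpack_from(">BBH", packet, 0)
    if ptype != TDS_LOGIN7:
        raise ValueError("not a Login7 packet (type 0x%02x)" % ptype)
    body = packet[8:length]  # assumption: Login7 fits in a single TDS packet
    if len(body) < FIXED_LEN or struct.unpack_from("<I", body, 0)[0] != len(body):
        raise ValueError("Login7 length field does not match the data")
    out = {}
    for name, pos in FIELDS.items():
        ib, cch = struct.unpack_from("<HH", body, pos)
        end = ib + 2 * cch  # cch counts UCS-2 characters, two bytes each
        if cch and (ib < FIXED_LEN or end > len(body)):
            raise ValueError("%s offset/length outside packet" % name)
        out[name] = body[ib:end].decode("utf-16-le", errors="replace")
    return out

# Constructed sample: what a client using the planted credentials might send.
SAMPLE = build_login7({"hostname": "WS-042", "username": "sa",
                       "appname": "sqlcmd", "database": "master",
                       "servername": "mssql-xxx.gettripwires.com"})
```
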

Connection String Formats

MSSQL credentials can be planted in various formats depending on your tech stack:

Connection String

Server=mssql-xxx.gettripwires.com,1433;Database=master;User Id=sa;Password=password;

sqlcmd

sqlcmd -S mssql-xxx.gettripwires.com,1433 -U sa -P password

.NET/C#

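using Microsoft.Data.SqlClient; // System.Data.SqlClient on older projects
// Decoy connection string pointing at the honeypot host
var connectionString = "Server=mssql-xxx.gettripwires.com,1433;Database=master;User Id=sa;Password=password;";
using var connection = new SqlConnection(connectionString);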

Python (pyodbc)

import pyodbc
conn = pyodbc.connect(
    'DRIVER={ODBC Driver 17 for SQL Server};'
    'SERVER=mssql-xxx.gettripwires.com,1433;'
    'DATABASE=master;UID=sa;PWD=password'
)

Strategic Placement Ideas

ERP System Configs

Leave as a 'SAP/Dynamics database' connection in ERP configuration files.

SSRS/SSIS Packages

Add as 'reporting database' credentials in SQL Server Integration Services packages.

Web.config Files

Include as 'legacy application database' in ASP.NET configuration backups.