SQLViking is a post-exploitation tool written in Python that focuses on leveraging unencrypted connections between database and web servers. It consists of two pieces: one passive and one active. The passive piece, dubbed Scout, sits on the wire and silently collects information passed between database servers and clients. The active piece, Pillage, leverages TCP injection to run arbitrary queries against a database without credentials or man-in-the-middling. SQLViking was designed with extensibility in mind: through Python's abstract base classes, the open source community can easily add support for new databases without touching any of the tool's actual logic. This talk will cover how the tool works from a functional perspective, as well as existing and future features. It will also discuss the root issue that allows this tool to work and how to protect yourself against such an attack.