If you can hear the password, you can repeat it. In this video, you’ll learn how replay attacks can be used to gain access to privileged information.
We are sending important information over a network all the time, and the bad guys know this. And if they can find information that might help them later, they will grab that data and be able to replay it later on. To be able to replay this information, the bad guys need access to the network packets. So they may install their own tap, they may find some third-party method to be able to gather those packets, or they may install malware on the victim’s computer to capture the information locally and then send it to the bad guys later on.
Once the attackers have this data, they can replay it across the network effectively making themselves look exactly like the original user. Although you could perform a man in the middle attack to capture the original packets, the actual replay attack does not require that you’re in the middle. In fact, the original user doesn’t even need to be on the network at all.
Here’s how this process would work. We’ve got a legitimate user communicating to his server and then we have the bad guy down here who has got the link off the existing switch to gain access to the data going across the network. The user sends the legitimate authentication request to the server. A copy of that information is sent to the bad guy’s workstation, and he captures that data.
Later on, the bad guy can decide that he would like to now pretend to be the original user, so he simply replays that information across the network, takes all of those packets and information that was previously copied, and sends it off to the server. As long as the username, and hash, and everything matches the original request, the server doesn’t know the difference and allows the bad guy access to the account. This would obviously be a significant vulnerability if this is something that anyone could do. Fortunately, most of our applications these days are salting the passwords so that they are different every time they go across the network, or all the information is encrypted to begin with. So even if somebody did manage to capture that encrypted information, they wouldn’t be able to send anything discernible back across the network.