Combining passive and active attacks - Replay Attacks
Theory
A combined cyber attack leverages both passive and active techniques to compromise a system or gain unauthorized access to sensitive information.
Here are some examples of how passive and active attacks can be combined:
Man-in-the-Middle (MITM) Attack: A MITM attack involves intercepting and eavesdropping on data transmissions between two parties, while also actively altering the data being transmitted. This allows the attacker to not only listen to the conversation but also manipulate it in real-time. For example, an attacker could intercept login credentials being sent over an unsecured network, and then alter the credentials to gain unauthorized access to a system.
Password Cracking: Password cracking involves trying to guess or crack a user's password to gain access to their account or system. In a combined attack, an attacker could use a passive attack like eavesdropping to intercept a user's login credentials, and then use an active attack like brute force password cracking to guess the user's password.
Phishing: Phishing involves tricking a user into providing sensitive information, such as login credentials or financial information. In a combined attack, an attacker could use a passive attack like eavesdropping to intercept a user's login credentials, and then use an active attack like phishing to trick the user into providing additional sensitive information.
To protect against combined attacks, it's important to implement multiple layers of security, such as using encryption to protect data transmissions, using multi-factor authentication to verify user identity, and implementing security awareness training to educate users on how to identify and avoid phishing attacks.
A replay attack is a type of attack that combines both passive and active attacks. In this type of attack, an attacker intercepts and records a data transmission between two parties and then replays the data transmission at a later time to impersonate one of the parties and gain unauthorized access.
Here is an example of a replay attack:
Suppose Alice sends a message to Bob asking for his password to access a particular system. Bob, thinking that Alice is authorized to access the system, sends his password to her. An attacker, Eve, intercepts the message between Alice and Bob and records the password. Later on, Eve replays the same message to gain access to the system using Bob's credentials.
In this scenario, Eve is using a combination of a passive attack (eavesdropping) and an active attack (replaying the message) to gain unauthorized access to the system. By replaying the intercepted message, Eve is able to impersonate Bob and gain access to the system using his credentials.
To prevent replay attacks, various security measures can be implemented. These include:
- Cryptographic Protocols: Use protocols that provide message authentication to verify the source and integrity of messages.
- Nonces: Implement nonces (random numbers used only once) in communications to prevent attackers from replaying old messages.
- Timestamps: Add timestamps to messages to ensure they are not accepted if they are outside a valid time window.
Technical Details of Replay Attacks
A replay attack typically occurs in two phases:
Phase 1 – Interception (Passive)
- The attacker eavesdrops on the communication
- Records sensitive data such as:
- Login requests
- Authentication tokens
- Session IDs
- Payment confirmations
Phase 2 – Replay (Active)
- The attacker replays the recorded data to the server to:
- Gain unauthorized access
- Duplicate transactions
- Bypass authentication
- Often targets protocols that lack freshness checks like timestamps or unique session tokens
- The attacker replays the recorded data to the server to:
Common Examples of Replay Attacks
| Example | Target | Attack Goal |
|---|---|---|
| Replaying login request | Web Authentication | Bypass password without knowing it |
| Reusing a payment confirmation | Online Transaction | Duplicate payment without authorization |
| Repeating OTP or token | Banking Apps | Gain unauthorized access or transfer funds |
Replay Attack Flow
Step 1: Legitimate Communication
+--------+ +--------+
| Client | -------- Request (Login) ---> | Server |
+--------+ +--------+
Step 2: Attacker Listens and Captures
|
v
+--------------------+
| Attacker |
| (Interception Tool)|
+--------------------+
Step 3: Replays the Same Request
+--------+ +--------+
| Attacker (Impersonates Client) ------> | Server |
| (Replay Saved Request) | |
+--------+ +--------+
Result:
Server believes it's the original client!