Chapter 49 Β· Concepts

Replay Attack Concepts

Attack mechanics, replay vs. on-path comparison, pass-the-hash flow, session hijacking mechanics, and the defense stack in structured reference format.

Replay Attack vs. On-Path Attack β€” Key Differences

PropertyOn-Path AttackReplay Attack
Attacker PositionMust remain between victims during the attackCaptures data once; replays later β€” no ongoing positioning required
TimingReal-time β€” intercepts communication as it happensAsynchronous β€” capture and replay are separate events, potentially hours or days apart
Original Connection Required?Yes β€” attack operates on the live connectionNo β€” replay can happen after the original session ends, with the original victim offline
What Is CapturedAll traffic in both directionsSpecific valuable data: auth credentials, session tokens, transaction data
Modification CapabilityCan read and modify traffic in transitReplays original captured data β€” no modification (the data is valid as-is)
RelationshipOften used as the capture method for a replay attackOften uses on-path capture as its data gathering phase
Primary DefenseDAI, network segmentation, HTTPSEncryption (deny capture), salting/nonces (invalidate replayed tokens)

Replay Attack β€” General Flow

1. Target identification β€” attacker identifies valuable network traffic to target: authentication exchanges, session token transmissions, or financial transaction requests
2. Data capture β€” attacker obtains raw network data using: network tap (physical), ARP poisoning (redirects traffic through attacker), or malware on victim's device (captures locally before transmission)
3. Data extraction β€” attacker identifies the valuable component from the captured traffic: password hash, session ID, transaction token
4. Storage β€” attacker stores the captured credential; the original session may have ended, the victim may be offline β€” the replayed credential is stored independently
5. Replay β€” attacker retransmits the captured data to the target server, impersonating the original sender; server has no mechanism to distinguish fresh credential from replayed one and grants access
6. Access β€” attacker operates on the server with the victim's authentication level; the victim is unaware their credential has been replayed

Pass-the-Hash β€” Step by Step

1. Normal user authentication begins β€” victim's client computer prepares an authentication request; the password is hashed locally (e.g., NTLM hash), and the username + hash are transmitted to the server
2. Attacker intercepts the exchange β€” during transmission, attacker captures a copy of the authentication exchange (via ARP poisoning, network tap, or malware); attacker receives: username + hashed password β€” identical to what the server receives
3. Legitimate authentication completes β€” the real user's username + hash reaches the server; server verifies the hash matches its stored hash; authentication succeeds; victim is now logged in
4. Attacker stores the hash β€” attacker now holds a valid username + hash pair; the plaintext password is unknown and irrelevant; the hash is the functional credential
5. Replay authentication β€” attacker sends their own authentication request to the server containing the captured username + hash; server receives a valid username/hash pair; no mechanism to detect the replay; authentication succeeds
6. Attacker has server access β€” attacker is now authenticated as the victim; full access to whatever the victim's account can reach on the server

Why Pass-the-Hash Works: The Hash IS the Credential

In authentication systems that transmit hashed passwords (such as NTLM), the hash is what the server actually validates. The server stores a hash of the password and compares incoming hashes against it. The server never sees the plaintext password during authentication β€” only the hash.

This means the hash is functionally equivalent to the password for authentication purposes. You don't need to reverse the hash (which is computationally infeasible for strong hash functions) β€” you just need to present the hash directly. The server cannot tell whether the hash was generated from a password typed by the real user, or extracted from captured network traffic by an attacker.

The fix β€” salting with nonces: The server issues a unique challenge value (nonce/salt) for each authentication attempt. The client incorporates this nonce into the hash computation. Even if the attacker captures the resulting hash, it is only valid for that specific nonce β€” which the server never issues again. Replaying the hash in a new authentication attempt fails because the new authentication will have a different nonce, and the old hash doesn't match it.

Session Hijacking β€” Web Session Flow

1. User authenticates β€” victim provides username and password to the web server; server verifies credentials
2. Server creates session ID β€” server generates a unique, random session identifier (e.g., "3B80027A38FDF37C..."); stores it server-side as representing an authenticated session for this user
3. Session ID delivered to browser β€” server sends the session ID to the browser in an HTTP Set-Cookie header; browser stores it as a cookie
4. Browser uses session ID for subsequent requests β€” every subsequent HTTP request the browser makes to this site automatically includes the Cookie header with the session ID; server looks up the session ID and responds as the authenticated user
5. Attacker captures session ID β€” if the session ID is transmitted over unencrypted HTTP, the attacker passively captures it from network traffic; tools: Wireshark, Kismet, Firesheep; XSS can also steal it from within the browser
6. Attacker replays session ID β€” attacker crafts HTTP requests including the stolen session ID in the Cookie header; server recognizes valid session ID; responds as if attacker were the authenticated victim

Data Capture Methods Compared

MethodHow It WorksRequiresDetectable?
Network TapPhysical hardware device copies all traffic from a cable segment to the attackerPhysical access to network cabling/equipmentVery difficult β€” produces no network traffic; hardware-only detection
ARP PoisoningCorrupts ARP caches to redirect victim's traffic through attacker's deviceSame subnet as victim; no passwordYes β€” anomalous ARP traffic in packet capture; DAI will block it
Malware on VictimSoftware on victim's computer captures data before/during transmissionMalware delivery (phishing, drive-by); local device accessEndpoint detection; behavioral analysis
Passive Wi-Fi CaptureMonitor mode adapter captures all traffic on open/shared Wi-FiPhysical proximity to Wi-Fi networkDifficult β€” passive only; no transmission required from attacker
Cross-Site ScriptingInjected script steals cookie from inside the victim's browserXSS vulnerability on target site; victim visits pageRequires server-side detection of XSS; CSP can block script execution

Header Manipulation Tools

ToolTypeWhat It Does
WiresharkPacket capture (passive)Captures and analyzes all network packets; displays HTTP headers, cookie values, session tokens in plaintext from unencrypted traffic
KismetWireless packet capture (passive)Captures wireless traffic; identifies devices, APs, and unencrypted communications including session cookies on open Wi-Fi
FiresheepBrowser extension (session capture)Automated session cookie capture on shared Wi-Fi; one-click session hijacking against sites using HTTP; now largely ineffective due to HTTPS-everywhere
TamperBrowser extension (request modification)Intercepts and modifies browser HTTP requests; allows manual editing of headers and cookies before they are sent to the server
ScapyPacket manipulation library (Python)Constructs arbitrary network packets from scratch; used to forge HTTP requests with stolen session tokens in Cookie headers
Cookies Manager+Firefox add-on (cookie editing)Allows direct viewing and editing of all stored browser cookies; used to inject stolen session ID values for replay

Defense Stack

ControlAttack AddressedHow
HTTPS / TLS (end-to-end)Session ID capture via network monitoringEncrypts all traffic including cookie headers; attacker captures only ciphertext; session IDs are never transmitted in plaintext
VPN (end-to-somewhere)Session ID capture on untrusted networksEncrypts traffic from device to VPN concentrator; protects the most vulnerable segment (public Wi-Fi); partial coverage only
Salting / Nonce-based authPass-the-hash replayEach authentication uses a unique challenge; hash is valid only for that challenge; previously captured hashes cannot be replayed
HTTPOnly cookie flagXSS-based session cookie theftPrevents JavaScript from reading cookie values; injected scripts cannot extract session IDs even if XSS succeeds
Secure cookie flagSession ID exposure over HTTPBrowser only transmits cookie over HTTPS; prevents accidental exposure if HTTP version of site is visited
Short session lifetimesSession ID replaySession IDs expire quickly; reduces window during which a captured session ID remains valid for replay
Session binding (IP/UA)Session ID replay from different deviceServer ties session to originating IP or user-agent; replaying from a different device triggers invalidation or re-authentication
Encryption of auth trafficPass-the-hashIf authentication exchange is encrypted, attacker captures ciphertext rather than usable username/hash pairs