What is the difference between Man-in-the-middle and replay attacks?

Could someone explain what is the difference between Man-in-the-middle and replay attacks?

TIA

Find more posts tagged with

Comments

Replay attack is actually a kind of man in the middle attack. Typically a man in the middle attack is just a catch all term for nearly any attack where the hacker is capturing traffic between two hosts. Man in the middle may just be someone sniffing packets off the wire. A replay attack is obviously where the attacker captures traffic, and stores or manipulates it before sending it on.

Psoasman

A replay attack is when the attacker is able to capture some of your data packets on their way to the intended destination. They will then try to re-use this information to attack your network. You can mitigate this by using strong session security and digital signatures.

Man in the middle attacks are similar to replay attacks. The attacker will sometimes try to intercept the data or just capture some to use later. They may try to make the sender think they are the legitimate receiver. They may also try to add new messages and pass them on.

Hope that helps.

abefroman

Thanks! Helps.

Darril

Just as Psoasman and LogicBomb508 state, a replay attack is a more specific type of man-in-the-middle attack. I view the biggest difference in the intent. In the man-in-the-middle attack the intent is simply to capture the data, but in a replay attack the intent is to reuse the data in an an attack.

A man-in-the-middle attack is a form of active interception or eavesdropping. An attacker can use a sniffer or protocol analyzer (such as Wireshark) to capture transmitted data. A wireless access point placed in a wireless closet and transmitting captured data to someone outside the building can be considered a man-in the middle attack.

In a replay attack the captured data is later used to formulate an attack using the trasmitted data. For example, if the captured data includes credentials, the attacker can use those credentials to impersonate the client with slightly modified data packets.

Kerberos prevents replay attacks by making sure that all clients are within 5 minutes of each other and rejecting traffic outside of this five minute timeframe. Five minutes simply isn't enough time to capture the data, crack the credentials, and rebuild the data packets.

HTH,

Darril Gibson
Author: CompTIA Security+: Get Certified Get Ahead
www.sy0-201.com
Security+ Blog
Security Plus: Get Certified Get Ahead
Security+ Tip of day Tweets
twitter.com/DarrilGibson

abefroman

Darril wrote: »

Just as Psoasman and LogicBomb508 state, a replay attack is a more specific type of man-in-the-middle attack. I view the biggest difference in the intent. In the man-in-the-middle attack the intent is simply to capture the data, but in a replay attack the intent is to reuse the data in an an attack.

A man-in-the-middle attack is a form of active interception or eavesdropping. An attacker can use a sniffer or protocol analyzer (such as Wireshark) to capture transmitted data. A wireless access point placed in a wireless closet and transmitting captured data to someone outside the building can be considered a man-in the middle attack.

In a replay attack the captured data is later used to formulate an attack using the trasmitted data. For example, if the captured data includes credentials, the attacker can use those credentials to impersonate the client with slightly modified data packets.

Kerberos prevents replay attacks by making sure that all clients are within 5 minutes of each other and rejecting traffic outside of this five minute timeframe. Five minutes simply isn't enough time to capture the data, crack the credentials, and rebuild the data packets.

HTH,

Darril Gibson
Author: CompTIA Security+: Get Certified Get Ahead
www.sy0-201.com
Security+ Blog
Security Plus: Get Certified Get Ahead
Security+ Tip of day Tweets
twitter.com/DarrilGibson

Thanks Darril!

teancum144

I realize this is an older thread, but I had the same question. Synthesizing Darril's comments and other research, I came up with the following:

Man-In-The-Middle: An attack in which communications between two hosts are routed through the attacker’s host. The attacker can observe, modify, and/or block selected traffic before relaying to the intended host. Communications between the target hosts appear normal.

Replay: An attack in which a copy of communications between two hosts is obtained by the attacker. The attacker retransmits selected portions of the copied communications at a later time for nefarious purposes such as creating duplicate transactions, circumventing authentication, etc.

TenaciousD

I thought this might also help.

Here's a simple non-security related analogy of both attacks:

Man-in-the-middle Attack: In action movies where an intruder will hack into the CCTV (Closed-circuit Television) system and be able to switch off cameras or insert their own video, record video or just watch whats going on.

Replay Attack: Where an intruder hacks into a CCTV system, and plays a looped video, fooling any people monitoring the cameras into thinking that the looped video is live when it was prerecorded and played again and again. (Although in real replay attacks the packet will need to be modified before they can be used in the attack)

Hope this helps!

Lokimax24

Wow, this post is super old. But, I had a question on the topic. I'm managing a handful of Polycom HDX 7000's codecs. In reading the admin guides and security literature I've found that they have defenses against Man in the middle attacks. Does defense against MITM attacks also defend against Replay attacks? I can't find anything specifically addressing Replay attacks through Polycom. I'm also managing some Cisco SX80's and their literature does specifically address Replay attacks. Just wondering if it's all sort of the same boat? Thanks in advance for any info!