Options

What is the difference between Man-in-the-middle and replay attacks?

abefromanabefroman Banned Posts: 278
in Security+
Could someone explain what is the difference between Man-in-the-middle and replay attacks?

TIA
· Share on FacebookShare on Twitter

Comments

  • Options
    L0gicB0mb508L0gicB0mb508 Member Posts: 538
    Replay attack is actually a kind of man in the middle attack. Typically a man in the middle attack is just a catch all term for nearly any attack where the hacker is capturing traffic between two hosts. Man in the middle may just be someone sniffing packets off the wire. A replay attack is obviously where the attacker captures traffic, and stores or manipulates it before sending it on.
    I bring nothing useful to the table...
    · Share on FacebookShare on Twitter
  • Options
    PsoasmanPsoasman Member Posts: 2,687 ■■■■■■■■■□
    A replay attack is when the attacker is able to capture some of your data packets on their way to the intended destination. They will then try to re-use this information to attack your network. You can mitigate this by using strong session security and digital signatures.

    Man in the middle attacks are similar to replay attacks. The attacker will sometimes try to intercept the data or just capture some to use later. They may try to make the sender think they are the legitimate receiver. They may also try to add new messages and pass them on.

    Hope that helps.
    · Share on FacebookShare on Twitter
  • Options
    abefromanabefroman Banned Posts: 278
    Thanks! Helps.
    · Share on FacebookShare on Twitter
  • Options
    DarrilDarril Member Posts: 1,588
    Just as Psoasman and LogicBomb508 state, a replay attack is a more specific type of man-in-the-middle attack. I view the biggest difference in the intent. In the man-in-the-middle attack the intent is simply to capture the data, but in a replay attack the intent is to reuse the data in an an attack.

    A man-in-the-middle attack is a form of active interception or eavesdropping. An attacker can use a sniffer or protocol analyzer (such as Wireshark) to capture transmitted data. A wireless access point placed in a wireless closet and transmitting captured data to someone outside the building can be considered a man-in the middle attack.

    In a replay attack the captured data is later used to formulate an attack using the trasmitted data. For example, if the captured data includes credentials, the attacker can use those credentials to impersonate the client with slightly modified data packets.

    Kerberos prevents replay attacks by making sure that all clients are within 5 minutes of each other and rejecting traffic outside of this five minute timeframe. Five minutes simply isn't enough time to capture the data, crack the credentials, and rebuild the data packets.

    HTH,

    Darril Gibson
    Author: CompTIA Security+: Get Certified Get Ahead
    www.sy0-201.com
    Security+ Blog
    Security Plus: Get Certified Get Ahead
    Security+ Tip of day Tweets
    twitter.com/DarrilGibson
    Darril Gibson
    CompTIA A+, Network+, Security+ Blogs
    Daily Network+ and Security+ Test Taking Tips on Twitter
    · Share on FacebookShare on Twitter
  • Options
    abefromanabefroman Banned Posts: 278
    Darril wrote: »
    Just as Psoasman and LogicBomb508 state, a replay attack is a more specific type of man-in-the-middle attack. I view the biggest difference in the intent. In the man-in-the-middle attack the intent is simply to capture the data, but in a replay attack the intent is to reuse the data in an an attack.

    A man-in-the-middle attack is a form of active interception or eavesdropping. An attacker can use a sniffer or protocol analyzer (such as Wireshark) to capture transmitted data. A wireless access point placed in a wireless closet and transmitting captured data to someone outside the building can be considered a man-in the middle attack.

    In a replay attack the captured data is later used to formulate an attack using the trasmitted data. For example, if the captured data includes credentials, the attacker can use those credentials to impersonate the client with slightly modified data packets.

    Kerberos prevents replay attacks by making sure that all clients are within 5 minutes of each other and rejecting traffic outside of this five minute timeframe. Five minutes simply isn't enough time to capture the data, crack the credentials, and rebuild the data packets.

    HTH,

    Darril Gibson
    Author: CompTIA Security+: Get Certified Get Ahead
    www.sy0-201.com
    Security+ Blog
    Security Plus: Get Certified Get Ahead
    Security+ Tip of day Tweets
    twitter.com/DarrilGibson

    Thanks Darril!
    · Share on FacebookShare on Twitter
  • Options
    teancum144teancum144 Member Posts: 229 ■■■□□□□□□□
    I realize this is an older thread, but I had the same question. Synthesizing Darril's comments and other research, I came up with the following:

    Man-In-The-Middle: An attack in which communications between two hosts are routed through the attacker’s host. The attacker can observe, modify, and/or block selected traffic before relaying to the intended host. Communications between the target hosts appear normal.

    Replay: An attack in which a copy of communications between two hosts is obtained by the attacker. The attacker retransmits selected portions of the copied communications at a later time for nefarious purposes such as creating duplicate transactions, circumventing authentication, etc.
    If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D
    · Share on FacebookShare on Twitter
  • Options
    TenaciousDTenaciousD Registered Users Posts: 3 ■□□□□□□□□□
    I thought this might also help.

    Here's a simple non-security related analogy of both attacks:

    Man-in-the-middle Attack: In action movies where an intruder will hack into the CCTV (Closed-circuit Television) system and be able to switch off cameras or insert their own video, record video or just watch whats going on.

    Replay Attack: Where an intruder hacks into a CCTV system, and plays a looped video, fooling any people monitoring the cameras into thinking that the looped video is live when it was prerecorded and played again and again. (Although in real replay attacks the packet will need to be modified before they can be used in the attack)

    Hope this helps!
    · Share on FacebookShare on Twitter
  • Options
    Lokimax24Lokimax24 Member Posts: 1 ■■□□□□□□□□
    Wow, this post is super old.  But, I had a question on the topic.  I'm managing a handful of Polycom HDX 7000's codecs.  In reading the admin guides and security literature I've found that they have defenses against Man in the middle attacks.  Does defense against MITM attacks also defend against Replay attacks?  I can't find anything specifically addressing Replay attacks through Polycom.  I'm also managing some Cisco SX80's and their literature does specifically address Replay attacks.  Just wondering if it's all sort of the same boat?  Thanks in advance for any info!
    · Share on FacebookShare on Twitter
Sign In or Register to comment.