From the course: CompTIA Security+ (SY0-701) Cert Prep

Eavesdropping attacks

From the course: CompTIA Security+ (SY0-701) Cert Prep

Start my 1-month free trial

Eavesdropping attacks

- [Instructor] If an attacker is able to gain physical or logical access to a network, they may be able to eavesdrop on communications between two systems on that network. These attacks can be especially dangerous if the attacker is able to decrypt encrypted communications and view confidential information without the center's knowledge or consent. All eavesdropping attacks requires some compromise of the communication path between a client and a server. This might include tapping into a network device or cable, or conducting a DNS or ARP poisoning attack to trick a system into sending traffic directly to the attacker instead of the intended recipient. In a moment, we'll take a look at a few different types of eavesdropping attacks, but before we do that, here's just a quick reminder of how web communications take place. A user running a web browser initiates a connection to a server located somewhere off in a data center, but the reality is that these communications travel over many different network connections along the way. Any one of the devices in the middle represents a possible point where an eavesdropper might listen in on that communication. Encryption, such as that used with https, prevents any of these intermediate devices from viewing or altering the communication. Since simple eavesdropping is easily defeated by encryption, attackers can use the man-in-the-middle attack to step up their game a bit. In this attack, the attacker tricks the sending system during the initial communication. This might be done by reconfiguring a network device or using DNS or ARP poisoning. Instead of establishing communications with a legitimate server, the user then connects directly to the attacker. The attacker in turn connects to the legitimate server, the user authenticates to the fake server set up by the attacker, and the attacker acts as a relay, the man in the middle, and can view all of the communications that take place between the client and the server. The attacker receives requests from the user, passes them onto the server, and then receives the real responses, reads them, and then replays them to the original user, who has no idea that there is a man in the middle intercepting those communications. A man-in-the-browser attack is a variation on the man-in-the- middle attack where the attacker compromises the user's web browser or a browser plugin to gain access to web communications. Together, man-in-the-middle attacks and man-in-the-browser attacks are described as on-path attacks because the attacker is on the path between the user and the service. If the attackers have the ability to capture network traffic, they may also be able to conduct a replay attack. A replay attack uses previously captured data such as an encrypted authentication token to create a separate connection to the server that's authenticated, but does not involve the real end user. If the attacker can resend the authentication sequence without the remote system noticing that as being replayed, the attacker can then use those credentials for his or her own purposes. In a replay attack, the attacker typically cannot see the actual credentials, but only has the encoded version of them available. Fortunately, replay attacks are defeated by using a simple session token or through the use of timestamps. Each session established with a remote system should use a new token that is chosen randomly and has a limited lifespan suitable to the length of time that the authenticated session should last, then when the attacker tries to replay that token, it's already expired and not valid. Timestamps work in a similar way by relying upon both systems, having their system time set properly to ensure that the packets they were sending were sent during a similar time window. Replay attacks can succeed during that short time window, but attacks at a later time will be rejected. Finally, SSL stripping is a variation on eavesdropping attacks and an SSL stripping attack. An attacker who has the ability to view a user's encrypted web communication exploits a vulnerability to trick the user's browser into reverting to unencrypted communications that can be easily viewed. You can imagine this as stripping the SSL or TLS protection off of the communication, exposing it to prying eyes.

Contents