CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [43]
FIGURE 2.3 A spoofing attack during logon
If communication between the server and user continues, what’s the harm of the software? The answer lies in whatever else the software is doing. The man-in-the-middle software may be recording information for someone to view later, altering it, or in some other way compromising the security of your system and session.
A man-in-the-middle attack is an active attack. Something is actively intercepting the data and may or may not be altering it. If it’s altering the data, the altered data masquerades as legitimate data traveling between the two hosts.
Figure 2.4 illustrates a man-in-the-middle attack. Notice how both the server and client assume that the system they’re talking to is the legitimate system. The man in the middle appears to be the server to the client, and it appears to be the client to the server.
In recent years, the threat of man-in-the-middle attacks on wireless networks has increased. Because it’s no longer necessary to connect to the wire, a malicious rogue can be outside the building intercepting packets, altering them, and sending them on. A common solution to this problem is to enforce a secure wireless authentication protocol such as WPA2.
FIGURE 2.4 A man-in-the-middle attack occurring between a client and a web server
An older term generically used for all man-in-the-middle attacks was TCP/IP hijacking. TCP/IP hijacking is addressed in detail later in this chapter.
Replay Attacks
Replay attacks are becoming quite common. They occur when information is captured over a network. A replay attack is a kind of access or modification attack. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture the information and replay it later. This can also occur with security certificates from systems such as Kerberos: The attacker resubmits the certificate, hoping to be validated by the authentication system and to circumvent any time sensitivity.
Figure 2.5 shows an attacker presenting a previously captured certificate to a Kerberos-enabled system. In this example, the attacker gets legitimate information from the client and records it. Then, the attacker attempts to use the information to enter the system. The attacker later replays the information to gain access.
FIGURE 2.5 A replay attack occurring
If this attack is successful, the attacker will have all the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session identifier and a time stamp: If the certificate has expired, it will be rejected and an entry should be made in a security log to notify system administrators.
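As an added example (not from the study guide), the following server-side check applies the two defenses the paragraph names, a unique session identifier and a time stamp: a token that has expired or has already been presented is rejected and a log entry is recorded for administrators. The token layout, the validity window and all names are assumptions.

```python
# Replay check for presented credentials (added example, not the book's code).
# A token is assumed to be a dict with a unique 'session_id' and a 'timestamp'.
import time

MAX_AGE_SECONDS = 300   # assumed validity window for a presented token
seen_tokens = {}        # session_id -> timestamp of tokens already accepted
security_log = []       # entries an administrator would review


def _log(now, message):
    security_log.append(f"{int(now)} {message}")


def validate_token(token, now=None):
    """Return (accepted, reason) for a token presented at time `now`."""
    now = time.time() if now is None else now
    session_id = token.get("session_id")
    issued_at = token.get("timestamp")

    if session_id is None or issued_at is None:
        _log(now, "rejected: malformed token")
        return False, "malformed"

    # Forget identifiers that have aged out; the expiry check below already
    # rejects them, so the replay cache stays bounded to one window.
    for sid, ts in list(seen_tokens.items()):
        if now - ts > MAX_AGE_SECONDS:
            del seen_tokens[sid]

    # Time sensitivity: a stale capture is rejected even if it was once valid.
    if now - issued_at > MAX_AGE_SECONDS:
        _log(now, f"rejected: expired token {session_id}")
        return False, "expired"

    # Uniqueness: within its window a token may be presented only once.
    if session_id in seen_tokens:
        _log(now, f"rejected: replayed token {session_id}")
        return False, "replayed"

    seen_tokens[session_id] = issued_at
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: a fresh token, the same token resubmitted, a stale one.
    t0 = 1_700_000_000
    fresh = {"session_id": "sess-42", "timestamp": t0}
    print(validate_token(fresh, now=t0 + 5))    # (True, 'accepted')
    print(validate_token(fresh, now=t0 + 10))   # (False, 'replayed')
    stale = {"session_id": "sess-7", "timestamp": t0 - 3600}
    print(validate_token(stale, now=t0))        # (False, 'expired')
    print(security_log)
```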
Password-Guessing Attacks
Password-guessing attacks occur when an account is attacked repeatedly. This is accomplished by utilizing applications known as password crackers, which send possible passwords to the account in a systematic manner. The attacks are initially carried out to gain passwords for an access or modification attack. There are two types of password-guessing attacks:
Brute-force attack A brute-force attack is an attempt to guess passwords until a successful guess occurs. This type of attack usually occurs over a long period. To make passwords more difficult to guess, they should be much longer than two or three characters (six should be the bare minimum) and complex, and accounts should be protected by password lockout policies.
Dictionary attack A dictionary