Nanaki (banned) (Member, Akron, OH, joined 2002-01-24):

Curiosity: what if you recorded packets heading for a login and played them back?

What if a person recorded the packets for a bank transaction and login and then played those packets back? I don't see this as a threat vector, but it's just something I got curious about last night as I found an old radio frequency recorder and player I used to play with for my RC car stuff back in the day. What I would do is drive my RC cars around recording the radio waves, then play it back and have the car do the very same actions.

This got me thinking about recording packets, encrypted or otherwise, then playing back those very same packets over the net. Example: let's say I have a PNC bank account. I then run a packet capturing tool to capture all the packets. Now, not even attempting to decrypt them, if I played them back would the bank's server see me as logged in, similar to how my RC car would run a pre-programmed course from the recorded radio waves?

Again, just curiosity here. I'm assuming that the keys would change each time, etc.

Yes, I know I did not actually record the radio waves; I did build the unit used. I recorded the converted signal to the device, then reconverted it to radio waves.

sivran (Premium Member, Irving, TX, joined 2003-09-15):

SSL prevents this from being an attack vector.

It would however work against non-SSL applications.
Nanaki (banned):

Yeah, I don't think anything could come of it attack-wise other than proofs of concept. Mostly, what would be the point? To edit the packets you would have to decrypt them, then re-encrypt and transmit. There are far easier ways to get the result of stealing account info.
Hence why it's more a question of being curious. I had tons of fun with my little black box back in the day. It would also act as a macro device for a wireless keyboard, as it could remotely record them. That was the more nefarious purpose it could be used for. I think I may have made a post here about the dangers of early wireless keyboards because of my little gadget's ability to record keystrokes remotely without software. It was literally a remote hardware key-logger.

What was funny is I made it before the first-gen wireless keyboards hit the market. Then I realized how dangerous the gadget could be and shelved it. It could also record things like walkie-talkies, old cordless phones, baby monitors, etc. Basically anything from 10 MHz to 900+ MHz could be captured by it and played back. What was interesting was putting it near a computer that had a CPU in the same range. You could record the sound from your CPU, memory, video card, etc. It was a lot of beeps and chirping sounds, fairly eerie, with a background of low hissing from mechanical stuff such as fans, etc.

I started fooling with the idea in the mid-90s with dialup modems, recording the tones then playing them back over the phone line. Turns out I was able to, in some cases, log in to my dialup accounts or BBS systems. Fun but mostly useless.

Blackbird (Premium Member, Fort Wayne, IN, joined 2005-01-14):

said by Nanaki:

... I had tons of fun with my little black box back in the day. ... Basically anything from 10 MHz to 900+ MHz could be captured by it and played back. ...

I'm curious... what media did you record the signals on, especially those up in the "900+ MHz" range? Or are you saying that you recorded and played back the detected modulation from the signal?
lawsoncl (Member, Spirit Lake, ID, joined 2008-10-28) to Nanaki:

What you're describing is called a replay attack conducted by a man-in-the-middle, and many older authentication schemes were vulnerable to that. Assuming the website is using HTTPS, then part of the initial negotiation and encrypted channel setup involves information that isn't transmitted over the wire, which an eavesdropper would not know.

dslcreature (Premium Member, Seattle, WA, joined 2010-07-10) to Nanaki:
When recording packets from a conversation with a secure website, part of the secure handshake is a mutual exchange of random data generated by both parties. When you replay a secure conversation, the server will be expecting your response to be based on its *new* set of random data. When it sees *old* data it will ignore you as invalid. The random data is mixed in with the encryption, so you can't just change part of it without invalidating the whole message.

There are usually also safeguards implemented at the application layer, separate from the security layer, where transactions start off by allocating a single-use authorization token that ceases to be valid after its initial use. So even if by some miracle you fool the security system into accepting your replayed message, when the application sees the same message it may reject it as a duplicate. Browsers can normally resend the same request under certain conditions, so most systems that deal with important information have separate safeguards to prevent that from causing trouble.

"Replay attacks" rarely ever work, and certainly not against anything resembling modern security technology, yet sadly I can still think of systems in production use today susceptible in limited ways to just this sort of problem.
19579823 (banned) (Member, joined 2003-08-04) to sivran:

I often wondered the same thing about cable TV and these addressable converters... If you recorded the stream when you ordered a pay channel and then played it back somehow into the box, would you get it again?

Bill_MI (MVM, Royal Oak, MI, joined 2001-01-03) to Nanaki:

Congratulations! You've exactly rediscovered, by your own thought experiment, one of the major parts of a good secure algorithm: defending against a replay attack, as lawsoncl and dslcreature mention. Luckily, those into security have already been-there-done-that.

A problem occurs when someone develops a security system without the complexity needed for all the combinations of vulnerabilities like this. One of the best examples of this is WEP, and I believe a replay attack was a portion of the problems WEP has.
Bill_MI to dslcreature:
said by dslcreature:

"Replay attacks" rarely ever work and certainly not against anything resembling modern security technology yet sadly I can still think of systems in production use today susceptible in limited ways to just this sort of problem.

I recall an old web login where the user password was trivially translated (possibly a weak hash) such that anyone else could easily replay it to become that person. Some logged-in cookies had the same problem. I hope we're way beyond that now.
Nanaki (banned) to 19579823:

At least back in the day they were not encrypted, just scrambled. Basically the signal was taken apart at the source and put back together in a pseudo-random way. Since the box knows the way it was scrambled, it would work, at least pre-digital cable. Recording the signal in today's world would be simple, and playing it back into the box not much harder. Obviously a pretty useless thing to do, as you could have simply recorded the show on VHS. But just because it is useless does not mean it would not be fun to do.
Nanaki (banned) to Bill_MI:

I once, with a partner, hacked a website that we were low-level admins for. We did not have full access, though. But we were able to figure out how to climb over each other to the next highest level of access by figuring out the hash that was shown in the URL for the user's password. It took maybe 2 hours to figure it out and gain full access to not only the chat system but also the server's directory structure, even to the OS level.
HELLFIRE (MVM, joined 2009-11-25) to Nanaki:
said by Nanaki:

What if a person recorded the packets for a banktransaction and log in and then played those packets back?

...as stated before -- »en.wikipedia.org/wiki/Re ··· y_attack

Regards
19579823 (banned) to Nanaki:

Ahhhhhh, I see, thank you for that tidbit!
voxframe (Member, joined 2010-08-02) to Nanaki:

The world of Software Defined Radios makes all of this lots of fun.

"Replay" style attacks have some pretty useful/dangerous applications in the RF world, where encryption and such is still pretty piss poor. Or the ability to properly use that encryption is so costly that it actually doesn't get implemented.

Simple case: the police in our area have what they call a "Crypto" radio system. Well, they got cheap and didn't want to actually pay for the encryption boards. So they normally transmit analog, but when they want "super secret mode" they go digital. But it's a base digital modulation with no actual encryption running on it, since they were too cheap to buy the modules. So you just flip over to a digital decoder (not decrypt!) and voila, there it is.

Blackbird:

said by voxframe:

... Simple case, the police in our area have a "Crypto" radio system they call it. Well they got cheap and didn't want to actually pay for the encryption boards. So they normally transmit analog, but when they want "super secret mode" they go digital, but it's a base digital modulation, with no actual encryption running on it since they were too cheap to buy the modules. So you just flip over to a digital decoder (Not Decrypt!) and voila, there it is.

More than likely, it was the local municipal council that opted for "cheap"... they, not the police, must face the taxpayers at election time. Things like this have traditionally not been procured on the basis of "secure", but instead on the basis of "good enough" - and that based on the opinion of the one council member known to have actually set up his own wireless home-media system, or some "consultant" with slightly better credentials (like the part-time guy who maintains the county police radio net).
Nanaki (banned) to voxframe:

Right, because it is not encryption but digital scrambling. There are lots of methods to scramble, such as splitting the voice channel up into two or more parts and switching those parts around.

In text it would look like the below

thi
bled
s is
scra

Pretty easy to descramble.

In general it is good enough, even for SWAT in the middle of a very hot situation where the target(s) of SWAT might be trying to listen in. Simply put, by the time they can descramble it, it is already over with. After the fact they could not care any less who hears it.
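The chunk-swap scrambler Nanaki sketches above, worked through in text form as an added example (editor's illustration, not code from the thread or from any radio vendor). The message is cut into n equal slices and sent in a fixed swapped order; because the only "secret" is that order, a listener who knows n simply tries all n! orders and keeps the ones that read as language. `WORDS` is a constructed plausibility list standing in for "does this sound like speech", and the message, slice count and swap order are constructed too.

```python
"""Chunk-swap scrambling in text form, and why it is not encryption.

The only secret is the slice order, so descrambling is an n! brute force.
WORDS, the sample message and the swap order are constructed for the demo.
"""
from itertools import permutations
from math import factorial

WORDS = {"this", "is", "scrambled", "text", "radio", "traffic", "swat", "go"}   # constructed


def split_chunks(msg, n):
    """Cut msg into n slices of (nearly) equal length, like time slices of a voice channel."""
    size = -(-len(msg) // n)      # ceiling division so every character lands in a slice
    return [msg[i * size:(i + 1) * size] for i in range(n)]


def scramble(msg, perm):
    """Output slot i carries source slice perm[i]; the receiver needs perm to undo it."""
    chunks = split_chunks(msg, len(perm))
    return [chunks[p] for p in perm]


def descramble(chunks, perm):
    """Inverse of scramble(): what arrived in slot i goes back to position perm[i]."""
    out = [None] * len(perm)
    for slot, src in enumerate(perm):
        out[src] = chunks[slot]
    return "".join(out)


def plausible(text):
    """Crude 'sounds like language' test: every token is a known word."""
    tokens = text.split()
    return bool(tokens) and all(t in WORDS for t in tokens)


def recover(chunks):
    """The listener's attack: try every ordering, keep the (perm, text) pairs that read as language."""
    hits = []
    for perm in permutations(range(len(chunks))):
        text = descramble(chunks, perm)
        if plausible(text):
            hits.append((perm, text))
    return hits


def trials(n):
    """Listener's work factor: n! orderings, e.g. 24 for four slices, 3.6 million for ten."""
    return factorial(n)


if __name__ == "__main__":
    secret_order = (2, 0, 3, 1)                      # the scrambler's fixed swap pattern
    wire = scramble("this is scrambled", secret_order)
    print("on the wire:", wire)
    print("brute force over", trials(len(wire)), "orders ->", recover(wire))
```

With four slices the listener needs at most 24 attempts, which is why Nanaki's "good enough until the situation is over" framing is the right way to think about it: the work factor is tiny compared with a real cipher's key space, and the slices themselves are never hidden, only reordered.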