This chapter covers replay attacks, a significant threat to network authentication and transaction integrity. Understanding replay attacks is essential for the SY0-701 exam, specifically under Domain 2 (Threats, Vulnerabilities, and Mitigations), Objective 2.3: Summarize various types of attacks. This chapter explains how replay attacks work, their variants, and the key countermeasures—including nonces, timestamps, and sequence numbers—that you need to know for the exam.
Jump to a section
Imagine you write a check to pay a $100 bill. You sign it, date it, and hand it to the payee. Now, suppose that payee takes a photocopy of the signed check. Later, they deposit that photocopy, claiming you owe them another $100. The bank sees your valid signature and processes the payment again. This is a replay attack: the attacker captures a legitimate signed message (the check) and reuses it to perform the same action again. In networking, the 'check' is a captured authentication packet or transaction request. The 'signature' is the cryptographic authentication data. The 'photocopy' is the attacker's retransmission. To prevent this, we add a unique, one-time-use element to each transaction—like a check number or a timestamp. The bank (server) remembers which check numbers have been cashed and rejects duplicates. In security protocols, this is achieved using nonces (numbers used once), timestamps, or sequence numbers. The attacker can copy the message, but without a fresh, unique element, the server knows it's a replay.
What Is a Replay Attack?
A replay attack occurs when an attacker intercepts a valid data transmission and fraudulently repeats or delays it. The attacker does not need to decrypt or alter the captured data; they simply retransmit it to trick the receiver into performing an unauthorized action, such as authenticating a session or authorizing a transaction. Replay attacks exploit the fact that a legitimate message, once captured, can be reused if there is no mechanism to detect its duplication.
Replay attacks are particularly dangerous in authentication protocols. For example, if a user sends a password hash to log in, an attacker who captures that hash can replay it to impersonate the user. Even if the password is never revealed, the hash itself becomes a credential.
How a Replay Attack Works Mechanically
Interception: The attacker places themselves on the communication path (e.g., via ARP spoofing, rogue access point, or network tap) and captures packets using a tool like Wireshark or tcpdump.
Extraction: The attacker identifies the relevant authentication or transaction packet. For example, a Kerberos TGT request or an NTLM authentication exchange.
Retransmission: The attacker sends the captured packet to the target server, often from their own machine, modifying only source IP/MAC if necessary to bypass basic filtering.
Reception: The server processes the packet as if it were new, performing the action requested (e.g., granting access, transferring funds).
Impact: The attacker gains unauthorized access or performs an unauthorized action without needing to know any secrets.
Key Components and Variants
Nonces (Number Used Once) are random or sequential numbers included in a message to ensure freshness. The receiver checks that a nonce has not been seen before. For example, in the Kerberos protocol, the client includes a nonce in the initial request, and the server includes it in the response to prevent replay of the response.
Timestamps are used to limit the validity window of a message. If the message's timestamp is outside an acceptable skew (e.g., ±5 minutes), the receiver rejects it. This requires synchronized clocks, often via NTP.
Sequence Numbers are monotonically increasing counters. The receiver tracks the last sequence number and rejects any packet with a number less than or equal to the last seen. This is common in TCP (sequence numbers) and IPSec (anti-replay window).
Challenge-Response Authentication inherently prevents replay: the server sends a random challenge (nonce), and the client must respond with a cryptographic operation (e.g., hash of challenge + secret). The captured response is useless for a different challenge.
Variants: - Reflection Attacks: The attacker captures a message and sends it back to the sender, tricking the sender into revealing information. - Replay in Cryptographic Protocols: Even encrypted messages can be replayed if the encryption doesn't include a unique identifier. For example, a captured TLS ClientHello with a session ID could be replayed to resume a session, though modern TLS uses session tickets with built-in replay protection.
How Attackers Exploit Replay Attacks
Attackers exploit replay attacks in several scenarios:
Authentication Bypass: Capturing a successful login packet (e.g., HTTP POST with credentials) and replaying it to gain access without knowing the password.
Session Hijacking: Capturing a session cookie or token and replaying it to assume an authenticated session.
Transaction Fraud: Capturing a financial transaction request (e.g., a wire transfer) and replaying it to initiate another transfer.
Kerberos Attacks: Capturing a Kerberos TGT (Ticket Granting Ticket) and replaying it to obtain service tickets. Microsoft's MS14-068 (CVE-2014-6324) was a vulnerability that allowed forging and replaying Kerberos tickets.
Countermeasures and Their Implementation
Nonces:
Used in Challenge-Handshake Authentication Protocol (CHAP) for PPP. The server sends a challenge (nonce), and the client responds with MD5(challenge + password). The server compares with its own calculation.
In Kerberos, the client includes a nonce in the AS-REQ, and the KDC includes it in the AS-REP. This prevents replay of the AS-REP.
Timestamps:
Used in Kerberos authenticators. The client includes a timestamp encrypted with the session key. The server checks that the timestamp is within a small window (default 5 minutes).
Used in NTP authentication (symmetric key) and in some API authentication schemes (e.g., AWS Signature Version 4).
Sequence Numbers:
Used in IPSec ESP and AH. Each packet has a monotonically increasing sequence number. The receiver maintains a sliding window (default 64 packets) and rejects packets with sequence numbers outside the window or already received.
Used in TCP to prevent replay of segments, though TCP's sequence numbers are predictable if the initial sequence number (ISN) is guessed.
Challenge-Response:
Used in CHAP, MS-CHAP, and many VPN protocols.
Example: In EAP-TLS, the server sends a random nonce, and the client signs it with its private key.
Session Tokens with Context:
Include client IP, user agent, or other context in the token so that replay from a different machine fails.
One-Time Passwords (OTP):
Time-based (TOTP) or event-based (HOTP) OTPs are valid only once, making replay useless.
Real Command/Tool Examples
Capturing with tcpdump:
sudo tcpdump -i eth0 -w capture.pcap port 88 or port 389This captures Kerberos (port 88) and LDAP (port 389) traffic for potential replay.
Replaying with Scapy (Python):
from scapy.all import *
packets = rdpcap('capture.pcap')
sendp(packets[0], iface='eth0')This sends the first captured packet onto the network.
Testing replay with netcat:
# On attacker: listen and store
nc -l -p 1234 > captured.bin
# On attacker: replay
nc target 1234 < captured.binStandards and RFCs
RFC 4120 (Kerberos) defines the use of nonces and timestamps for replay protection.
RFC 4303 (IPSec ESP) defines the anti-replay window using sequence numbers.
RFC 5246 (TLS 1.2) uses a random nonce in the ClientHello and ServerHello to prevent replay of handshake messages.
RFC 6238 (TOTP) and RFC 4226 (HOTP) define one-time password algorithms that are inherently replay-resistant.
Attacker intercepts legitimate traffic
The attacker gains a position on the network path between client and server, often through ARP spoofing, setting up a rogue access point, or compromising a switch. Using packet capture tools like Wireshark or tcpdump, they capture all traffic. They filter for specific protocols, such as authentication packets (e.g., Kerberos AS-REQ, NTLM Type 1/2/3, HTTP POST with credentials). The attacker saves these packets to a file for later replay. At this stage, they have not altered any data; they simply have a copy of a valid exchange.
Attacker identifies replayable packet
The attacker examines the captured packets to find one that, when replayed, will grant access or perform an action. They look for packets that contain authentication tokens (e.g., Kerberos TGT, NTLM hash, session cookie) or transaction requests (e.g., HTTP POST to /transfer). They note the source and destination IPs and ports. The attacker may need to modify the source IP to match their own machine if the server checks source addresses. They also check timestamps: if the packet includes a timestamp, the attacker must ensure it is still within the acceptable window or adjust their system clock.
Attacker replays the packet to the target
Using tools like Scapy, hping3, or custom scripts, the attacker sends the captured packet to the target server. They may need to adjust the IP header (source IP) to avoid being filtered by ACLs. The attacker sends the packet from their own machine. The server receives the packet and begins processing it as if it were a new request. If the protocol lacks replay protection, the server will accept the packet and perform the action (e.g., authenticate the session, process a transaction).
Server processes replayed packet
The server checks the packet's format and, if valid, proceeds. For example, if it's a Kerberos AS-REQ, the KDC will generate a TGT and send it back. If it's an HTTP request with a session cookie, the server will validate the cookie and execute the requested action. The server does not detect that this packet is a duplicate because there is no nonce, timestamp, or sequence number check. The attacker then receives the server's response, which may contain new credentials or confirm the action.
Attacker achieves unauthorized access or action
The attacker uses the response from the server (e.g., a TGT, a new session cookie) to impersonate the victim. They can now access resources or perform actions as the victim. The victim may not notice anything unusual, as their own session remains intact. The attacker can continue to replay the same packet multiple times until the server's replay protection kicks in (if any) or until the credentials expire. This step demonstrates the impact: the attacker gains unauthorized privileges without ever knowing the victim's password.
Scenario 1: Kerberos Replay Attack in a Windows Domain
A security analyst monitors Active Directory domain controller logs and sees Event ID 4768 (Kerberos TGT requested) for the same user account from two different source IP addresses within seconds. One IP is the user's workstation; the other is an unknown IP. The analyst suspects a replay attack. They check the Kerberos pre-authentication timestamp: if the timestamp is outside the allowed skew, the KDC should reject it. However, the attacker may have synchronized their clock. The correct response is to enable Kerberos armoring (FAST) and enforce strict timestamp checking. The analyst also implements network segmentation to prevent ARP spoofing. A common mistake is to assume the user's account is compromised and reset the password, but that does not stop replay of already captured TGTs. The analyst must also revoke existing tickets and enforce replay protection mechanisms.
Scenario 2: Replay of OAuth Tokens in a Web Application
A web developer implements OAuth 2.0 for API authentication. They use bearer tokens without nonces or timestamps. An attacker captures an access token via a man-in-the-middle attack on a public Wi-Fi network. The attacker replays the token to access the API and exfiltrate user data. The API server logs show multiple identical requests from different IPs with the same token. The correct response is to implement token binding (e.g., include client IP or use mTLS) and short token lifetimes. The developer should also use OAuth 2.0 Proof Key for Code Exchange (PKCE) to prevent authorization code interception. A common mistake is to rely solely on TLS, which protects against interception but not replay if the attacker already captured the token. The analyst should implement rate limiting and anomaly detection to flag repeated token usage.
Scenario 3: Replay of DNS Queries for Cache Poisoning
An attacker captures a valid DNS query for a legitimate domain and replays it to a recursive resolver, hoping to poison the cache with a forged response. The resolver checks the DNS ID (a 16-bit random number) to match queries and responses. The attacker must guess or capture the correct ID. With a captured ID, they can replay the query and inject a spoofed response. The correct defense is to use DNSSEC (RFC 4033-4035) to authenticate responses and enable source port randomization (RFC 5452) to make replay harder. A common mistake is to rely solely on the DNS ID, which is only 16 bits and can be brute-forced. The analyst should monitor for unusual query/response pairs and enable BIND's rate-limit feature to mitigate replay.
What SY0-701 Tests on Replay Attacks
For Objective 2.3, the exam expects you to:
Define a replay attack and describe its mechanism.
Identify scenarios where replay attacks are possible (e.g., authentication, session hijacking, transaction replay).
Recognize countermeasures: nonces, timestamps, sequence numbers, challenge-response, and one-time passwords.
Understand that replay attacks do not require decryption or modification of the original message.
Know specific protocols that implement replay protection: Kerberos (timestamps, nonces), IPSec (sequence numbers), TLS (random nonces), CHAP (challenge-response).
Common Wrong Answers and Why Candidates Choose Them
"Replay attacks require the attacker to decrypt the packet." Candidates confuse replay with decryption attacks. Replay simply retransmits the captured data as-is; no decryption is needed.
"Using encryption prevents replay attacks." Encryption protects confidentiality, but a replayed encrypted packet is still valid if the receiver decrypts it successfully. Replay protection requires freshness mechanisms, not just encryption.
"A man-in-the-middle attack is the same as a replay attack." MITM involves real-time interception and modification, while replay can be offline and delayed. They are distinct.
"Replay attacks only work against unencrypted traffic." Even encrypted traffic can be replayed if the encryption doesn't include a nonce or timestamp. For example, a replayed TLS handshake could cause a server to resume a session if session tickets are used without proper validation.
Specific Terms and Values for the Exam
Nonce: A number used once; random or sequential.
Timestamp: Must be within a skew (e.g., 5 minutes for Kerberos).
Sequence number: Used in IPSec anti-replay window (default 64 packets).
CHAP: Challenge-Handshake Authentication Protocol; uses challenge-response to prevent replay.
Kerberos: Uses timestamps and nonces; pre-authentication timestamp is encrypted.
IPSec AH/ESP: Anti-replay using sequence numbers.
TLS 1.3: Uses random nonces in ClientHello and ServerHello; also uses session tickets with ticket age to prevent replay.
Common Trick Questions
Question: "An attacker captures a user's login packet and replays it to gain access. What type of attack?" Correct: Replay. Wrong: Pass-the-hash (which involves using a hash to authenticate, not necessarily replay).
Question: "Which mechanism prevents replay attacks?" Correct: Nonces. Wrong: Encryption (confuses confidentiality with integrity).
Question: "What is the best defense against replay attacks in a wireless network?" Correct: Use WPA3 (which includes SAE with anti-replay). Wrong: Use WPA2 (which is vulnerable to replay if TKIP is used).
Decision Rule for Eliminating Wrong Answers
On scenario questions, first identify if the attack involves retransmission of captured data. If the answer mentions decryption, modification, or man-in-the-middle during real-time, it's likely not replay. Look for keywords like "captured", "repeated", "duplicate", "retransmitted". The correct countermeasure will include "nonce", "timestamp", "sequence number", or "challenge-response". If the answer suggests only encryption or hashing, it's wrong.
A replay attack retransmits captured valid data to perform unauthorized actions; no decryption or modification is needed.
Nonces (number used once) are random or sequential values included in messages to ensure freshness.
Timestamps require synchronized clocks and a defined skew (e.g., 5 minutes) to prevent replay.
Sequence numbers provide anti-replay protection in protocols like IPSec, using a sliding window (default 64 packets).
Challenge-response authentication inherently prevents replay by using a server-issued nonce.
Kerberos uses both timestamps and nonces for replay protection; pre-authentication timestamps are encrypted.
IPSec ESP/AH use monotonically increasing sequence numbers with a sliding window to detect duplicates.
TLS 1.3 uses random nonces in the handshake and session ticket age to prevent replay of session resumptions.
One-time passwords (TOTP/HOTP) are valid only once, making replay attacks ineffective.
Encryption alone does not prevent replay; freshness mechanisms must be included in the protocol design.
Common exam wrong answers: confusing replay with MITM, believing encryption prevents replay, or thinking strong passwords stop replay.
These come up on the exam all the time. Here's how to tell them apart.
Nonce-based replay protection
Uses a random or sequential number that is valid only once.
Does not require synchronized clocks.
Receiver must store all used nonces or use a large enough space to avoid collisions.
Common in challenge-response protocols like CHAP and Kerberos.
Provides strong protection against replay if nonces are truly random and unpredictable.
Timestamp-based replay protection
Uses the current time as a freshness indicator.
Requires synchronized clocks (e.g., via NTP) and a defined time skew (e.g., 5 minutes).
Receiver checks if the timestamp is within the acceptable window; no need to store past timestamps.
Common in Kerberos authenticators and AWS Signature Version 4.
Vulnerable to replay if the attacker can manipulate the system clock or if the time window is too large.
Mistake
Replay attacks only work on unencrypted traffic.
Correct
Encrypted traffic can also be replayed if the encryption does not include a unique identifier like a nonce or timestamp. The receiver will decrypt and process the replayed message as valid.
Mistake
A replay attack is the same as a man-in-the-middle attack.
Correct
A MITM attack intercepts and may modify traffic in real time. A replay attack captures traffic for later retransmission, often without the need for real-time interception.
Mistake
Using a strong password prevents replay attacks.
Correct
Replay attacks reuse captured credentials, not the password itself. Even a strong password is vulnerable if its hash or token is captured and replayed.
Mistake
Replay attacks require the attacker to be on the same network segment as the victim.
Correct
The attacker can capture traffic anywhere along the path, including on a remote network via a compromised router or via a VPN tunnel. They do not need to be on the same LAN.
Mistake
Replay attacks are prevented by hashing the message.
Correct
Hashing ensures integrity but does not prevent replay. An attacker can replay the hash along with the message. A nonce or timestamp must be included in the hash to ensure freshness.
A replay attack is a network attack where a valid data transmission is captured and fraudulently repeated or delayed. The attacker does not need to decrypt or modify the data; they simply retransmit it to trick the receiver into performing an unauthorized action, such as authenticating a session or processing a transaction. For example, capturing a login packet and replaying it to gain access without knowing the password. Prevention mechanisms include nonces, timestamps, sequence numbers, and challenge-response protocols.
A nonce (number used once) is a random or sequential value included in a message to ensure freshness. The receiver checks that the nonce has not been used before. If an attacker replays a message, the nonce will already be in the receiver's list of used nonces, and the message will be rejected. Nonces are used in challenge-response protocols like CHAP and in Kerberos. For the exam, remember that nonces do not require synchronized clocks but require storage of used nonces.
A replay attack involves retransmitting a captured packet in its entirety. A pass-the-hash attack specifically uses a captured password hash to authenticate, often by injecting the hash into a local authentication process. While both reuse captured credentials, replay attacks focus on network-level retransmission, while pass-the-hash is a local authentication bypass. On the exam, pass-the-hash is a variant of replay, but they are distinct in implementation.
TLS itself provides replay protection for the handshake by using random nonces (ClientHello.random and ServerHello.random). However, TLS does not inherently protect against replay of application data after the handshake. For session resumption, TLS 1.3 uses session tickets with a ticket age field to prevent replay. In general, replay protection must be built into the application protocol, not just the transport layer.
Yes. If the encryption does not include a freshness mechanism (nonce, timestamp, sequence number), an attacker can replay the encrypted packet. The receiver will decrypt it and process it as valid. For example, a replayed TLS ClientHello could cause a server to initiate a new handshake. However, modern protocols like TLS include random nonces to prevent this. The exam expects you to know that encryption alone is insufficient against replay.
A reflection attack is a type of replay attack where the attacker sends a captured message back to the sender. For example, if a server sends a challenge, the attacker captures it and sends it back to the server, tricking the server into responding to its own challenge. This can be used to bypass authentication if the server trusts its own messages. Reflection attacks are prevented by using different keys for different directions or by including a direction identifier.
Kerberos uses two main mechanisms: timestamps and nonces. The client includes an encrypted timestamp in the authenticator, which the server checks to be within a small time window (default 5 minutes). Additionally, the initial AS-REQ includes a nonce, and the KDC includes that nonce in the AS-REP to prevent replay of the response. Kerberos also uses sequence numbers for session keys. For the exam, know that Kerberos replay protection relies on time synchronization and nonces.
You've just covered Replay Attacks and Prevention — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?