{
	"id": "9a6a1c57-b1aa-46ef-bfaa-f75418f4b709",
	"created_at": "2026-04-06T00:17:46.546316Z",
	"updated_at": "2026-04-10T13:12:50.703478Z",
	"deleted_at": null,
	"sha1_hash": "91b6b9cd58eda3122d7fb9861abef41ca281f891",
	"title": "What is a replay attack?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199579,
	"plain_text": "What is a replay attack?\r\nBy Justin Schamotta\r\nPublished: 2022-10-28 · Archived: 2026-04-05 17:12:45 UTC\r\nIn the story Ali Baba and the Forty Thieves, the robber captain utters “Open Sesame!” to gain entrance to the cave containing the thieves’ stolen goods. After overhearing the phrase, Ali Baba reuses it to open the doorway to the cave himself, thus engaging in a replay attack.\r\nIn computing, a replay attack occurs when transmitted authentication or access control information is intercepted and then re-transmitted to either produce an unauthorized effect or gain unauthorized access.\r\nReplay attacks are listed as entry 294 in the Common Weakness Enumeration (CWE), and described as:\r\n“[A] flaw [that] exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message.”\r\nReplay attacks are particularly concerning because the attacker doesn’t need to decrypt the intercepted messages to trick the receiver into acknowledging them as genuine.\r\nOverview: What is a replay attack?\r\nA replay attack — also known as a playback attack or repeat attack — typically begins with an attacker ‘sniffing’ the stream of small data packets being sent from one IP address to another. Replay attacks are a form of man-in-the-middle attack, with the ‘man’ being the packet sniffer.\r\nhttps://www.comparitech.com/blog/information-security/what-is-a-replay-attack/\r\nPage 1 of 5\r\nWhat are data packets?\r\nWhat might start off as a web page or email is split up into smaller pieces, sent through local networks or the wider internet, and reassembled into the original web page or email upon reaching the intended destination.\r\nWhile they travel through the internet, data packets pass through many traffic control devices, such as switches and routers. At these points, they can be intercepted and analyzed by a packet sniffer — this is a catch-all term for small pieces of software or hardware that can copy data to the attacker’s hard drive for subsequent examination.\r\nThe attacker can set the packet sniffer — also known as a protocol analyzer, packet analyzer, or network analyzer — to filter only packets that contain specific data elements that they are interested in. Wireshark is one of the most popular packet sniffers and is designed for use by legitimate IT professionals for network analysis.\r\nHow much usable data a packet sniffer captures depends on the strength of the network security protocols, but it might include which websites a user visits and what is viewed while there, or the contents and destination of an email. Or it might simply be a password hash.\r\nIn a replay attack, the attacker can make use of both encrypted and unencrypted data.\r\nUnencrypted data\r\nUnencrypted data is the easiest for an attacker to manipulate when captured. Let’s say Brad (B) sends a message to Charles (C) asking for $50. As Charles trusts Brad, he transfers the money. However, an attacker has captured the initial transfer request from Brad and resent it (with altered bank details). Charles again thinks the request is from Brad, so again sends the money, but this time it goes to the attacker’s account.\r\nEncrypted data\r\nWhile capturing encrypted data might not seem particularly useful, it still has value to an attacker. All they need to do is intercept and resend the entire package — message and key — to fool the receiving server into acknowledging them.\r\nSay that person A wishes to log in to a website. They send their authentication data, which might consist of a session ID, login credentials and password hash — all of which are encrypted. If our attacker, person B, intercepts this data and then forwards it on to the intended server, they can sit back and receive whatever information person A’s authentication data has unlocked.\r\nKey elements of a replay attack\r\nReplay attacks typically involve the following stages:\r\nAttacker installs a packet sniffing tool on a network\r\nFiltered data is copied to the attacker’s computer\r\nAttacker either immediately resends packets of interest, or manipulates them and then resends them\r\nAttacker receives a response from the destination server, which now believes the attacker is the originator of the message\r\nExamples of a replay attack\r\nIn September 2022, an offshoot of the Ethereum network — dubbed ETHPoW — suffered a replay attack when attackers duplicated transactions on both ETHPoW and Ethereum chains, enabling them to harvest approximately 200 ETHW.\r\nPrior to this, a Linden Lab vulnerability (CVE-2007-4961) enabled attackers to capture password hashes and replay them to the Second Life authentication server in order to gain entry.\r\nEven Tor has been shown to be susceptible to replay attacks. By hijacking an entry and exit onion router, attackers can copy a packet and send it along. When the packet reaches the now-compromised exit router, it’s rejected as a duplicate. However, this tells the attacker the destination and the source of the message, and negates the supposed anonymity of the connection.\r\nAccording to Microsoft’s Threat Intelligence team, one of the most dangerous financial criminal groups – Octo Tempest – uses replay attacks with harvested tokens to bypass multi-factor authentication.\r\nMicrosoft also describes how attacks conducted by Midnight Blizzard — a Russian state-affiliated hacker group — in 2023 used session replay attacks so that they could gain initial access to cloud resources.\r\nOutside of the online world, replay attacks have been used to compromise chip-on-card and voice recognition systems. They’ve also been successful in tricking car and garage doors into opening.\r\nHow to prevent replay attacks\r\nThere’s no one solution to preventing replay attacks. Instead, you must incorporate several strategies:\r\nCreate random session keys\r\nIn a two-way conversation, sender and receiver should establish a completely random session key. A session key is a random string of characters used as the key in an encryption algorithm, and used only during a particular session. Because it is only valid for the duration of the session, its usefulness to an attacker is limited.\r\nWebsites supporting TLS (transport layer security) generate session keys at the start of any communication session between the client and the server. This occurs during what is known as the TLS handshake.\r\nOne-time passwords\r\nThese are similar to session IDs in that they either expire after initial use, or after a limited period of time. They can be used to authenticate individual transactions, as well as sessions. They are often used by banks to authenticate customers.\r\nTimestamping\r\nYou can timestamp messages to ensure that a particular request can’t be used more than once. Servers will reject messages whose timestamps fall outside an established threshold – which might be a few hundred milliseconds.\r\nThe Kerberos protocol – used by Windows 2000 and later versions – includes the use of time stamps to limit the effectiveness of replay attacks. Messages which are past the “time to live (TTL)” limit are discarded.\r\nA timestamp forms part of a strong digital signature. These are used to confirm that information has originated from the signer and has not been altered. They are essentially encrypted stamps of authentication used for emails or electronic documents.\r\nRepeat messages\r\nInstruct servers to refuse to accept repeat messages. The Windows Communication Foundation (WCF), which provides a framework for building service-oriented applications, uses this type of defense measure. Servers with an updated Replay Cache can limit the number of messages they will accept.\r\nSequencing\r\nBy sequentially numbering legitimate messages, the receiving server can reject packets which don’t arrive in order.\r\nReplay attack FAQs\r\nWhat other methods can attackers use to intercept data?\r\nARP poisoning is a type of cyberattack that abuses weaknesses in the Address Resolution Protocol (ARP) to redirect network traffic. It can be used to initially capture the data for a replay attack, but will only work with networks using ARP.\r\nARP is designed to translate between Media Access Control (MAC) addresses (at the data link layer) and IP addresses (at the network layer). It lets devices on a network find out which devices are assigned particular IP addresses. The results are stored and used to create a list of current MAC-to-IP mappings.\r\nAny device on the network can answer an ARP request, so an attacker who wants to attack computer A can respond to an ARP request with their own device’s IP address, thus poisoning the ARP cache with a false entry. Traffic sent to the original IP address is now steered to the attacker’s device, where they can initiate a replay attack.\r\nCan I detect packet sniffers on my network?\r\nIf packet sniffing software has been installed on a device within your network, then yes. To work to its full potential, the packet sniffing software requires that the host computer’s network interface controller is set to ‘promiscuous mode’.\r\nThis means that it can pick up all network traffic rather than just that sent to its MAC address. However, this can be detected by sending a Ping with the right IP address, but the wrong MAC address, for each computer on the network.\r\nUnfortunately, most attackers will implement a packet sniffer as a stand-alone device that acts as a test access point (TAP) for the network. These are designed to be undetectable.\r\nWhat is a password hash?\r\nReplay attacks can involve the forwarding of captured password hashes – but what exactly are these?\r\nPassword hashing involves putting a password through a one-way encryption algorithm that transforms it into a random string of numbers and letters with a fixed length. The most common algorithm used to do this is the SHA (Secure Hash Algorithm).\r\nThe current standard in use is SHA-2, which is a family of two hash functions with differing word sizes: SHA-256 uses 32-bit words where SHA-512 uses 64-bit words.\r\nWebsites and apps never store passwords in their original plain text format (or at least they shouldn’t). Instead, they just store the encrypted hashes of passwords. When you type in your password on a login page, the text is hashed and compared with the original password hash stored on the server. If the two hashes match, the user is logged in.\r\nWithout proper precautions, a replay attack can occur in which an encrypted hash is intercepted and sent again by the attacker, granting them access to the victim’s account.\r\nSource: https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/"
	],
	"report_names": [
		"what-is-a-replay-attack"
	],
	"threat_actors": [
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91b6b9cd58eda3122d7fb9861abef41ca281f891.pdf",
		"text": "https://archive.orkl.eu/91b6b9cd58eda3122d7fb9861abef41ca281f891.txt",
		"img": "https://archive.orkl.eu/91b6b9cd58eda3122d7fb9861abef41ca281f891.jpg"
	}
}