Name | Sniff Application Code
Likelihood of attack | Low
Typical severity | High

Summary
An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server. |
Prerequisites |
The attacker must have the ability to place themself in the communication path between the client and server. The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts. The attacker must be able to employ a sniffer on the network without being detected. |
Execution Flow

| Step | Phase | Description | Techniques |
| --- | --- | --- | --- |
| 1 | Explore | [Set up a sniffer] The adversary sets up a sniffer in the path between the server and the client and watches the traffic. | The adversary sets up a sniffer in the path between the server and the client. |
| 2 | Exploit | [Capturing Application Code Bound During Patching] The adversary knows that the computer/OS/application can request new applications to install, or that it periodically checks for an available update. The adversary loads the sniffer set up during the Explore phase and extracts the application code from the subsequent communication. The adversary then proceeds to reverse engineer the captured code. | The adversary loads the sniffer to capture the application code bound during a dynamic update. The adversary then proceeds to reverse engineer the captured code. |
Solutions
- Design: Encrypt all communication between the client and server.
- Implementation: Use SSL, SSH, SCP.
- Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.
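The two defensive controls above (encrypt the update channel; check hosts for a sniffer) as a worked example. This is added illustration code, not part of the CAPEC entry: an update client that refuses to fetch code over anything but verified TLS, plus a parser that flags interfaces in promiscuous mode from `ip -o link show` style output. The update URL, interface names and MAC addresses are constructed sample values.

```python
import ssl
import urllib.request
from urllib.parse import urlparse

# Only encrypted transports are acceptable for fetching code the client will run.
# Plain http:// or ftp:// would let a passive sniffer capture the update bytes.
ALLOWED_SCHEMES = {"https"}


def check_update_url(url: str) -> bool:
    """Return True only if the update/patch URL uses an encrypted transport."""
    parsed = urlparse(url)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def make_update_tls_context() -> ssl.SSLContext:
    """TLS context that verifies the server certificate and hostname (TLS >= 1.2)."""
    ctx = ssl.create_default_context()  # loads the system CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_enforces_verification(ctx: ssl.SSLContext) -> bool:
    """Sanity check used before any update download is attempted."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def fetch_update(url: str, timeout: float = 30.0) -> bytes:
    """Download update code, failing closed if the transport is not encrypted."""
    if not check_update_url(url):
        raise ValueError(f"refusing to fetch code over unencrypted transport: {url}")
    ctx = make_update_tls_context()
    if not context_enforces_verification(ctx):
        raise RuntimeError("TLS context does not enforce certificate verification")
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


# Operational check: an interface carrying the PROMISC flag is accepting frames
# not addressed to it, which is what a host-based sniffer needs.
PROMISC_FLAG = "PROMISC"


def promiscuous_interfaces(ip_link_output: str) -> list:
    """Parse one-line-per-interface `ip -o link show` output; return names in promiscuous mode."""
    found = []
    for line in ip_link_output.splitlines():
        # Expected shape: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
        parts = line.split(":", 2)
        if len(parts) < 3:
            continue
        name = parts[1].strip().split("@")[0]  # "veth0@if5" -> "veth0"
        start, end = parts[2].find("<"), parts[2].find(">")
        if start == -1 or end == -1 or end < start:
            continue
        flags = parts[2][start + 1:end].split(",")
        if PROMISC_FLAG in flags:
            found.append(name)
    return found


# Constructed sample output (not captured from a real host).
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT "
    "group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP "
    "mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff\n"
    "3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT "
    "group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff\n"
)

if __name__ == "__main__":
    print("https update URL accepted:", check_update_url("https://updates.example.com/patch.bin"))
    print("http update URL accepted:", check_update_url("http://updates.example.com/patch.bin"))
    print("TLS context strict:", context_enforces_verification(make_update_tls_context()))
    print("interfaces in promiscuous mode:", promiscuous_interfaces(SAMPLE_IP_LINK))
```

The interface check only sees sniffers running on the host where it runs; a capture taken on a switch mirror port or an upstream tap leaves no local PROMISC flag, which is why the encryption control is the one that actually protects the code in transit.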
Related Weaknesses

| CWE ID | Description |
| --- | --- |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable |
| CWE-319 | Cleartext Transmission of Sensitive Information |
| CWE-693 | Protection Mechanism Failure |
Related CAPECs

| CAPEC ID | Description |
| --- | --- |
| CAPEC-37 | An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack. |
| CAPEC-157 | In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves. |
Taxonomy: ATT&CK

| Entry ID | Entry Name |
| --- | --- |
| 1040 | Network Sniffing |