CAPEC-65: Sniff Application Code

Description
An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.
Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

Severity :

High

Possibility :

Low

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-37: Retrieve Embedded Sensitive Data Retrieve Embedded Sensitive Data CAPEC-157: Sniffing Attacks Sniffing Attacks
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The attacker must have the ability to place themself in the communication path between the client and server.
  • The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.
  • The attacker must be able to employ a sniffer on the network without being detected.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ an adversary-in-the-middle attack (CAPEC-94), the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Network Sniffing
Resources required

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-311: Missing Encryption of Sensitive Data

CWE-318: Cleartext Storage of Sensitive Information in Executable

CWE-319: Cleartext Transmission of Sensitive Information

CWE-693: Protection Mechanism Failure

Visit http://capec.mitre.org/ for more details.