In a recent pen test, the Windows Packet Editor became our unlikely tool of choice to perform a replay attack.
While testing a web application recently, we observed that it was sending a hash value of the password during login. Since a password is hashed to the same value on each login, we guessed that the application would be vulnerable to password replay attacks. But to show this we had to intercept and modify the data. For HTTP traffic, this is generally done using application proxies like Burp Proxy that we discussed a few weeks ago.
However, we could not use Burp Proxy in this application because it used a Java applet to send the data to a non-HTTP port. The applet established a direct socket connection to the server. The web proxy tool could not capture any data because it did not go via the browser but directly from the applet over the socket, and there was no setting in the applet to route the data through a proxy.
We then took a different approach and decided to use a TCP packet editor such as Windows Packet Editor (WpePro). WpePro allows modification of data at the TCP level. Using WpePro one can select a running process and modify the data it sends before that data reaches the destination.
For testing our application we began by defining a filter in WpePro (filters are defined in WpePro to modify data at TCP level). In the filter the hexadecimal value of an incorrect password was replaced by the value of a correct password. The filter was then applied and WpePro was configured to modify data generated by the applet.
After this, we entered the incorrect password in the application. The applet created a hash of the incorrect password and sent it to the server. WpePro, however, replaced the hash value of the incorrect password with the hash value of the correct password as defined in the filter, and we were logged into the application, proving that it was vulnerable to a real replay attack.
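As an added illustration (not the write-up's own code, nor the tested application's), the following Python shows why the login above was replayable and one way to close the gap: a fixed password hash on the wire is password-equivalent, whereas a per-login server nonce makes any captured or substituted value useless on the next attempt. The user name, password and the SHA-256/HMAC choices are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential store (not from the write-up): username -> SHA-256 of
# the password, hex encoded. The tested application sent such a hash each login.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def client_hash(password: str) -> str:
    """What the applet in the write-up effectively did: hash the password and
    put the fixed hash on the wire. Same password, same bytes, every time."""
    return hashlib.sha256(password.encode()).hexdigest()


def vulnerable_login(username: str, password_hash_hex: str) -> bool:
    """Server side of the static-hash scheme. Because the hash never changes,
    a hash captured or swapped in transit is as good as the password itself."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password_hash_hex)


def issue_challenge() -> bytes:
    """Hardened server: a fresh random nonce for every login attempt."""
    return os.urandom(16)


def client_response(password: str, nonce: bytes) -> str:
    """Hardened client: HMAC over the server nonce, keyed with the password
    hash. The value on the wire differs for every nonce, so an old one fails."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


def challenge_login(username: str, nonce: bytes, response_hex: str) -> bool:
    """Hardened server: recompute the HMAC with the stored hash for the nonce
    it issued. A response recorded under another nonce does not verify."""
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = hmac.new(bytes.fromhex(stored), nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response_hex)


def replay_survives(scheme: str) -> bool:
    """Reuse a value captured from one login against a later login."""
    if scheme == "static":
        return vulnerable_login("alice", client_hash("correct horse"))
    captured = client_response("correct horse", issue_challenge())
    return challenge_login("alice", issue_challenge(), captured)
```

A real server must also remember which nonce it issued and accept it once only; the hardened scheme still leaves the stored hash password-equivalent if the credential store leaks, so salted server-side hashing and TLS on the socket remain separate controls.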
WpePro can be a useful tool for testing thick client applications or web applications that use applets to establish socket connections on non-HTTP ports. There's a lot more about WpePro here.