An attacker can abuse an
authentication protocol susceptible to reflection attack in order to defeat it.
Doing so allows the attacker illegitimate access to the target system, without
possessing the requisite credentials. Reflection attacks are of great concern
to authentication protocols that rely on a challenge-handshake or similar
mechanism. An attacker can impersonate a legitimate user and can gain
illegitimate access to the system by successfully mounting a reflection attack
during authentication.
Attack
Execution Flow
·
The
attacker opens a connection to the target server and sends it a challenge
·
The server
responds by returning the challenge encrypted with a shared secret as well as
its own challenge to the attacker
·
Since the
attacker does not possess the shared secret, he initiates a second connection
to the server and sends it, as challenge, the challenge received from the server
on the first connection
·
The server
treats this as just another handshake and responds by encrypting the challenge
and issuing its own to the attacker
·
The
attacker now receives the encrypted challenge on the second connection and
sends it as response to the server on the first connection, thereby
successfully completing the handshake and authenticating to the server.
Attack Pattern 90
http://capec.mitre.org/data/index.html