Description
An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component, or any such interaction where the client is authorized to communicate with the server.
Attack Execution Flow
Step 1
Explore: [Set up a sniffer] The adversary sets up a sniffer in the path between the server and the client and watches the traffic.
Attack Techniques
- The adversary sets up a sniffer in the path between the server and the client.
Step 2
Exploit: [Capturing Application Code Bound During Patching] The adversary knows that the computer/OS/application can request new applications to install, or that it periodically checks for an available update. The adversary loads the sniffer set up during the Explore phase and extracts the application code from the subsequent communication. The adversary then proceeds to reverse engineer the captured code.
Attack Techniques
- The adversary loads the sniffer to capture the application code bound during a dynamic update.
- The adversary proceeds to reverse engineer the captured code.
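The exposure this pattern relies on is application code crossing the network where an on-path observer can read it. The following is an added example, not part of the CAPEC entry: a small audit helper a security team can run over its own update client's transfers (for instance from a TLS-terminating proxy or an instrumented client, which is where the `encrypted` flag comes from) to flag executable or installer payloads delivered in cleartext. All URLs, hostnames and HTTP responses below are constructed samples; the function and class names are this example's own.

```python
"""Audit helper: flag application code that an update channel delivers in the clear.

Added example, not CAPEC text. It parses raw HTTP/1.1 responses (constructed
samples below) and reports those that carry executable or installer content
without transport encryption, i.e. exactly the exposure a passive sniffer
exploits. Names and sample data are hypothetical.
"""
from dataclasses import dataclass

# Leading bytes of common executable/installer formats (well-known public values).
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP-based package (jar/apk/msix)",
    b"\xd0\xcf\x11\xe0": "OLE compound file (msi)",
    b"#!": "script with interpreter line",
}

# Content-Type values that signal code rather than data.
CODE_CONTENT_TYPES = (
    "application/octet-stream",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
    "application/java-archive",
    "application/x-sh",
    "application/javascript",
)


@dataclass
class Finding:
    url: str
    severity: str  # "high" = code in the clear, "info" = code but encrypted, "none"
    reason: str


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP response")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def looks_like_code(headers, body):
    """Return a short reason if the response carries code, else None.

    The body check catches payloads served under a misleading Content-Type
    (e.g. text/html), which the header check alone would miss.
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in CODE_CONTENT_TYPES:
        return f"content-type {ctype}"
    for magic, name in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return name
    return None


def audit_update_transfer(url, raw_response, encrypted):
    """Classify one observed update transfer as high / info / none."""
    _status, headers, body = parse_http_response(raw_response)
    why = looks_like_code(headers, body)
    if why is None:
        return Finding(url, "none", "no executable content detected")
    if encrypted:
        return Finding(url, "info", f"{why}; delivered over TLS")
    return Finding(url, "high",
                   f"{why}; delivered in cleartext, readable by any on-path sniffer")


# Constructed sample transfers (hypothetical hosts, not captured traffic).
SAMPLE_TRANSFERS = [
    ("http://updates.example.test/agent-2.1.exe",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     b"Content-Length: 6\r\n\r\nMZ\x90\x00\x03\x00",
     False),
    ("https://updates.example.test/agent-2.1.exe",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     b"Content-Length: 6\r\n\r\nMZ\x90\x00\x03\x00",
     True),
    ("http://updates.example.test/manifest.json",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"version\": \"2.1\"}",
     False),
]


def run_audit(transfers=SAMPLE_TRANSFERS):
    """Audit every transfer and return the list of findings."""
    return [audit_update_transfer(u, r, e) for u, r, e in transfers]


if __name__ == "__main__":
    for f in run_audit():
        print(f.severity.upper(), f.url, "-", f.reason)
```

A "high" finding means the update client is fetching code in a form any passive observer on the path can copy, which is the precondition for both steps of the flow above; moving that transfer to an encrypted channel downgrades it to "info". The "info" findings are still worth keeping, because a client that depends on its code staying secret remains weak once that code reaches the endpoint.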