GIAC
GCIH · Question #175
GCIH Question #175: Real Exam Question with Answer & Explanation
The correct answer is A: Replay. Eve intercepts and stores valid authentication credentials from a live session, then retransmits them later to impersonate Alice - this is a textbook replay attack.
Question
Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping the conversation and keeps the password. After the interchange is over, Eve connects to Bob posing as Alice; when asked for a proof of identity, Eve sends Alice's password read from the last session, which Bob accepts. Which of the following attacks is being used by Eve?
Options
- AReplay
- BFirewalking
- CSession fixation
- DCross site scripting
Explanation
Eve intercepts and stores valid authentication credentials from a live session, then retransmits them later to impersonate Alice - this is a textbook replay attack.
Common mistakes.
- B. Firewalking is a network reconnaissance technique that uses crafted TTL-manipulated packets to map firewall ACL rules; it does not involve capturing or replaying credentials.
- C. Session fixation forces a victim to authenticate using an attacker-supplied session ID, which is distinct from capturing and replaying a password from a previous legitimate session.
- D. Cross-site scripting (XSS) injects malicious client-side scripts into pages viewed by other users to steal data or hijack sessions; it does not describe offline credential capture and retransmission.
Concept tested. Replay attack using intercepted credentials
Reference. https://csrc.nist.gov/glossary/term/replay_attack
Community Discussion
No community discussion yet for this question.