CWE-294
AllowedAuthentication Bypass by Capture-replay
Abstraction: Base · Status: Incomplete
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
342 vulnerabilities reference this CWE, most recent first.
GHSA-HHQ4-97C2-P447
Vulnerability from github – Published: 2026-04-02 20:59 – Updated: 2026-05-06 02:40Summary
Zalo webhook replay cache cross-target messageId scope bypass
Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
4d038bb242c11f39e45f6a4bde400e5fd42e4ebf— 2026-03-31T19:33:57+09:00
Release Process Note
- The fix is already present in released version
2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @smaeljaish771 for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41402"
],
"database_specific": {
"cwe_ids": [
"CWE-294",
"CWE-706"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T20:59:11Z",
"nvd_published_at": "2026-04-28T19:37:43Z",
"severity": "LOW"
},
"details": "## Summary\nZalo webhook replay cache cross-target messageId scope bypass\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` \u2014 2026-03-31T19:33:57+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.",
"id": "GHSA-hhq4-97c2-p447",
"modified": "2026-05-06T02:40:21Z",
"published": "2026-04-02T20:59:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41402"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass"
}
GHSA-HJCG-4H7X-VMJ6
Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-18 00:01A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.
Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)
{
"affected": [],
"aliases": [
"CVE-2022-22806"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-09T20:15:00Z",
"severity": "CRITICAL"
},
"details": "A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.\n\nAffected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)",
"id": "GHSA-hjcg-4h7x-vmj6",
"modified": "2022-03-18T00:01:28Z",
"published": "2022-03-10T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22806"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJQG-7WQ4-XVWX
Vulnerability from github – Published: 2024-04-19 18:31 – Updated: 2024-07-03 18:36An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages.
{
"affected": [],
"aliases": [
"CVE-2023-47435"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-19T18:15:08Z",
"severity": "CRITICAL"
},
"details": "An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages.",
"id": "GHSA-hjqg-7wq4-xvwx",
"modified": "2024-07-03T18:36:13Z",
"published": "2024-04-19T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47435"
},
{
"type": "WEB",
"url": "https://github.com/blinkfox/hexo-theme-matery/issues/897"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWJ7-FRGJ-7829
Vulnerability from github – Published: 2023-03-21 06:30 – Updated: 2023-03-23 16:30Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/answerdev/answer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1537"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-21T22:32:10Z",
"nvd_published_at": "2023-03-21T05:15:00Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6.",
"id": "GHSA-hwj7-frgj-7829",
"modified": "2023-03-23T16:30:20Z",
"published": "2023-03-21T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1537"
},
{
"type": "WEB",
"url": "https://github.com/answerdev/answer/commit/813ad0b9894673b1bdd489a2e9ab60a44fe990af"
},
{
"type": "PACKAGE",
"url": "https://github.com/answerdev/answer"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/171cde18-a447-446c-a9ab-297953ad9b86"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Answer vulnerable to Authentication Bypass by Capture-replay"
}
GHSA-HWMR-XJ5R-936P
Vulnerability from github – Published: 2026-03-29 15:30 – Updated: 2026-03-29 15:30OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
{
"affected": [],
"aliases": [
"CVE-2026-32987"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-29T13:17:02Z",
"severity": "CRITICAL"
},
"details": "OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.",
"id": "GHSA-hwmr-xj5r-936p",
"modified": "2026-03-29T15:30:19Z",
"published": "2026-03-29T15:30:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32987"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J56C-WPQM-H24X
Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 20:18Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T20:18:47Z",
"nvd_published_at": "2026-04-09T22:16:30Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.",
"id": "GHSA-j56c-wpqm-h24x",
"modified": "2026-04-10T20:18:47Z",
"published": "2026-04-10T00:30:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants",
"withdrawn": "2026-04-10T20:18:47Z"
}
GHSA-J6M4-4C94-5XFW
Vulnerability from github – Published: 2024-01-11 21:31 – Updated: 2024-01-19 15:30The remote keyless system of the Hozard alarm system (alarmsystemen) v1.0 sends an identical radio frequency signal for each request, which results in an attacker being able to conduct replay attacks to bring the alarm system to a disarmed state.
{
"affected": [],
"aliases": [
"CVE-2023-50128"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-11T21:15:10Z",
"severity": "MODERATE"
},
"details": "The remote keyless system of the Hozard alarm system (alarmsystemen) v1.0 sends an identical radio frequency signal for each request, which results in an attacker being able to conduct replay attacks to bring the alarm system to a disarmed state.",
"id": "GHSA-j6m4-4c94-5xfw",
"modified": "2024-01-19T15:30:18Z",
"published": "2024-01-11T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50128"
},
{
"type": "WEB",
"url": "https://www.secura.com/services/iot/consumer-products/security-concerns-in-popular-smart-home-devices"
},
{
"type": "WEB",
"url": "http://hozard.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J7R7-7QMF-XQ87
Vulnerability from github – Published: 2025-10-29 15:31 – Updated: 2025-11-05 20:51Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache.
This allows attackers able to obtain information about the SAML authentication flow between a user’s web browser and Jenkins to replay those requests, authenticating to Jenkins as that user.
SAML Plugin 4.583.585.v22ccc1139f55 implements a replay cache that rejects replayed requests.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.583.585.v22ccc1139f55"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64131"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-29T22:03:43Z",
"nvd_published_at": "2025-10-29T14:15:57Z",
"severity": "HIGH"
},
"details": "Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache.\n\nThis allows attackers able to obtain information about the SAML authentication flow between a user\u2019s web browser and Jenkins to replay those requests, authenticating to Jenkins as that user.\n\nSAML Plugin 4.583.585.v22ccc1139f55 implements a replay cache that rejects replayed requests.",
"id": "GHSA-j7r7-7qmf-xq87",
"modified": "2025-11-05T20:51:56Z",
"published": "2025-10-29T15:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64131"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/saml-plugin/commit/6170b1013daf52770de29a66aeb57893aae1d7d6"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/saml-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3613"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/29/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins SAML Plugin does not implement a replay cache"
}
GHSA-JCMP-PHFM-38X8
Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-05-28 18:30Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.
{
"affected": [],
"aliases": [
"CVE-2026-9095"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T17:16:34Z",
"severity": "HIGH"
},
"details": "Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion\u2019s subject, including administrator accounts, without needing the user\u2019s password or MFA credentials.",
"id": "GHSA-jcmp-phfm-38x8",
"modified": "2026-05-28T18:30:32Z",
"published": "2026-05-28T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9095"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/780781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JGVP-6MMR-4MRW
Vulnerability from github – Published: 2026-02-09 15:30 – Updated: 2026-02-09 15:30Crafted delegations or IP fragments can poison cached delegations in Recursor.
{
"affected": [],
"aliases": [
"CVE-2025-59023"
],
"database_specific": {
"cwe_ids": [
"CWE-294"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-09T15:16:10Z",
"severity": "HIGH"
},
"details": "Crafted delegations or IP fragments can poison cached delegations in Recursor.",
"id": "GHSA-jgvp-6mmr-4mrw",
"modified": "2026-02-09T15:30:31Z",
"published": "2026-02-09T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59023"
},
{
"type": "WEB",
"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.
Mitigation
Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.