A technique for attacking or gaining improper access to a network. Remote client impersonation takes place when a third party monitors traffic on a network by using a packet sniffer or software such as Microsoft Network Monitor, captures a connection during the user authentication process, extracts the authentication parameters (such as username, password, and domain) from the captured frames, and then takes control of the authenticated connection.
A similar hacking technique called a replay attack takes place when a third party monitors traffic on a network, captures a connection during the authentication process, and then plays back the client’s captured response to obtain a new authenticated connection.
Authentication schemes in which the user’s password is transmitted in clear text, such as the Password Authentication Protocol (PAP) supported by most Point-to-Point Protocol (PPP) services, are most susceptible to remote client impersonation and replay attacks. More secure PPP authentication schemes, such as the Challenge Handshake Authentication Protocol (CHAP) or the Microsoft version of that protocol (MS-CHAP), are preferable. CHAP guards against remote client impersonation by using the user’s password to create an encrypted hash of a challenge string instead of passing the actual password during the authentication process. It protects against replay attacks by using a different, arbitrarily selected challenge string for each authentication attempt.
To access secured resources on Internet Web sites hosted by Internet Information Services (IIS), be sure that Basic Authentication is disabled on the server and that sensitive documents are located on NTFS volumes with suitable permissions configured.