Intercepting Communication
level 1
Connect to a remote host
We can use nc
to connect to the specified address on the port specified.
level 2
Listen for a connection from a remote host
The l
option in nc
allows users to listen on a specified port.
level 3
Find and connect to a remote host
nmap
is a very useful tool that we can use to find open addressees and ports.
After that we just have to connect on the open
level 4
Find and connect to a remote host on a large network
This time we have to scan a /16
so we need to speed up the process.
The T5
flag in nmap
sets the scan speed to insane
which is the fastest available speed.
level 5
Monitor traffic from a remote host
We can use tcpdump
to look at the packets we are receiving.
The A
flag prints out every packet in ASCII.
level 6
level 7
Hijack traffic from a remote host by configuring your network interface
In this level, the host at 10.0.0.4 is communicating with the host at 10.0.02.
We can essentially become 10.0.0.2 so that we now receive those packets.
We have added the address on our eth0
interface.
Now when we receive an ARP who-has
request asking for 10.0.0.2, we can send a is-at
reply with our MAC address.
level 8
Manually send an Ethernet packet
We can use scapy
in order to create and send packets.
We have to change the default fields.
Now that we have the correct fields, we are ready to send the packet.
The remote host is connected to the eth0
interface, so we send the packets out of the eth0
interface.
level 9
Manually send an Internet Protocol packet
We can encapsulate a packet within another packet using the /
separator.
Now we just have to fill the correct fields.
level 10
Manually send a Transmission Control Protocol packet
We have to add another layer of encapsulation, which is TCP.
level 11
Manually perform a Transmission Control Protocol handshake
A TCP handshake is really just a sequence of packets that establishes a secure and reliable connection between two devices.
It includes three packets:
SYN
SYN-ACK
ACK
We have to first send a SYN packet, represented by the S
flag.
Let's look at the response from the host at 10.0.0.3.
As we can see, the response has seq
field set to 3093962236
and the ack
field set to 31338
which is our seq+1
.
So the host at 10.0.0.3 has acknowledged our SYN packet. Now we have to acknowledge theirs by setting our ack
field to 3093962237
which is their seq+1
.
level 12
Manually send an Address Resolution Protocol packet
We need to tell the host at 10.0.0.3 that we have the IP address that they want to talk to. For that we need to send an ARP is-at
response.
Note that ARP encapsulates an Ethernet frame.
The packet fields represent the following:
hwsrc
: Source hardware address. This will be updated in the target's ARP table.psrc
: The IP to be added in the target's ARP table.hwdst
: Destination hardware address.pdst
: Destination where the ARP packet must go.
level 13
Hijack traffic from a remote host using ARP
In this level we have to achieve the same goal as level 7. However, we don't have the ability to add addresses as we are not the net admin.
Therefore we will have to create an ARP packet from scratch and send it to the host on 10.0.0.4.
level 14
Last updated