Intercepting Communication


Intro to Cybersecurity.

Learn various techniques to intercept and manipulate network communication, from connecting to remote hosts to performing man-in-the-middle attacks.


Challenges

From your host at 10.0.0.1, connect to the remote host at 10.0.0.2 on port 31337.

A great way to do this is to use the nc command (pronounced "netcat"), which allows you to open network connections from the command line. For example, to connect to the remote host at 10.0.0.42 on port 4242, you would run:

nc 10.0.0.42 4242

From your host at 10.0.0.1, connect to the remote host at 10.0.0.2 on port 31337, and send the message: Hello, World!.

As before, you'll want to use the netcat command. You'll notice that netcat will hang (i.e., you will not get a shell prompt back), waiting until the connection is closed. You can, as with most hanging processes, kill the process by pressing Ctrl-C.

In this challenge though, you need to send a message to the remote host. If you type that message into the terminal, nothing will immediately happen. That is because your terminal, by default, buffers the input you type until you press Enter! Press Enter after typing your message, and a single packet containing the entire message will be sent to the remote host.

From your host at 10.0.0.1, connect to the remote host at 10.0.0.2 on port 31337, and then shut down the connection.

Sometimes the other side of a connection wants to wait for you to finish sending all of your data before it finishes sending data back to you. Imagine a protocol where the client might need to send lots of data, over a long duration, before the server can respond with some final result. In this case, it might not make sense to pre-establish, as part of the protocol, how much data will be sent in total, because the client might not know at the beginning how much data it will need to send. How can we handle this situation?

One option would be to have the client send a single packet at the end that just says "END". But network packets can be complicated, with no guarantees from the network that they won't be split apart or merged together. Or what if you want to be able to send "END" as part of the data?

Netcat is a simple tool that translates data from standard input into network packets, and, in the other direction, from network packets to standard output. So how do you shut down the network connection in this way with netcat? You do the equivalent file operation: you close standard input! In an interactive terminal session, you can do this by pressing Ctrl-D.

Unfortunately, netcat may not actually do this by default. Review the man page for netcat (man nc) to see if there is any way to configure netcat to shut down the network connection after standard input is closed (EOF).
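The half-close behaviour described above, as an added example that is not part of the original module: a small Python server that reads until the peer signals EOF and only then replies, and a client that sends its data and then shuts down its sending side, which is what closing netcat's standard input is meant to achieve. Everything runs on loopback with constructed data; the function names and the "received N bytes" reply are this example's own, not a protocol from the page.

```python
import socket
import threading


def count_until_eof(listener):
    """Accept one connection, read until the peer signals EOF, then reply.

    The server cannot know in advance how much the client will send, so it
    waits for the client's half-close instead of a sentinel like "END".
    """
    conn, _ = listener.accept()
    with conn:
        total = 0
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # b"" means the peer shut down its send side
                break
            total += len(chunk)
        conn.sendall(f"received {total} bytes\n".encode())


def send_then_half_close(host, port, chunks):
    """Send all chunks, shut down only our sending side, then read the reply."""
    with socket.create_connection((host, port)) as s:
        for chunk in chunks:
            s.sendall(chunk)
        # Equivalent of closing stdin in netcat: the peer sees EOF, but our
        # socket stays open for reading so the server's answer still arrives.
        # Without this line the server above would wait forever.
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return reply.decode()


def demo(chunks=(b"Hello, ", b"World!", b"END")):
    """Run server and client on loopback; note that "END" is ordinary data here."""
    listener = socket.socket()            # constructed loopback setup, no real hosts
    listener.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=count_until_eof, args=(listener,))
    server.start()
    reply = send_then_half_close("127.0.0.1", port, chunks)
    server.join()
    listener.close()
    return reply
```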

From your host at 10.0.0.1, listen on port 31337 for a connection from the remote host at 10.0.0.2.

Once a connection is established, that connection is bidirectional, meaning that both sides can send and receive data. However, to actually establish the connection, one side must listen for incoming connections, and the other side must connect to that listener. This time, unlike before, you are the listener.

Review the man page for netcat (man nc) to see how to listen for incoming connections.

From your host at 10.0.0.1, connect to some unknown remote host on the 10.0.0.0/24 subnet, on port 31337.

Fortunately, there are only 256 possible hosts on this subnet, so you can just try them all!

One simple tool that you can use to help you with this is ping. If you "ping" a host, and it is up, you will get a response; otherwise, ping will time out and warn you that it cannot reach the host.

For example, try pinging yourself:

ping 10.0.0.1

This will continuously keep pinging until you press Ctrl-C to stop it.

You can also try pinging a host that you know is down:

timeout 10 ping 10.0.0.2

This will run ping for (up to) 10 seconds, but you should see ping messages indicating that the host is unreachable before the timeout.

As with most commands, you can also run man ping to see the manual page for ping.

Consider this an opportunity to practice your shell scripting skills! You can of course ping each of the 256 hosts manually, but a for loop might be even easier!

for i in $(seq 10); do
  echo $i
done

From your host at 10.0.0.1, connect to some unknown remote host on the 10.0.0.0/16 subnet, on port 31337.

Now our network is starting to get bigger! There are 65,536 possible hosts on this subnet, so finding the remote host manually would be a real pain. Even a basic for loop processing 10 hosts per second would take over an hour to complete!

We can of course get fancier with our shell scripting (parallelizing, etc.), but for now, let's consider a standard tool designed to help with this kind of task: nmap.

nmap is a powerful network scanning tool that can be used to discover hosts and services on a computer network. You can, for example, scan for which hosts are up (and popular services running on those hosts) on 10.0.0.0/30 with the following command:

nmap 10.0.0.0/30

Within 15 seconds or so, you should see that your host at 10.0.0.1 is up, as expected.

When conducting a network scan, it is important to be aware of the potential impact on the network. Under default settings, nmap tries to be at least somewhat polite and not totally overwhelm a network with tons of packets. Nevertheless, a scan can still cause network congestion or even trigger security alerts. As such, you shouldn't run a network scan on a network that you don't own or have permission to scan!

In this network, it's okay to be a little more aggressive, a little more "rude" with our scanning. You'll want to review the man page for nmap (man nmap) to see how you can speed up the scanning process: you're specifically interested in how many packets are being sent per second. Disabling some of the default scans, such as DNS resolution, can also speed up the scanning process. When in doubt, use -v to see a bit more information about what nmap is currently doing.

Monitor traffic from a remote host. Your host is already receiving traffic on port 31337.

Monitor slow traffic from a remote host. Your host is already receiving traffic on port 31337.

Hijack traffic from a remote host by configuring your network interface. The remote host at 10.0.0.2 is communicating with the remote host at 10.0.0.3 on port 31337.

Manually send an Ethernet packet. The packet should have Ether type=0xFFFF. The packet should be sent to the remote host at 10.0.0.2.

Manually send an Internet Protocol packet. The packet should have IP proto=0xFF. The packet should be sent to the remote host at 10.0.0.2.

Manually send a Transmission Control Protocol packet. The packet should have TCP sport=31337, dport=31337, seq=31337, ack=31337, flags=APRSF. The packet should be sent to the remote host at 10.0.0.2.

Manually perform a Transmission Control Protocol handshake

Manually send an Address Resolution Protocol packet

Hijack traffic from a remote host using ARP

Man-in-the-middle traffic between two remote hosts and inject extra traffic

