Cyber MITM Attack Lab – Demonstration

What the Lab Does

iptables setup (lab2setup.sh): Redirects all outbound TCP traffic to destination port 80 (HTTP) from non-root processes into local port 8080 using a DNAT rule, and drops RST/RST,ACK packets to keep flows alive while we inject/manipulate.
Sniffing (sniffer1.py): Listens on port 8080, extracts the raw HTTP request, prints host/path if recognized, censors any request body containing the keyword frankenstein, and for allowed traffic re-emits the packet to real destination port 80.
Teardown (lab2teardown.sh): Removes all rules so the system returns to its prior state.

The result is a local MITM-like redirection of outbound HTTP requests before they leave the host, enabling inspection or modification.

Packet Flow Overview

User process (browser/curl) initiates GET http://example.com/... (dst port 80).
iptables rule rewrites destination to local :8080 (DNAT).
Sniffer receives packet, parses HTTP method line + Host: header.
If payload contains the censor token frankenstein → block & log [CENSORED].
Else, craft a new packet: same IP src/dst, same TCP seq/ack/options, but destination port changed back to 80; recompute checksums; send.
Log success Your packet has been forwarded to port 80.

Example Console Output

[HTTP] example.com/books
Your packet has been forwarded to port 80
[HTTP] example.com/search?q=novel
[CENSORED]
[HTTP] unknown/
No Payload Found

Interactive Simulation (Client-Side)

This JavaScript demo mimics only the decision logic (it does not perform real network interception).

Output will appear here…

Key Code Concepts

sniff(filter="tcp and port 8080") restricts capture to the redirected flow.
http_info() manually parses method line and headers without a full HTTP parser.
CENSOR constant scans raw payload bytes before forwarding.
Reconstruction keeps sequence/ack values to maintain TCP state – only destination port changes.
del new_pkt[IP].chksum and del new_pkt[TCP].chksum force Scapy to recompute checksums.

Limitations / Next Steps

No handling of response packets (one-way demonstration).
No TLS interception; applies only to plaintext HTTP.
Keyword match is simplistic (raw substring, not tokenized).
Does not reassemble segmented TCP payloads (assumes request fits in one packet).

Possible extensions: add TCP stream reassembly, log to file with timestamps, bidirectional proxying, richer content filtering rules, or upgrade to a transparent proxy.

How to Run the Real Lab

Install dependencies (once): pip3 install scapy
As root, apply iptables rules: sudo ./lab2setup.sh
Run the sniffer: sudo python3 sniffer1.py
In a separate terminal (non-root), make HTTP requests to trigger behavior:
- Forwarded example (no body → may log No Payload Found):
  curl http://example.com/books
- Forwarded example with body (allowed):
  curl -X POST -d "q=hello" http://example.com/search
- Censored example (body contains frankenstein):
  curl -X POST -d "q=frankenstein" http://example.com/search
Observe console output in the sniffer window.
Stop with Ctrl+C; optional cleanup: sudo ./lab2teardown.sh.

Notes: The DNAT rule targets non-root processes only; run your test curl commands without sudo. This lab inspects plaintext HTTP on port 80; HTTPS is not intercepted.