HACKDLE — ALL CHALLENGES

You request a password reset for a target account.

The reset token appears in a `Referer` header sent to a third-party resource on the page.

Using the leaked token lets you set a new password without knowing the original.

The token is also short enough to brute-force directly.

Reset flow flaws include predictable tokens, non-expiring links, host header poisoning, and Referer leakage. A perennial top bug bounty class.

You're asked to click a button on a page that looks mostly blank.

Clicking the button performs an action on a completely different site.

An invisible element positioned over the button captured the click.

A transparent iframe loaded the target site beneath the visible decoy.

A transparent iframe overlays an attacker's UI over a legitimate page. Clicks are delivered to the iframe. Prevented by `X-Frame-Options: DENY` or `frame-ancestors 'none'` in CSP.

The app has a ping tool that tests connectivity to a hostname you provide.

The server runs the command and returns the output.

Adding a semicolon after the hostname causes a second command to run.

Appending `; id` returns the server's current user identity in the response.

User input is passed unsanitized to a shell function. Characters like `;`, `|`, `&&`, and `$()` chain additional commands.

An authenticated API returns data to requests from a different origin.

The response includes your session data and user details.

The server reflects any value from the `Origin` request header back as the allowed origin.

An attacker's page silently reads authenticated responses using the victim's session.

Reflecting arbitrary `Origin` values with `Access-Control-Allow-Credentials: true` lets any site read authenticated API responses.

You're logged into a banking app.

Visiting a different site triggers a transfer on your account.

The request came from the attacker's page but carried your session cookie.

The server accepted it because it relies entirely on cookies for authentication.

Forged requests from an attacker's page execute actions on a site where the victim is authenticated. SameSite cookies and per-request tokens are the defenses.

You control a domain and its authoritative DNS resolver.

A victim visits your page and the JavaScript runs in their browser.

You update the domain's DNS to resolve to `127.0.0.1` with a very short TTL.

A second fetch from the same origin now hits `localhost` on the victim's machine.

Attacker-controlled DNS re-resolves to an internal address after the initial visit. The Same-Origin Policy is satisfied because the hostname never changes. Targets local dev servers and routers.

The page changes its content based on what's in the URL fragment.

No network request is made when the content updates.

JavaScript reads from `location.hash` and writes the value into the page.

A payload in the fragment executes without ever reaching the server.

Client-side JavaScript reads a URL source and writes it to a dangerous sink like `innerHTML` or `eval`. The payload never touches the server. Taint tracking tools map source-to-sink flow.

The app exposes a `/graphql` endpoint.

An introspection query returns the full schema including all types and fields.

Fields that appear access-controlled are returned without authentication.

A deeply nested query causes exponential backend work with no rate limiting.

Introspection reveals the entire API schema. Field-level authorization is often absent. Depth and complexity limits prevent query abuse. Clairvoyance maps schemas when introspection is disabled.

You request a password reset for a target account.

The reset email arrives with a link pointing to a domain you control.

The app used the HTTP `Host` header to construct the reset link URL.

Changing the `Host` header causes reset tokens to be delivered to an attacker-controlled server.

The `Host` header constructs URLs server-side without validation. An attacker-controlled value redirects reset tokens. `X-Forwarded-Host` is an alternative vector.

The application sits behind a reverse proxy.

A crafted request causes another user to receive your content.

The frontend and backend interpret HTTP message boundaries differently.

Conflicting `Content-Length` and `Transfer-Encoding` headers cause leftover bytes to be read as a new request.

Differing HTTP parsing between a proxy and backend desynchronizes request streams. CL.TE and TE.CL are the main variants. Discovered by James Kettle at DEF CON 27.

Your profile page URL contains your numeric user ID.

Changing the ID to another value returns a different user's profile.

No error is returned, and private data is included in the response.

The server never checks whether the authenticated user owns the requested resource.

Object references in URLs or API parameters are not validated against the authenticated user. Incrementing an ID returns any user's data.

A cookie contains a base64-encoded serialized object.

Modifying the object causes unexpected server-side behavior when processed.

The server reconstructs a full object from the client-supplied data.

The deserialization process triggers a code execution gadget as a side effect.

Untrusted serialized data is deserialized server-side. ysoserial generates Java gadget chains. PHP exploits `__wakeup` and `__destruct`. Python's `pickle.loads()` executes arbitrary code.

The program accepts a size value before allocating a buffer.

Supplying a very large size results in an unexpectedly small allocation.

Fixed-width integer arithmetic wraps silently past its maximum value.

A bounds check passes on the wrapped value, and the subsequent write overflows the undersized buffer.

`INT_MAX + 1` wraps to `INT_MIN` in C. A tiny allocation is overflowed with the full intended write, corrupting adjacent memory.

Authentication returns a token after login.

Modifying a claim in the token and resubmitting it is still accepted.

The token is three dot-separated base64 segments.

Changing the `alg` field to `none` removes the signature requirement entirely.

JWT signature verification has a flaw: `alg: none` bypass, RS256-to-HS256 confusion, or a weak HMAC secret cracked offline. Tool: jwt_tool.

There's a user-search form connected to Active Directory.

Submitting `*` as the username returns all directory entries.

The input is embedded in an LDAP filter string without sanitization.

A closing parenthesis breaks out of the filter and injects an always-true condition.

User input is concatenated into an LDAP filter. Special characters modify the filter logic, enabling authentication bypass and full directory enumeration.

A `?page=` parameter controls which content loads.

Modifying the parameter causes different server-side files to be included.

The parameter can reference files from the server's own filesystem.

Injecting a PHP payload into the server log and then including the log file achieves code execution.

A PHP `include()` call uses user-controlled input as the file path. Any readable file can be returned. Log poisoning turns this into remote code execution.

User registration happens via a JSON API endpoint.

Adding an extra field to the request body is accepted without error.

The extra field sets a privileged attribute like `isAdmin` on the new account.

The framework bound the entire request body to the model without an allowlist.

Frameworks that auto-map request parameters to model attributes allow setting privileged fields. Prevented by explicit allowlists in strong parameter filtering.

There's a login form backed by MongoDB.

Submitting a specially formatted value bypasses the password check.

The database understands query operators embedded in the input.

Passing `{"$gt": ""}` as the password field matches every document in the collection.

User input is passed directly to a NoSQL query, allowing operator injection. MongoDB's `$gt`, `$where`, and `$regex` are common vectors. NoSQLMap automates exploitation.

The site implements 'Login with Google'.

The authorization code is delivered to an unexpected destination.

A `redirect_uri` parameter specifies where to send the credential after authorization.

Changing `redirect_uri` to an attacker-controlled host sends the code there instead.

An unvalidated `redirect_uri` lets an attacker receive the authorization code. Open redirectors on the registered domain are a common bypass.

A logout link on a trusted site redirects you somewhere unexpected.

The destination is controlled by a `?next=` query parameter.

Changing the parameter redirects the browser to an external domain.

The trusted domain appears briefly in the URL bar before landing on an attacker-controlled page.

An unvalidated redirect parameter constructs the destination URL. Commonly chained with phishing and OAuth token theft.

The app lets you download files via a `?file=` parameter.

Changing the filename returns a different file.

Adding `../` sequences navigates outside the intended directory.

Requesting `../../../../etc/passwd` returns the system password file.

User-controlled input constructs a file path without validation. Dot-dot sequences escape the intended directory. URL encoding bypasses naive filters.

You're fuzzing a JSON API that performs a deep merge operation.

A deeply nested key causes unexpected properties to appear on unrelated objects.

Setting `__proto__[isAdmin]` to `true` grants admin access across the application.

A recursive merge function copies the prototype chain key into `Object.prototype`.

User-controlled keys pollute `Object.prototype`, affecting every object in the runtime. Common in lodash deep merge. Can escalate to RCE in Node.js.

A transfer endpoint lets you send funds between accounts.

Sending many concurrent requests causes the balance to go negative.

The balance check and the deduction are not performed atomically.

Multiple requests pass the check simultaneously before any deduction is recorded.

Time-of-check to time-of-use gap in concurrent request handling. Turbo Intruder removes network jitter. The single-packet attack synchronizes HTTP/2 requests.

You receive a link to a page with a search field.

Your search term appears verbatim in the page that loads.

The term is echoed into the HTML response without escaping.

A `<script>` tag in the query parameter executes when the link is visited.

User input is reflected into the HTML response without sanitization. The payload executes in any browser that visits the crafted URL. Burp Scanner detects these automatically.

A `?page=` parameter controls which content loads.

The parameter accepts an external URL, not just a local filename.

The server fetches and executes whatever is hosted at the address you supply.

Hosting a web shell on your own server and referencing it in the parameter gives remote code execution.

PHP fetches and executes remote files when `allow_url_include` is enabled. The attacker hosts a shell on external infrastructure.

A site uses SAML-based SSO for authentication.

Modifying the identity claim in the assertion is still accepted as validly signed.

The signature covers only part of the XML document.

Moving the signed element in the XML causes the parser to read the unsigned value as the identity.

XML Signature Wrapping repositions the signed element so the signature validates but the parsed identity is attacker-controlled. Tool: SAMLRaider.

There's a search form on the page.

Submitting a single quote causes a database error.

The error message references the query engine and shows the malformed syntax.

Appending `' OR '1'='1'--` returns every record in the table.

Input is concatenated directly into a SQL query. The database executes it, exposing any data the account can reach. `sqlmap` automates full enumeration.

The app has a PDF export feature.

The URL field in the export request is user-controlled.

Supplying an internal address returns a response from inside the network.

Requesting `http://169.254.169.254/latest/meta-data/` returns live cloud credentials.

The server fetches attacker-controlled URLs, exposing internal services and cloud metadata. IMDSv2 and strict egress filtering are the mitigations.

A greeting page reflects your name back into the response.

Submitting `{{7*7}}` returns `49` instead of the literal text.

The server is evaluating your input as a template expression.

Traversing `__class__.__mro__` through the template context reaches `os.popen()`.

User input is rendered inside a server-side template rather than passed as a variable. The template engine executes it. RCE is typically achievable in Jinja2, Twig, and Freemarker.

There's a comment section where other users' posts appear.

Text you submit shows up on the page rendered by other visitors' browsers.

An HTML tag you submit renders as markup, not as escaped text.

A `<script>` tag in the comment field executes in every visitor's browser.

Unescaped user input is stored and rendered as HTML. Every subsequent visitor executes the injected script. BeEF maintains persistent control over hooked browsers.

A company subdomain returns a 'repository not found' error from GitHub Pages.

The DNS record still points to GitHub Pages, but the repository no longer exists.

The platform allows anyone to create a repository matching that name.

Creating the repository gives you full control over what the subdomain serves.

A dangling CNAME to a deprovisioned external service can be claimed by anyone. The attacker registers the resource and now controls the subdomain. Tool: subjack.

A CDN sits in front of the application.

A crafted request causes all subsequent visitors to receive a malicious response.

Your input influenced the response but was not part of the cache key.

An unkeyed header like `X-Forwarded-Host` is reflected into the cached response.

Cache keys omit headers that still affect the response. Poisoning a cached entry delivers the payload to every subsequent visitor. Param Miner finds unkeyed inputs.

A chat app uses WebSocket for real-time messaging.

A page on a different origin can open a connection to the WebSocket endpoint.

The handshake request includes the victim's session cookies automatically.

The server authenticates the connection using cookies without validating the request origin.

WebSocket handshakes include cookies but are not covered by the Same-Origin Policy. Without origin validation, any site can connect as the authenticated user and read messages.

The app accepts an XML file upload and returns processed output.

The response includes content you didn't put in the file.

The parser followed a reference declared in the file's document type definition.

A custom entity pointing to `file:///etc/passwd` returns the file contents in the response.

The XML parser processes external entity declarations and includes their contents in the output. Disabling DTD processing eliminates the attack surface.

The app accepts a zip archive and extracts it server-side.

After extraction, a file appears outside the intended destination directory.

An archive entry's filename contains `../` sequences.

The extraction library writes the file to the path without validating the destination.

Archive entries with path traversal in their names are extracted to arbitrary filesystem locations. Writing to web roots or cron directories achieves code execution.

You're given a compiled binary that accepts input at a prompt.

Supplying a long string causes the program to crash at an unexpected address.

The crash address shifts predictably as you increase the input length.

A cyclic pattern from pwntools identifies the exact offset where the return address is overwritten.

Input exceeds a fixed-size stack buffer and overwrites the saved return address, redirecting execution. Mitigated by stack canaries, ASLR, and NX.

The program calls `free()` on the same pointer in two different code paths.

The second call corrupts the allocator's internal free list.

Future allocations can be directed to attacker-controlled addresses.

The glibc tcache key check must be bypassed to avoid an immediate crash on the second free.

Freeing the same pointer twice corrupts tcache freelists. Bypassing the key check enables arbitrary allocation. House of Botcake is a modern technique. Detected by Valgrind.

The program prints your input back to the terminal.

Entering `%x%x%x` causes it to print unexpected values from the stack.

The input is passed directly as the format string argument to `printf`.

`%n` writes the count of bytes printed to an arbitrary address on the stack.

User input used as a printf format string leaks stack values via `%x` and writes to arbitrary addresses via `%n`. Pwntools' `fmtstr_payload()` automates exploitation.

The binary allocates a buffer on the heap and accepts user input into it.

Crafted input causes a crash in dynamically allocated memory, not on the stack.

Writing past the buffer's end corrupts an adjacent heap chunk's metadata.

Corrupting the free list allows future allocations to be directed to attacker-controlled addresses.

A heap-allocated buffer is written past its end. Corrupting allocator metadata enables arbitrary writes. Techniques include unsafe unlink and House of Force.

An exploit for a heap corruption bug succeeds only intermittently.

The target address is unpredictable due to heap randomization.

Filling memory with many copies of the payload before triggering the bug improves reliability.

The probability that a corrupted pointer lands on controlled data grows with the number of allocations.

The heap is flooded with payloads before the vulnerability fires. A wild pointer reliably hits controlled memory. Classic in browser and PDF reader exploitation.

User-space code reads kernel memory without triggering a fault.

Out-of-order execution performs the read before the access control check completes.

The result is never committed, but it alters the cache in a measurable way.

Cache timing recovers the kernel memory value that was transiently accessed.

Out-of-order execution reads privileged memory before permission checks complete. The cache side-channel leaks the value. Fixed by KPTI. Primarily affects Intel CPUs.

A loop in the binary writes exactly one byte past the end of a buffer.

That byte overlaps with the low byte of an adjacent saved pointer.

Controlling the value of that one byte redirects the pointer into attacker-controlled memory.

Despite only a single byte of overwrite, heap layout manipulation enables full control flow hijacking.

A fencepost error overwrites a single adjacent byte. The low byte of a frame pointer or chunk size field is often enough for full exploitation.

You have a low-privileged shell on a Linux system.

A SUID binary runs commands with elevated permissions.

The binary's behavior can be influenced by environment variables or a writable config.

Exploiting the misconfiguration spawns a shell as root.

Misconfigurations like SUID PATH hijacking, writable cron jobs, or weak sudo rules allow a low-privilege user to gain root. Tools: LinPEAS, WinPEAS.

A binary with NX enabled has a stack overflow.

Injecting shellcode is blocked, but you can still overwrite the return address.

A function that spawns a shell already exists in the linked C library.

With ASLR enabled, a memory leak first reveals the library's base address.

The return address is overwritten with the address of `system()` in libc, `/bin/sh` as the argument. In 64-bit, a gadget sets `rdi` first. Libc-database matches leaked offsets.

A binary with a non-executable stack has a stack overflow.

Injecting shellcode is blocked, but you can still overwrite the return address.

Short instruction sequences ending in `ret` already exist throughout the binary.

Chaining those sequences via a crafted stack achieves arbitrary behavior without any injected code.

Existing code snippets ending in `ret` are chained to build a full exploit. ROPgadget finds them. ret2plt leaks libc base; one_gadget finds a shell. Bypasses NX/DEP.

An unprivileged process flips bits in memory it cannot directly access.

The process never reads or writes the affected address.

Rapidly accessing adjacent DRAM rows causes electrical interference in neighboring cells.

The bit flips cross hardware isolation boundaries between processes.

Rapid DRAM row access causes bit flips in adjacent rows with no software vulnerability required. Google Project Zero demonstrated privilege escalation in 2015. Mitigated by Target Row Refresh in newer DRAM.

The binary accepts input and writes it into a buffer you can later trigger execution of.

The memory region your input lands in is marked executable.

No other exploit primitive is needed -- direct code injection is possible.

Raw machine instructions in your input are executed by the processor.

User-supplied bytes land in executable memory. Classic shellcode spawns `/bin/sh`. Null bytes and bad characters must be avoided. `msfvenom` generates payloads for various architectures.

A process reads memory belonging to another process without triggering a fault.

The CPU speculatively executes a branch before the permission check completes.

The speculative result is discarded, but it leaves a measurable trace in the cache.

Timing the cache reveals the value that was accessed during speculation.

Speculative execution leaves cache side-channel residue. Variants: bounds check bypass (v1), branch target injection (v2). Mitigated by retpoline and microcode updates.

The program crashes when given deeply nested or recursive input.

Each recursive call consumes stack space without releasing it.

The call stack is exhausted before the recursion can unwind.

The crash is reliably reproducible at a fixed recursion depth.

Unbounded recursion or oversized local arrays exhaust the fixed-size call stack. `ulimit -s` controls its size. Visualized with pwndbg's `stack` command.

A privileged program checks a file's permissions before operating on it.

A symbolic link is swapped in for the verified file before the operation executes.

The program acts on the symlink's target instead of the originally checked file.

The privileged process writes to a sensitive system path the attacker couldn't access directly.

`access()` then `open()` on a user-controlled path leaves a window for symlink substitution. Mitigated by `O_NOFOLLOW`. Monitoring tool: `inotifywait`.

A JIT-compiled runtime crashes on specially crafted input.

An object is accessed using the wrong type interpretation.

A field the attacker controls determines which type the engine assumes.

The confusion grants an arbitrary read/write primitive into the engine's memory.

A pointer to one type is treated as another, bypassing safety checks. Common in browser JIT CVEs in V8, SpiderMonkey, and JavaScriptCore. Often leads to full renderer RCE.

The program crashes only after a specific sequence of allocate, free, and access operations.

A freed memory region is accessed again through a pointer that was never cleared.

The freed region has been reallocated by a different object before the stale pointer dereferences it.

Heap grooming places attacker-controlled content into the reallocated region.

A dangling pointer reads or writes freed-then-reallocated heap memory. Critical in browser exploitation. Mitigated by MiraclePtr and memory-safe languages.

You can submit modified ciphertext for decryption.

Flipping a bit in one ciphertext block causes a predictable change in the next plaintext block.

The encryption mode chains blocks so ciphertext modifications propagate into adjacent plaintext.

Flipping the correct bit in the IV changes the first byte of plaintext block 1 to any target value.

CBC ciphertext bit flips cause XOR-predictable changes in the next plaintext block. The IV controls block 1. Fixed by authenticated encryption like AES-GCM.

An encryption oracle always uses the same IV.

Two messages with an identical first block produce identical first ciphertext blocks.

The relationship exposes whether two plaintext blocks are equal.

`C1[0] XOR C2[0] = P1[0] XOR P2[0]` leaks plaintext relationships between messages.

A fixed IV in AES-CBC creates a deterministic ciphertext for any given plaintext block. Identical IV plus identical plaintext block zero always produces identical ciphertext.

You can encrypt chosen plaintext under a fixed key.

Two encryptions of identical input produce identical ciphertext blocks.

The ciphertext reveals structural patterns that mirror the plaintext.

By aligning input at block boundaries, you recover unknown plaintext one byte at a time.

ECB encrypts each 16-byte block independently with no chaining or randomness. Identical plaintext blocks produce identical ciphertext, enabling chosen-plaintext byte recovery.

A file integrity check uses MD5 to verify an uploaded document.

Two different files produce the same hash value.

The hash function's collision resistance has been practically broken.

Submitting the crafted second file passes the integrity check.

`fastcoll` and `hashclash` produce MD5 collisions in seconds. SHAttered demonstrated the first SHA-1 collision in 2017. SHA-256 has no known practical collisions.

An API authenticates requests with `MD5(secret || message)`.

Knowing the hash output and the length of the secret is enough to extend the message.

The hash output exposes the internal state, letting you resume hashing from it.

You can append arbitrary data and produce a valid MAC without knowing the secret.

`H(secret || message)` is vulnerable to extension. Tool: `hashpump`. Fixed by HMAC or using SHA-3/BLAKE2, which don't use the Merkle-Damgard construction.

Two messages were encrypted with the same key and nonce.

XORing the two ciphertexts cancels the shared keystream.

The result is the XOR of the two plaintexts.

Known plaintext in one message allows recovering plaintext from the other.

Reusing a nonce in AES-CTR or ChaCha20: `C1 XOR C2 = P1 XOR P2`. GCM nonce reuse also recovers the authentication key H.

The server decrypts a ciphertext you submit and returns different errors based on the result.

One error indicates invalid padding; another indicates an authentication failure.

Flipping bytes in the ciphertext and observing which error appears lets you recover plaintext one byte at a time.

Each byte is isolated by manipulating ciphertext and checking padding validity.

Distinct errors for 'bad padding' vs 'bad MAC' leak the padding check result. `padbuster` automates CBC+PKCS7 decryption. Fixed by using AES-GCM.

The same message was encrypted with `e=3` and sent to three different recipients.

Collecting all three ciphertexts lets you apply the Chinese Remainder Theorem.

The combined result gives `m^3` without wrapping around any modulus.

Taking the integer cube root of the result recovers the original plaintext.

Hastad's broadcast attack recovers plaintext from three low-exponent ciphertexts via CRT and integer root extraction. Always use OAEP padding.

An endpoint compares a token you supply against a stored secret.

Responses arrive slightly faster when more characters of your guess are wrong.

The comparison exits early at the first mismatch, leaking information through latency.

Statistical analysis over many requests reveals the correct value one byte at a time.

Non-constant-time string comparison leaks secrets through response latency. Fixed by `hmac.compare_digest()`. Also exploited against RSA operations in TLS implementations.

You're given two RSA public key moduli.

Taking their GCD returns a value greater than 1.

The two moduli share a prime factor.

Dividing each modulus by the shared factor immediately yields both private keys.

Shared prime factors allow instant factorization of both keys. Also: Fermat factorization for close primes, Wiener's attack for small private exponents. Tools: RsaCtfTool, factordb.

A binary behaves differently when launched under a debugger.

The program detects the analysis environment and alters its execution path.

Multiple detection methods are layered: API calls, timing checks, and exception handling.

Each check must be located and patched or hooked before reaching the protected logic.

`IsDebuggerPresent`, ptrace detection, and timing deltas are common methods. ScyllaHide bypasses most in x64dbg. Hardware breakpoints evade ptrace-based detection.

The binary's logic is intentionally difficult to follow.

Meaningful operations are hidden behind renaming, encoding, and indirection.

Static analysis reveals structure but not meaning.

Dynamic tracing cuts through the obfuscation by showing the actual execution path.

de4dot for .NET, Ghidra/IDA for binaries, jsnice for JavaScript. Dynamic tracing often bypasses static obfuscation entirely.

A program requires a serial key to unlock its features.

The validation logic is embedded in the binary itself.

The check reduces to a single comparison instruction.

Patching the conditional jump causes the check to always pass.

Find the `cmp` instruction in the disassembly. Patch the conditional jump, or reverse the algorithm to generate valid keys.

A laptop with full-disk encryption is seized while powered off.

DRAM retains data for seconds to minutes after power is removed.

Cooling the chips with compressed air significantly extends the retention window.

Transferring the chips to a controlled system allows reading the retained key material.

DRAM remanence enables key recovery after power loss. Princeton researchers demonstrated extraction of BitLocker, FileVault, and dm-crypt keys in 2008. Mitigated by key scrubbing on suspend.

You're given a RAM dump from a compromised system.

The dump contains running processes, decrypted secrets, and active network connections.

The analysis framework must match the kernel version of the captured system.

Plugins expose process lists, open sockets, and password hashes from the dump.

Volatility analyzes RAM dumps. Key plugins: `pslist`, `hashdump`, `netscan`, `malfind`. Profile must match the exact kernel version of the captured system.

You're given an image file that looks completely normal.

The file size is slightly larger than expected for its dimensions.

The low-order bits of the pixel values encode hidden data.

Extracting and reassembling those bits reveals the hidden content.

zsteg for PNG LSB, steghide for passphrases, stegsolve for bit-plane analysis, binwalk for appended data. Audio spectrograms can also reveal hidden content.

You're on the same LAN as the target.

Sending unsolicited ARP replies updates the victim's ARP cache.

The victim's traffic is now directed to your MAC address.

You sit between the victim and the gateway, reading and modifying all traffic.

Gratuitous ARP replies overwrite IP-to-MAC mappings. Tools: arpspoof, Bettercap. Prevented by Dynamic ARP Inspection on managed switches.

You control an autonomous system connected to the internet.

You announce a more-specific prefix for an address block you don't own.

Neighboring ASes prefer the more-specific route and update their tables.

Traffic destined for the victim's address block routes through your AS.

BGP has no built-in authentication. A rogue AS announces more-specific prefixes to attract victim traffic. RPKI provides route origin validation.

You're on the same network as the target.

You intercept and relay traffic between the client and server without either noticing.

Even encrypted connections can be read when certificate validation is skipped.

Your certificate is accepted because the client has a weak or compromised trust anchor.

Network positioning via ARP spoofing or a rogue AP. mitmproxy and Bettercap intercept and modify traffic. Defeated by HSTS and certificate pinning.

A target receives an email that appears to come from their bank.

The link leads to a page that looks identical to the real login form.

The credentials entered are captured by the attacker.

The attacker now has valid credentials for the legitimate site.

A spoofed email delivers victims to a cloned login page. GoPhish automates campaigns; evilginx2 handles adversary-in-the-middle MFA bypass. SPF, DKIM, and DMARC reduce deliverability.

A specific employee receives a message referencing their current project by name.

The message appears to come from a known colleague.

OSINT gathered from LinkedIn and public sources supplied the targeting details.

The personalization makes the message convincing enough to bypass skepticism.

Targeted OSINT via LinkedIn and theHarvester informs a tailored message. Far more effective than generic campaigns. Commonly used for business email compromise or malware delivery.

You're in a MITM position between a client and an HTTPS server.

The client connects to you over plaintext HTTP.

You maintain an encrypted connection to the server and relay content transparently.

The client has no indication that the connection should have been encrypted.

MITM silently downgrades HTTPS to HTTP. The server sees a secure connection; the victim sees plaintext. Defeated by HSTS preloading. Demonstrated by Moxie Marlinspike at Black Hat 2009.

The target server becomes unreachable during the exercise.

The server allocated state for each incoming SYN but no handshakes completed.

The source addresses in the packets are forged, so no replies reach anyone.

The half-open connection table fills up, blocking all legitimate connections.

SYN packets without ACKs exhaust the connection state table. Mitigated by SYN cookies, which encode state into the sequence number. hping3 generates the flood.

You're within radio range of the target Wi-Fi network.

Sending a spoofed deauthentication frame disconnects all clients.

The frame is accepted without verification because 802.11 management frames are unauthenticated.

Clients reconnect automatically, exposing the WPA handshake for offline cracking.

Spoofed 802.11 deauth frames from the AP's MAC force clients to reassociate. Capturing the handshake enables offline password cracking. Fixed by 802.11w management frame protection. Tool: aireplay-ng.