«
◀
OP-20 // WIRE TAP
SIGMA-9 ELITE // THE UNMASKING
0
XP
T1
RANK
0%
DETECT
↻
RESET
0🔥
STREAK
CAMPAIGN 3 — THE GHOST PROTOCOL
PASSIVE FIBRE TAP // PACKET CAPTURE // DECRYPTION // THE REVEAL
OP-20
NETWORK SNIFFING // PHYSICAL INTERCEPT
WIRE TAP
FIBRE OPTIC TAP · PASSIVE CAPTURE · PACKET ANALYSIS · THE REVEAL
OPERATION WIRE TAP — THE UNMASKING
🔌
MISSION BRIEFING
IDENTITY REVEAL
The Ghost-Writer's laptop held one encrypted file:
The decryption key isn't stored anywhere. It's being transmitted right now through an underground fibre-optic cable connecting the Grand Master's private terminal to a relay node. No wireless. No internet. No remote access. Just glass and light, three metres underground.
There's only one way in: We go through the maintenance tunnel. We clip onto the cable. We listen to the light.
Revenant and Shadow have one window: the Grand Master transmits his daily key at exactly 03:00. We need to be on the wire before then.
GM_FINAL_ORDER.enc. The Grand Master's final directive — every Syndicate operation signed and authorised, laundered through Vantage Systems and a dozen Bucharest shell fronts.The decryption key isn't stored anywhere. It's being transmitted right now through an underground fibre-optic cable connecting the Grand Master's private terminal to a relay node. No wireless. No internet. No remote access. Just glass and light, three metres underground.
There's only one way in: We go through the maintenance tunnel. We clip onto the cable. We listen to the light.
Revenant and Shadow have one window: the Grand Master transmits his daily key at exactly 03:00. We need to be on the wire before then.
WHAT IS A WIRE TAP?
FEYNMAN PRIMER
Imagine two people talking through a long pipe. Someone secretly attaches a listening device to the pipe. They do not interrupt the conversation. They only listen to everything passing through.
🔌 The Grand Master's fatal mistake: he trusted the physical world, but forgot that physical things can be touched. A buried cable can be tapped. The only truly safe data is encrypted data — even if someone steals the wire, encrypted data is useless without the key.
INTERCEPTED — RAVEN CHANNEL
01:44
RAVEN
The relay facility runs on a single dedicated fibre circuit. No wireless, no satellite, no internet. The Grand Master chose it because it leaves no digital footprint. He was right about that. He was wrong about the tunnel.
SHADOW
Twenty guards on the perimeter. How do we get in?
RAVEN
We don't go through the doors. The maintenance tunnel access point is 800 metres south. The guards protect the building. Not the pipes beneath it. We have until 03:00. Move.
🎯
THREAT ACTORS
CLASSIFIED
THE GRAND MASTER — IDENTITY UNKNOWN
Has orchestrated every Syndicate operation across three campaigns from behind Vantage Systems shell fronts and codenames. Trusted physical isolation over encryption. He has never appeared in any intelligence file. He is actively trusted by at least one major agency. His identity — the name behind Director Kane — is in the data on this wire.
THE ELITE GUARD
Twenty private security contractors controlling all above-ground access points. They protect doors and gates. The maintenance tunnel bypasses every checkpoint they guard. They are not the threat. The clock is.
◈ MISSION OBJECTIVES
01
Deploy the fibre tap — choose the correct passive technique that reads light without causing any detectable signal change.
02
Identify the right packet — analyse live Wireshark output and find which packet type carries the key at 03:00.
03
Extract the key via terminal — use the interactive terminal to inspect, decode, and pull the AES-256 key from the cleartext payload.
04
Decrypt the file — read the name — open GM_FINAL_ORDER.enc. The digital certificate reveals who the Grand Master really is.
⚠
SIGMA-9 LEGAL NOTE: Physical fibre-optic interception and network packet capture on communications you don't own are criminal offences under wiretapping laws globally. This simulation uses entirely fictional characters and a fictional facility. The vital lesson: physical isolation is NOT a substitute for encryption. Always encrypt sensitive data regardless of how secure you think the channel is.
📂 GRAND MASTER — INTELLIGENCE FILE
▼ EXPAND
SIGMA-9 // EYES ONLY // KNOWN FACTS PRE-OP-20
OP-11
First reference in AEGIS-ALPHA logs. Referenced only as "GM." Authorised the $40M bribery transfer. No name, no identifier — only the alias.
OP-15
Communication chain from the Data Miner's server showed GM authorised "full escalation" after NEXUS's collapse. Still no identity — only a signature mark: Ω
OP-19
Ghost-Writer's encrypted file:
GM_FINAL_ORDER.enc. Decryption key not on-device. Key transmitted daily at 03:00 over a dedicated fibre circuit. This is the thread.TARGET
nexus-core-sw01.nexus-global.int
IP ADDRESS
10.47.1.1
OS / SERVER
Ubuntu 22.04 · Wireshark/tcpdump · 1 Gbps trunk
KEY SERVICES
SPAN mirror port active · HTTP/FTP/Telnet unencrypted
ATTACK SCOPE
Passive sniff — all cleartext traffic on trunk in scope
ATTACKER NODE
shadow@sigma9 · 10.99.0.1
📋 ROOM TASKS
01
✓
Understand how packet sniffing reads cleartext credentials from the wire
02
▶
Capture and decode credentials from the live network tap
03
○
Classify which protocols expose data in transit vs encrypt it
04
○
Identify the fix (TLS everywhere + encrypted-only protocols)
05
○
Submit the capture-the-flag token
CAPTURE THE FLAG
Complete the exploit lab. The flag appears below once Phase 2 is done. Copy and submit it here for +50 XP.
PHASE 01
SILENT ENTRY — THE FIBRE TAP
TECHNICAL
RAVEN
ENCRYPTED
You are Shadow. Revenant is your technical support on the ground.
In your last operation, you intercepted Ghost-Writer's network traffic — but the final order was encrypted with a key stored on Vantage's fiber backbone. To decrypt it, you need to tap the line.
We're in the maintenance tunnel. The fibre cable is right in front of us. This is a single-mode fibre-optic line — the same technology that carries most of the world's internet traffic underground.
We need to read the light inside without breaking the cable. Think: pressing your ear to a wall to hear a conversation — but for light pulses instead of sound.
There are several ways to try this. Choose the correct technique — the wrong one could alert the Grand Master instantly.
In your last operation, you intercepted Ghost-Writer's network traffic — but the final order was encrypted with a key stored on Vantage's fiber backbone. To decrypt it, you need to tap the line.
We're in the maintenance tunnel. The fibre cable is right in front of us. This is a single-mode fibre-optic line — the same technology that carries most of the world's internet traffic underground.
We need to read the light inside without breaking the cable. Think: pressing your ear to a wall to hear a conversation — but for light pulses instead of sound.
There are several ways to try this. Choose the correct technique — the wrong one could alert the Grand Master instantly.
THE BEND COUPLER — SIMPLE EXPLANATION
10-YEAR-OLD LEVEL
Think of fibre as a glass straw with light running through it. Normally all the light goes straight from end to end. But if you bend the straw slightly, a tiny bit of light escapes out of the curve — like water dribbling from a kinked hose.
We use a bend coupler: a clip that bends the cable just enough to make a tiny amount of light leak sideways into our sensor. The Grand Master's terminal keeps receiving normal light. No alarm. No signal drop. No trace.
We use a bend coupler: a clip that bends the cable just enough to make a tiny amount of light leak sideways into our sensor. The Grand Master's terminal keeps receiving normal light. No alarm. No signal drop. No trace.
🔌 If light naturally leaks out of a bent cable — what would you need to read that leak without anyone at either end noticing the bend was ever made?
SIGMA-9 CAPTURE LOG — HOW WE FOUND IT
02:47 UTC
> traced the Grand Master's terminal back to a single buried single-mode fibre run
> no encryption negotiated on the link — the glass carries plaintext light
> FOUND: a service loop of slack cable in the maintenance tunnel — a clean bend point
RAVEN: "He buried the cable and called it safe. But a buried cable isn't encrypted — it's just hidden. We don't break it. We listen to the light leaking off the side."
► SELECT THE CORRECT TAP TECHNIQUE
💡 RAVEN — HINT (−20 XP)
We need to stay completely invisible. No signal interruption, no measurable loss. Which option touches the cable from the outside without cutting it? Fibre carries light — RF antennas are useless here. Splicing always creates a break. Which option is purely passive?
✓
TAP DEPLOYED — PASSIVE BEND COUPLER ACTIVE
The bend coupler clips around the cable. A micro-bend forces ~0.1dB of optical signal to leak sideways into our sensor — within the cable's normal noise floor. The Grand Master's system reads completely normal signal levels.
In simple terms: Light travels in a straight line. Force it around a tight bend and a tiny bit "escapes." We catch that escaped light. The rest travels normally to its destination. Neither end can detect that anything leaked.
The Grand Master's fatal assumption: He trusted that a buried cable nobody knew about was secure. He never imagined someone would be physically in the tunnel beneath his facility.
In simple terms: Light travels in a straight line. Force it around a tight bend and a tiny bit "escapes." We catch that escaped light. The rest travels normally to its destination. Neither end can detect that anything leaked.
The Grand Master's fatal assumption: He trusted that a buried cable nobody knew about was secure. He never imagined someone would be physically in the tunnel beneath his facility.
Real-world context: Intelligence agencies have used exactly this technique on undersea fibre cables for decades. A buried cable is not inherently secure — only encrypted data travelling on it is secure.
PHASE 02
WIRESHARK — PACKET IDENTIFICATION
FORENSIC
Tap deployed. Optical signal flowing. The Grand Master transmits in two minutes — we need to find the exact packet before the window closes.
RAVEN
ENCRYPTED
The tap is live. Data is flowing into our capture device. Time: 02:58. Two minutes until the Grand Master's 03:00 key transmission window.
Wireshark is decoding the raw optical data into readable packets. Most of this traffic is routine — keepalives, timestamps, routing pings. One specific packet type will carry the decryption key at exactly 03:00.
A packet is like an envelope: the outside shows source and destination. The inside is the actual message. Wireshark opens every envelope. If the message inside isn't encrypted — we read everything.
Wireshark is decoding the raw optical data into readable packets. Most of this traffic is routine — keepalives, timestamps, routing pings. One specific packet type will carry the decryption key at exactly 03:00.
A packet is like an envelope: the outside shows source and destination. The inside is the actual message. Wireshark opens every envelope. If the message inside isn't encrypted — we read everything.
RAVEN
INTEL
What to look for: Find the TCP data segment from
Once you identify the correct packet, open it in layers: TCP layer → Payload → CERT_FIELD → Subject → Common Name (CN). The CN field contains the signer’s real identity.
10.9.9.2 to 10.9.9.1 arriving at timestamp 03:00:01 — that’s the key transmission window. The 512-byte cleartext payload is the session key exchange.Once you identify the correct packet, open it in layers: TCP layer → Payload → CERT_FIELD → Subject → Common Name (CN). The CN field contains the signer’s real identity.
Initialising capture on tap0...
MISSION OBJECTIVEFour packet types are visible in the Wireshark capture. Only one carries the 512-byte key payload at 03:00:01. Identify the correct packet type to proceed to extraction.
► WHICH PACKET TYPE CARRIES THE DECRYPTION KEY?
💡 RAVEN — HINT (−20 XP)
We need the packet with actual data payload arriving at exactly 03:00. ICMP ping = no payload. ARP = no user data. DNS = doesn't belong on a private air-gapped network. Look for the packet with a 512-byte cleartext payload arriving on the Grand Master's exact schedule.
✓
TARGET PACKET IDENTIFIED — KEY MATERIAL LOCATED
TCP data segment at
The simple version: Imagine sending a letter with your secret in plain English because you think the postal system is too secret to intercept. We intercepted the post. We can read every word.
The payload contains structured key material. Time to decode it.
03:00:01 — 512 bytes of cleartext payload. Because the Grand Master trusted physical isolation instead of encrypting his data, this payload is travelling in plain readable bytes.The simple version: Imagine sending a letter with your secret in plain English because you think the postal system is too secret to intercept. We intercepted the post. We can read every word.
The payload contains structured key material. Time to decode it.
Core lesson: "Trusting the channel" instead of "protecting the data" is a fundamental security failure. Encrypt the data itself — not just the path. If the data is encrypted, a tap is useless. If it isn't, a tap is catastrophic.
PHASE 03
KEY EXTRACTION — TERMINAL
INTERACTIVE
Target packet confirmed. 512 bytes of cleartext payload sitting in our capture buffer. Time to crack it open layer by layer and pull the key.
RAVEN
ENCRYPTED
We have the raw packet. Now we dig into it layer by layer.
Think of this like boxes inside boxes. The packet is the outer box. Inside is a payload. Inside the payload is a structured message. Inside the message is the key field. We dig through each layer with one command at a time.
Type commands into the terminal. Four steps:
If you get stuck, hit 💡 HINT for the exact next step (costs 20 XP).
Think of this like boxes inside boxes. The packet is the outer box. Inside is a payload. Inside the payload is a structured message. Inside the message is the key field. We dig through each layer with one command at a time.
Type commands into the terminal. Four steps:
inspect → decode → extract key → read certIf you get stuck, hit 💡 HINT for the exact next step (costs 20 XP).
WHAT THESE COMMANDS DO
REFERENCE
tcpdump -i eth0 -w capture.pcapCapture raw network traffic from interface
eth0 and write every packet to a file for offline analysis.tshark -r capture.pcap -Y tlsRead the capture file and filter for TLS packets only, stripping out noise like ARP, ICMP, and keepalives.
openssl enc -aes-256-cbc -d ...Decrypt a file encrypted with AES-256-CBC using the extracted key — this is what unlocks
GM_FINAL_ORDER.enc.MISSION OBJECTIVEUse the interactive terminal to dig through the packet in four steps: inspect → decode → extract key → read cert. Each command goes one layer deeper. Complete all four to recover the AES-256 key and reveal the signer's identity.
► TAP CAPTURE ACTIVE // 03:00:01 UTC
Packet loaded: 512 bytes TCP payload from 10.9.9.2 → 10.9.9.1
Raw cleartext data ready for analysis.
Commands: inspect | decode | extract key | read cert
shadow@sigma9:~$ █
Packet loaded: 512 bytes TCP payload from 10.9.9.2 → 10.9.9.1
Raw cleartext data ready for analysis.
Commands: inspect | decode | extract key | read cert
shadow@sigma9:~$ █
shadow@sigma9:~$
💡 RAVEN — ACTIVE HINT
Start with inspect to see the packet structure. Then decode to parse fields. Then extract key to pull the AES key. Finally read cert to see the signer's identity.
✓
KEY EXTRACTED — GM_FINAL_ORDER.enc READY TO DECRYPT
Key material successfully parsed from the TCP cleartext payload.
In simple terms: The packet was a box with a label showing its layout. We read the label, found the keyhole, and took the key out. Because the data was never encrypted, the key was sitting in plain text — like a front door key left in an unlocked letterbox.
The digital certificate in the same payload contains the Grand Master's real identity. Running decryption on
AES-256-CBC KEY: 4f8d2a1e7b3c9f6d2a8e4b1c7f3a9e2dIn simple terms: The packet was a box with a label showing its layout. We read the label, found the keyhole, and took the key out. Because the data was never encrypted, the key was sitting in plain text — like a front door key left in an unlocked letterbox.
The digital certificate in the same payload contains the Grand Master's real identity. Running decryption on
GM_FINAL_ORDER.enc...
Why does the digital certificate matter? When you sign a document digitally, the certificate contains your real name — a mathematical proof that you specifically signed it, impossible to forge. The Grand Master signed every Cabal order with his real certificate, believing the communication was private. He was catastrophically wrong.
PHASE 04
THE DECRYPTION — THE REVEAL
FINALE
Key in hand. GM_FINAL_ORDER.enc is open. One field stands between us and the Grand Master's identity: the certificate Common Name. Read the name that signed every Cabal order.
CRITICAL — RAVEN
FINAL SEQUENCE
The file is open.
GM_FINAL_ORDER.enc — decrypted. 847 pages. Authorisation codes for every Cabal operation across the last three years. Financial records. Target lists. Termination orders.
Every document signed by the same digital certificate.
The certificate's Common Name field is on the screen in front of us.
Revenant reads it. Doesn't speak for twelve seconds.
The name belongs to someone who has been present in Shadow's operational life since the very beginning. Someone Shadow trusted completely.
GM_FINAL_ORDER.enc — decrypted. 847 pages. Authorisation codes for every Cabal operation across the last three years. Financial records. Target lists. Termination orders.
Every document signed by the same digital certificate.
The certificate's Common Name field is on the screen in front of us.
Revenant reads it. Doesn't speak for twelve seconds.
The name belongs to someone who has been present in Shadow's operational life since the very beginning. Someone Shadow trusted completely.
$ openssl enc -aes-256-cbc -d -in GM_FINAL_ORDER.enc -out GM_FINAL_ORDER.txt -K 4f8d2a1e9c3b7f56a2d8e41b0c6f3d9a2e7b4c8d1f5a3e6b0c9d2f4a7e1b3c8 -iv 0102030405060708090a0b0c0d0e0f10
MISSION OBJECTIVEThe digital certificate in the decrypted file names its signer. Select who the Grand Master is from the options below. One correct answer closes Operation Wire Tap and concludes Campaign 3.
► THE CERTIFICATE COMMON NAME FIELD READS:
WHO IS THE GRAND MASTER?
💡 RAVEN — HINT (−20 XP)
Revenant says: "He gave us the targets. He knew we would succeed. He was using us to remove every competing organisation above him." Who had authority to assign Shadow's operations across ALL three campaigns? Who issued the SIGMA-9 clearance? Who could eliminate NEXUS, the Architect, and the Cabal while remaining completely above suspicion?
🔧 UNDER THE HOOD▼
THE ATTACK — STEP BY STEP
Passive optical fibre tap — unlike copper wire, fibre doesn't emit electromagnetic radiation, but a physical bend in the cable causes light to escape. A photodetector placed at the bend captures the signal without injecting anything:
# Physical tap setup (conceptual):
# 1. Gain physical access to the fibre run (data center, street cabinet)
# 2. Bend the fibre 90+ degrees — light leaks from the core
# 3. Place a photodetector at the bend point
# 4. Reconstruct the optical signal into electrical form
# 5. Feed into a standard NIC in promiscuous mode
# No power draw, no electrical signature, no traffic disruption.
# The legitimate signal is NOT interrupted — the connection stays up.
# Capture with tcpdump after signal reconstruction:
tcpdump -i tap0 -w capture.pcap
# Analyse offline: wireshark capture.pcap
COMMON VARIATIONS
1. TEMPEST / van Eck phreaking — capture electromagnetic emissions from monitors, keyboards, or unshielded copper runs using a directional antenna from a distance — no physical contact required.
2. Timing correlation attack — even with end-to-end encryption, an attacker who monitors both ends of a Tor connection can correlate traffic timing patterns to de-anonymize the user — no decryption needed:
2. Timing correlation attack — even with end-to-end encryption, an attacker who monitors both ends of a Tor connection can correlate traffic timing patterns to de-anonymize the user — no decryption needed:
# Attacker monitors:
# - Volume/timing of packets entering the Tor entry node
# - Volume/timing of packets exiting at the destination
# Statistical correlation reveals who is talking to whom
3. Lawful intercept / network tap boxes — ISPs are legally required in many jurisdictions to install deep packet inspection equipment (CALEA in the US) that law enforcement can access with a court order.HOW TO DEFEND
End-to-end encryption is the only complete defense against physical interception — even a perfect tap only sees ciphertext:
# TLS 1.3 with Perfect Forward Secrecy — each session uses a unique key:
# Even if the long-term private key is later compromised,
# past sessions cannot be decrypted (keys are ephemeral, not stored).
# Check your TLS configuration:
openssl s_client -connect target.com:443
# Look for: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384
# For internal services, mutual TLS (mTLS) — both sides authenticate:
# Client and server both present certificates
# Traffic padding to resist traffic analysis:
# Some VPNs (WireGuard) and Tor add constant-rate dummy packets
# to obscure real traffic volume patterns
Physical security: seal fibre splice points, use tamper-evident enclosures, install intrusion detection on optical distribution frames.🔌
IDENTITY CONFIRMED
OPERATION WIRE TAP — SUCCESS
THE GRAND MASTER IS UNMASKED
+0
XP EARNED THIS OPERATION
◈ SIGMA-9 // CLASSIFIED // GRAND MASTER IDENTITY CONFIRMED
DIRECTOR KANE
INTELLIGENCE DIVISION DIRECTOR — SIGMA-9 PARENT DIRECTORATE
The man who assigned every one of Shadow's operations across three campaigns.
The man who issued SIGMA-9 clearance to Shadow personally.
The man who told Shadow who the targets were.
He was never hunting the Cabal.
He was using Shadow as a precision instrument — eliminating every rival organisation competing with him for power. NEXUS. The Architect. The Cabal's inner circle. One by one. Untouchable, because he sat inside the very agency hunting them.
Every operation we ran made the Grand Master more powerful. We were always his weapon.
The man who issued SIGMA-9 clearance to Shadow personally.
The man who told Shadow who the targets were.
He was never hunting the Cabal.
He was using Shadow as a precision instrument — eliminating every rival organisation competing with him for power. NEXUS. The Architect. The Cabal's inner circle. One by one. Untouchable, because he sat inside the very agency hunting them.
Every operation we ran made the Grand Master more powerful. We were always his weapon.
03:14 — MAINTENANCE TUNNEL // SIGMA-9 DARK CHANNEL
SYSTEM
Revenant reads the screen. Does not move for twelve seconds.
RAVEN
He gave us the targets. He knew we would succeed. He was using us to remove every competing organisation above him. NEXUS. The Architect. The Cabal's own inner circle. Every operation we ran made the Grand Master more powerful.
SHADOW
The Wire Tap. We have the proof.
RAVEN
Yes. And he knows every channel we would use to report it. Every handler above me runs through his office. We cannot go through official channels.
SHADOW
Then we go dark.
SYSTEM
Shadow powers down the Sigma-9 field terminal. Revenant removes the tap. They exit through the maintenance tunnel into the pre-dawn darkness — carrying the only copy of evidence that cannot be reported through any official channel. The hunt for Vantage Systems begins tonight.
The Cabal: Operationally dismantled. Assets seized. Inner circle dead, captured, or in hiding.
Director Kane: Not yet arrested. The proof exists. The reporting channel is compromised. He now knows Shadow survived Operation Wire Tap.
Agent Shadow and Revenant: Rogue operatives. Holding the only copy of the evidence. Hunted by the organisation they served.
The final act — the hunt for Vantage Systems — begins.
Director Kane: Not yet arrested. The proof exists. The reporting channel is compromised. He now knows Shadow survived Operation Wire Tap.
Agent Shadow and Revenant: Rogue operatives. Holding the only copy of the evidence. Hunted by the organisation they served.
The final act — the hunt for Vantage Systems — begins.
POST-OPERATION — DIRECTOR KANE // INTERCEPTED 04:17
SIGMA-9
DIRECTOR KANE
The maintenance tunnel was accessed at 02:58. Two signatures on the motion log — not our personnel. The cable was tapped. They have the file.
CONTACT
Should we activate retrieval?
DIRECTOR KANE
Shadow is still alive. And Shadow now knows what I am. Activate retrieval on all channels. Hunt them down before they can surface the evidence.
🛡
WHAT SHOULD DIRECTOR KANE HAVE DONE?
DEFENSE
The attack worked because of one mistake: trusting the physical channel instead of encrypting the data.
Had the key transmission used TLS encryption, the tapped data would have been completely useless — scrambled ciphertext. The lesson is the most important in this entire campaign:
"Encrypt the data — not just the path."
Had the key transmission used TLS encryption, the tapped data would have been completely useless — scrambled ciphertext. The lesson is the most important in this entire campaign:
"Encrypt the data — not just the path."
| DEFENSE | WHAT IT DOES | STOPS THIS? |
|---|---|---|
| TLS/SSL on the data | Encrypts payload before transmission | ✓ Yes — tapped data is unreadable ciphertext |
| VPN tunnel | Wraps entire session in encryption | ✓ Yes — all traffic encrypted end-to-end |
| Physical cable monitoring | Detects signal anomalies | ⚠ Partial — passive taps stay within noise floor |
| Buried cable only | Prevents easy physical access | ✗ No — maintenance tunnels always exist |
| Air-gapped network | No external connections | ✗ No — physical tap ignores the air gap |
DEBRIEF — REFLECTION QUESTION
You captured traffic passively — no injection, no login, no detectable trace. What defence remains effective against an adversary with physical access to the wire?
► INTEL — OP-20 // WIRE TAP
NEXUS Server Room — Physical Network
Classification: TOP SECRET // Campaign 3 Ghost Protocol
MENDAX — CHANNEL BRIEFING
PRE-OP
MENDAX
Physical access to the server room switch enabled installation of a passive tap on the uplink. All unencrypted traffic on that segment is now visible including any cleartext protocols.
📓
OWASP CLASSIFICATION
INTELNetwork forensics: passive sniffing captures all traffic visible to the capture point. Cleartext protocols expose credentials and session data.
⚖
GLOSSARY TERMS: Packet Sniffing, Wireshark, Passive Tap, Promiscuous Mode, PCAP, Network Forensics. All terms auto-logged to your Field Manual.
SIGMA-9 ACADEMY
OPERATION 20 // NETWORK SNIFFING // COMPLETE REFERENCE
◈ WHAT IS NETWORK SNIFFING?
Imagine the internet is a postal system. Every message gets broken into little envelopes called packets, each addressed and sent through a series of sorting offices (routers) to reach its destination.
Network sniffing is like standing at one of those sorting offices and reading the inside of every envelope that passes through. If the message inside is in plain language (unencrypted), you read everything. If it's in a secret code (encrypted), you see scrambled text that means nothing.
In Operation Wire Tap, we used a physical fibre tap to literally intercept the light carrying the packets — before they even reached a network device. Then Wireshark decoded those optical signals into readable packets. Because the Grand Master never encrypted his data, we read every byte.
◈ THE FIVE STEPS OF PASSIVE FIBRE SNIFFING
1
Find the cable. You need physical access to the same network path as the target traffic. In our case: the maintenance tunnel 800 metres from the guarded perimeter.
2
Tap without interruption. A passive bend coupler reads leaked light from a slightly bent fibre. In a simplified lab model, the leakage stays within the expected loss budget, so the link keeps working and no alarm fires.
3
Convert to digital. The optical sensor converts light pulses back to electrical signals. Wireshark decodes these as standard network frames: source, destination, protocol, payload.
4
Filter the traffic. Most packets are noise — keepalives, routing updates. Identify
TCP DATA packets with actual payload arriving on the target's exact schedule.5
Extract and interpret. Parse the payload structure. Because the Grand Master transmitted the key in cleartext, it was readable with four simple terminal commands in under two minutes.
◈ WHY ENCRYPTION IS THE ONLY REAL DEFENCE
✗ Physical isolation alone: "No one can reach the wire." — Wrong. Maintenance tunnels exist. Insiders exist. Bend couplers need no network login.
✓ End-to-end encryption: Even if someone taps the wire, they get encrypted ciphertext — completely useless without the decryption key that was never transmitted over the tapped channel.
Director Kane's mistake: "trusting the channel over the data." He protected the wire. He should have protected what was travelling on it. Always encrypt sensitive data before it leaves your system — regardless of how secure you think the channel is.
❓
FIELD QUESTIONS — OPERATION WIRE TAP
Can you sniff encrypted HTTPS traffic with Wireshark?
Sort of — but it won't help much. Wireshark can capture HTTPS packets, but the payload is encrypted ciphertext — completely unreadable without the TLS session key. This is why Perfect Forward Secrecy (PFS) matters: even if you later obtain the private key, past sessions remain secure because each session used a unique temporary key that was never stored.
What is the difference between passive and active sniffing?
Passive sniffing: You listen to traffic that naturally passes your device — like overhearing a conversation. No injection, no interference. Works on shared networks and physical taps. Active sniffing: You manipulate the network to redirect traffic toward you. Techniques include ARP poisoning and man-in-the-middle attacks. Active sniffing is detectable. A passive physical fibre tap — staying within noise floor — is extremely difficult to detect.
What exactly does Wireshark see when it captures a packet?
Wireshark sees the complete packet in layers: Layer 2 (Ethernet — MAC addresses), Layer 3 (IP — source and destination IPs), Layer 4 (TCP/UDP — port numbers, sequence numbers), and Layer 7 (Application data — the actual content). For HTTP traffic, Layer 7 is fully readable plaintext. For HTTPS, Layer 7 is encrypted ciphertext. Wireshark automatically reassembles TCP streams so you can read complete conversations from start to finish.
What was Director Kane's actual security mistake?
Director Kane made the classic mistake of trusting the channel rather than the data. He believed a physically isolated, buried, private fibre circuit was equivalent to security. The correct approach: encrypt the data before it touches the wire using TLS. Even if someone taps the wire, they see encrypted data — useless without the key. Additional mistake: signing documents with his real digital certificate while believing the communication was private. If data is encrypted, the certificate is invisible. If data is cleartext, the certificate is evidence.
Why was Director Kane the Grand Master? What was his plan?
Director Kane occupied the highest trusted position in Shadow's chain of command. His plan: he identified Shadow as an exceptionally capable operative, issued SIGMA-9 clearance, and assigned targets that were all his rivals for power — NEXUS, the Architect, the Cabal's inner circle. Each successful operation eliminated a competitor while appearing as legitimate intelligence work. He was simultaneously the hunter and the one being protected. He was exposed only because he trusted a physical wire over encryption — the same mistake he expected his targets to make.
REAL-WORLD TOOLS — TRAFFIC INTERCEPTION
WHAT PROFESSIONALS USE
📷
Wireshark
FREE / OPEN SOURCE
Capture and inspect packets from a span/tap port. Reconstruct full sessions with Follow TCP Stream to see exactly what crossed an unencrypted link.
Filter: tcp.port == 80 || tls.handshake
📡
tcpdump
FREE / OPEN SOURCE
Lightweight CLI capture for writing pcap files from a monitoring interface during authorised assessments.
tcpdump -i tap0 -w capture.pcap
🔐
TLS / mkcert
FREE / OPEN SOURCE
The defence: encrypt the link end-to-end so a tap only yields ciphertext. mkcert spins up trusted local certs for testing TLS.
mkcert internal.service.local
LEAVE MISSION?
Progress is saved. You can resume from the mission select screen at any time.
RESET MISSION?
This wipes all progress for this operation only. XP in other operations is unaffected.
ARE YOU SURE?
Final confirmation -- all progress for this operation will be permanently erased.