A local, educational hacking-simulation chat app.
This repository contains a small, self-contained simulation of an insecure real‑time chat system (React + Vite frontend, Flask backend) together with a parallel Hacker Interface (React frontend + Flask + Scapy) that demonstrates how an attacker can sniff and attempt to brute-force classical ciphers.
The goal is educational: to visualize how plain/encrypted messages travel over an insecure channel and how weak ciphers are vulnerable to brute-force attacks.
- Two users open the User Interface frontend (React) on mobile browsers using the laptop's network URL. They send messages that are encrypted using one of two classical ciphers (Caesar or Vigenère) before being transmitted.
- The User Interface backend (Flask) accepts messages, applies the selected cipher, stores
original/encrypted/decryptedfields and serves message lists. - A separate Hacker Interface sniffing service uses Scapy to capture HTTP payloads from network packets. Captured ciphertexts are shown in the Hacker UI.
- The hacker UI includes simple brute-force/decryption routines:
- Caesar: try all 26 shifts.
- Vigenère: try keys from a small dictionary of common keys.
💡 If using Vite's proxy (recommended for mobile testing),
mobile → laptop:5173is visible on the Wi‑Fi interface and Vite forwards (localhost:5000) internally — the sniffer can capture both network and loopback traffic depending on where it runs and which interface it listens on.
This project is intended only for educational use on networks and devices you control.
Do NOT use the sniffing tools on networks or devices without explicit permission. Intercepting or decrypting others' traffic without consent is likely illegal in many jurisdictions. For classroom demos, use an isolated Wi‑Fi hotspot or virtual machine network.
- Node.js & npm
- Python 3.8+
- pip
- Virtualenv (recommended)
- On Linux: root privileges (or capabilities) to run Scapy sniffing (the hacker backend must be launched with
sudoor equivalent)
- User UI (React/Vite): 5173 (network) — open this for mobile clients
- User backend (Flask): 5000 — only needed to be opened to LAN if NOT using Vite proxy
- Hacker UI (React/Vite): 5174 (network)
- Hacker backend (Flask + Scapy): 5001 — needs root to sniff
Use an isolated hotspot or a lab network where you control all devices. Run the four components as below. Adjust IPs and ports per your machine.
cd BackendUserInterface
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python app.py # default: 0.0.0.0:5000cd FrontendUserInterface
npm install
npm run dev -- --host # serves on 0.0.0.0:5173 and prints Network URLOpen on mobile browser: http://<laptop-ip>:5173
If you use Vite proxy (see next section), configure the frontend to use VITE_API_URL='/api' or const API_URL = '/api' so API requests are proxied.
This requires root: Scapy needs privileges to sniff on network interfaces.
cd BackendHackerInterface
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
sudo .venv/bin/python app.py # or: sudo python app.py (ensure venv paths)
# hacker API runs on 0.0.0.0:5001 by defaultcd FrontendHackerInterface
npm install
npm run dev -- --host # default: 5174Open on laptop: http://localhost:5174 or http://<laptop-ip>:5174
Prefer restricting to LAN subnet instead of opening to the whole internet.
If your LAN is 192.168.0.0/24:
# Allow frontend access (mobile browsers)
sudo ufw allow from 192.168.0.0/24 to any port 5173 proto tcp
# If you do NOT use Vite proxy and want backend open to LAN:
sudo ufw allow from 192.168.0.0/24 to any port 5000 proto tcp
# Allow hacker UI access (if you want to open it on the network)
sudo ufw allow from 192.168.0.0/24 to any port 5174 proto tcp
sudo ufw allow from 192.168.0.0/24 to any port 5001 proto tcpIf you rely on the frontend proxy, you can keep port 5000 closed and open only 5173 & 5174/5001 as needed.
Add to vite.config.js / vite.config.ts in the frontend project to proxy /api to backend:
export default defineConfig({
server: {
host: true,
port: 5173,
strictPort: true,
proxy: {
'/api': {
target: 'http://localhost:5000',
changeOrigin: true,
rewrite: (path) => path.replace(/^\/api/, ''),
},
},
},
});Then in your frontend code call fetch('/api/send', ...) — mobile only needs access to 5173 and the proxied request will be made locally by Vite to the Flask backend (loopback). The attacker can sniff the mobile→5173 traffic on the Wi‑Fi iface and sniff the loopback traffic if running on the same laptop.
- Caesar: iterate shifts
0..25and attempt a plausibility check (e.g., presence of common English words) and present candidates to the user. - Vigenère: try a candidate key list (a small dictionary). For a simulation/demonstration, the keyspace is intentionally small so brute-force completes quickly.
Include comments in the hacker UI explaining the time complexity and why longer/stronger keys are important.
- Start
userinterface_backendon laptop1 (port 5000). - Start
userinterface_frontendon laptop1 with--host(port 5173). - Start
hackerinterface_backend(withsudo) on laptop1 (port 5001). - Start
hackerinterface_frontendon laptop1 (port 5174). - Open two mobile browsers to
http://<laptop-ip>:5173and chat. - Open the hacker UI on laptop1
http://<laptop-ip>:5174and watch captured ciphertexts.
Below are step-by-step visuals showing how Hacking Simulation On Chat Application works — from user communication to hacker interception and decryption attempts.
- No packets captured: verify
SNIFF_IFACE(useip addr/iw dev/nmcli device status). If you used Vite proxy, useloto capture loopback forwarded requests orwlp...to capture Wi‑Fi traffic. - Scapy permission error: run hacker backend with
sudoor grant capabilities to Python binary. - HTTPS: if your mobile uses HTTPS, packets are encrypted — use HTTP for this educational demo.
Alok Kumar Maurya – Developer | Email: alok05.maurya@gmail.com