Results 1 to 5 of 5

Thread: Specialized Ettercap Filter

Hybrid View

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84

    Default Specialized Ettercap Filter

    Hi Im looking to make an ettercap filter that when a person requests an http url with the following syntax *.exe, it gets replaced by a different url, would a simple DNS edit work for this? Probably using base.

    so I understand the code, but am unsure of how it works exactly as I have not found very much online documentation.


    I imagine it would build off the base:

    if {requested_url == *.exe}
    (
    requested url = new url here
    )

    If possible the name should stay the same, but thats not imperative. Im looking to create a way to filter certain content, but building off of trust. They think they can access it but it actually does nothing except show up in my logs that they "violated the trust"

  2. #2
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315

    Default

    I've actually seen this before, done in a .htaccess (rewrite module) script perhaps?

    Ettercap is (very) good for MITM (arp) and DNS spoofing and a lot more of course!
    But if you let Ettercap do that, then hmm.. Starting to remember.. Metasploit has
    in most http server modules, the functionality to actually make any request to a web-
    site request the exe filed specified.

    However i guess with a little work from MPack you could make something similar as well buddy ;-)

    I hope my answer was sufficient for now :-P
    [quote][I]I realized, that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain. [/I]- MaXe[/quote]

  3. #3
    Good friend of the forums
    Join Date
    Feb 2010
    Posts
    328

    Default

    you can setup apache with transpartnet proxy or use my script :P

    http://forums.remote-exploit.org/showthread.php?p=94904

  4. #4
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84

    Default

    Maxe... Senior Member O.o.... I shall speak with you on IRC


    Operator + Maxe: thank you is it at all possible to have it rename the executable? Im trying to do it, but its not working out to well :\ Even building off of that filter you gave.

  5. #5
    Just burned his ISO Wummi's Avatar
    Join Date
    May 2009
    Posts
    17

    Default

    you could setup your http server with a transparent redirection to change the filename.

    might do it with a simple .htaccess in flavor of:
    Code:
    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.*) x.exe
    i have this setup here for testing purposes if you like:

    hxxp://test.ussr.at/whatever.exe

    you can replace whatever with what you like, server will always return the same exe, with the filename you specified in the request uri.

    only thing suspicious would be the server name, one could throw in a tricky dns spoof or just use the ip to obfuscate the real DNS.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •