
Thread: HTTP injection options in MITM attack

  1. #1
    Just burned his ISO · Join Date: Nov 2011 · Posts: 3

    HTTP injection options in MITM attack

    Currently, I am looking for different ways of injecting HTML in HTTP responses during MITM attacks.

    First of all, I have tried the solution using ettercap filters:
    Etterfilter tuto

    The problem with ettercap is that the "Content-Length" field in the HTTP header is not updated when you inject data.
    As a result, the victim browser doesn't execute the end of the HTML code embedded in the HTTP response (the injected data length).
    See screenshot: Content-Length not updated

    Then I have manually set the Content-Length value to 999.
    As you can see, the HTML code is fully executed: Content-Length changed

    Ettercap filters are very limited and it is impossible to get the old Content-Length value and update it with the current length.

    Moreover, ettercap works at the packet level.
    As a result, the packet that contains the Content-Length field should have already been forwarded before I reach the packet where I am injecting HTML.

    I've deduced that I cannot use packet-level tools (such as tcpdump, hping or nemesis) to inject HTML code. So, I've decided to go for an HTTP proxy since it will cache all packets and reconstruct the HTTP request/response before forwarding it.

    Then, I have tried using Burp Suite.
    From the proxy options, in the match and replace section, I have configured it to replace "</body>" with "injected data</body>" in the response body.
    As a result, the HTTP response is forwarded to the victim machine with HTML code injected, Content-Length field updated with the new length and the HTML code is fully executed by the victim machine.

    Do you know other tools and options (graphical or CLI) that can automate HTML code injection during a MITM attack? (which of course updates the Content-Length field)
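The framing problem in this post (body altered, Content-Length not recomputed, so the browser parses only the first Content-Length bytes and drops the rest) is something a monitoring proxy or IDS can check for. The following is an added example, not from the thread or any of the tools named in it; the function names and the sample response are my own constructions.

```python
"""Response-integrity check: does the declared Content-Length match the body?

Added example (not from the thread). A response whose body is longer than its
Content-Length is exactly the symptom described above: the client keeps only
the first Content-Length bytes, so closing tags (and anything after them) vanish.
Such mismatches are a useful tamper/misconfiguration indicator on a proxy or IDS.
"""
from typing import Dict, Optional, Tuple


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker (CRLFCRLF) found")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; normalise to lower case.
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status_line, headers, body


def check_content_length(raw: bytes) -> dict:
    """Compare the declared Content-Length with the body actually on the wire."""
    status_line, headers, body = split_response(raw)
    declared: Optional[int] = int(headers["content-length"]) if "content-length" in headers else None
    actual = len(body)
    if declared is None:
        verdict, delivered = "no-content-length", body   # chunked or close-delimited framing
    elif declared == actual:
        verdict, delivered = "consistent", body
    elif declared < actual:
        verdict, delivered = "body-truncated", body[:declared]  # client silently drops the tail
    else:
        verdict, delivered = "body-short", body          # client stalls waiting for more bytes
    return {"status": status_line, "declared": declared, "actual": actual,
            "verdict": verdict, "delivered": delivered}


# Constructed samples. TAMPERED: the body grew from 28 to 36 bytes but the header still says 28.
CONSISTENT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n"
              b"<html><body>hi</body></html>")
TAMPERED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n"
            b"<html><body>hi<p>x</p></body></html>")

if __name__ == "__main__":
    for name, sample in (("consistent", CONSISTENT), ("tampered", TAMPERED)):
        r = check_content_length(sample)
        print(name, r["verdict"], r["declared"], r["actual"], r["delivered"])
```

On the tampered sample the delivered body ends at `</body`, which is why the injected markup in the thread's first screenshot was only partially rendered.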

  2. #2
    Junior Member · Join Date: Jan 2010 · Posts: 40

    Re: HTTP injection options in MITM attack

    Charles Proxy is an excellent tool for this kind of thing, much better than burp. Using bash to read data from the web interface you can automate everything.
    You may also want to try Sergio Proxy and MITMProxy.

    Quote Originally Posted by ridercop View Post

  3. #3
    Just burned his ISO · Join Date: Nov 2011 · Posts: 3

    Re: HTTP injection options in MITM attack

    Quote Originally Posted by thaijames View Post
    Charles Proxy is an excellent tool for this kind of thing, much better than burp. Using bash to read data from the web interface you can automate everything.
    You may also want to try Sergio Proxy and MITMProxy.
    Thank you thaijames for your answer.
    I have automated the tasks by writing a Burp Java extension using the Burp Extender APIs, but it is not straightforward and the Burp interface still needs to be launched.

    I had already had a look at Sergio Proxy and it looked interesting.
    I will dig into the tools you've advised me.

    Regards,

  4. #4
    Junior Member · Join Date: Jan 2010 · Posts: 40

    Re: HTTP injection options in MITM attack

    Both Charles Proxy and Burp have a headless mode (run without the interface).

    If you come up with any good scripts to control any of these transparent proxies, I would appreciate it if you could share them.

    Quote Originally Posted by ridercop View Post
