Currently, I am looking for different ways of injecting HTML in HTTP responses during MITM attacks.
First at all, I have tried the solution using ettercap filters:
The problem with ettercap is that the "Content-Length" field on the HTTP header is not updated when you inject data.
As a result, the victim browser doesn't execute the end of HTML code embedded on the HTTP answer (data injected length)
See screenshot:Content-Length not updated
Then I have manually set the Content-Length value to 999.
As you can see, the HTML code is fully executed : Content-Lenght changed/
Ettercap filter is very limited and it is impossible to get the old Content-Lenght value and update it with the current length.
Moreover, ettercap works at the packet level.
As a result, the packet that contains the Content-Length field should have already been forwarded before I reach the packet where I am injecting HTML.
I've deduced that I cannot use packet level tool (as tcpdump, hping or nemesis) to inject HTML code. So, I've decided to go for a HTTP proxy since it will cache all packets and reconstruct the HTTP request/response before forwarding it.
Then, I have tried using Burp Suite.
From the proxy options, in the match and replace section, I have configure to replace "</body>" by "injected data</body>" in the response body.
As a result, the HTTP response is forwarded to the victim machine with HTML code injected, Content-Length field updated with the new length and the HTML code is fully executed by the victim machine.
Do you know other tools and options (graphical or CLI) that can automatized HTML code injection during MITM attack? (which of course updates the Content-length field)
I have automated the tasks by writing a Burp java extension using Burp Extender APIs but it is not straightforward and the Burp interface still need to be launched.
I had already a look on Sergio proxy and it looked like interesting.
I will dig the tools you've advised me