dustbyter Posted August 1, 2012
Hi All, I'm trying to do some experimentation with the Mark IV in my lab and had the idea of trying to manipulate the HTML for pages that are passing over HTTP. Any ideas on how to get something like this going? I thought of setting up a proxy such as Squid which could have a url_rewrite_rule, but this would mean that one would need to connect to the proxy port that Squid is on. Is there another way that may be able to do this which I'm not aware of? Regards.
Sebkinne Posted August 1, 2012
Ettercap would be the way to go in my opinion. There are some issues with it at the moment but I will see what I can do. Best, Sebkinne
dustbyter Posted August 1, 2012
Sebkinne - Great idea! I didn't think of that initially. Thanks for the direction!
telot Posted August 1, 2012
You might want to send a PM to Whistle Master - he has been working on ettercap in the past but ran into some issues as Seb mentioned. I'm sure he'd appreciate a new set of eyes on it. telot
dustbyter Posted August 1, 2012
Thanks telot. I'll send Whistle Master a PM regarding it.
dustbyter Posted August 2, 2012
Hmm, not sure if my error is the same one that Whistle Master is getting, but it seems that I'm having a hard time getting ettercap to work correctly. I've created my filter and compiled it. Then when I try to run it, I get an error:
FATAL: MITM attacks can't be used on unconfigured interfaces
What experience have you guys had? Anyone else try to run ettercap on the device? My hardware is the Mark IV, and I'm using the built-in ettercap, which is version 0.73.
dustbyter Posted August 3, 2012 (edited)
I've made some progress. Part of my issue was that I was setting up ettercap on the wrong interface! Duh! The command to use is:
ettercap -Tq -F a.ef -i br-lan
My filter is running, but it's not actually changing the HTML; this will be tested further. However, when I terminate ettercap, the following error is shown:
ip_forwarding was not disabled, but we cannot re-enable it now. remember to re-enable it manually
I haven't modified the /etc/ettercap.conf file at all. After getting the above error, no more traffic flows from the clients and I must reboot the pineapple. Any idea what I'm missing? Edited August 3, 2012 by dustbyter
dustbyter Posted August 3, 2012
I've made some progress, but not quite there yet...
1. Wrote a filter to inject an image into the traffic and it didn't work, so I tried to inject an alert message. The filter has a log(...) message to dump the DATA.data field to a log file. When reviewing the log, it is evident that the modification is present.

HTTP/1.1 200 OK
Connection: close
ETag: "500-48-501c2583"
Last-Modified: Fri, 03 Aug 2012 19:24:51 GMT
Date: Fri, 03 Aug 2012 19:45:19 GMT
Content-Type: text/html
Content-Length: 72
Transfer-Encoding: chunked

48
<html>
<head>
</head><script type="text/javascript">alert('<<<I WAS HERE>>>');</script>
<body>
<img src="logo_intro.gif">
</body>
</html>
0

HTTP/1.1 200 OK
Connection: close
ETag: "4ff-257d-501c2825"
Last-Modified: Fri, 03 Aug 2012 19:36:05 GMT
Date: Fri, 03 Aug 2012 19:45:19 GMT
Content-Type: image/gif
Content-Length: 9597
Transfer-Encoding: chunked

Ettercap on pineapple is launched using the command:
ettercap -Tq -F myFilter.ef -i br-lan
One thing to be aware of is that once ettercap is stopped, the Internet Connection Sharing on the pineapple doesn't work; ip_forward in /proc/sys/net/ipv4 needs to be set to 1 again. Something has to be up with the network configuration on the device that is not allowing the traffic to pass back to the clients whose HTML is being modified. On the client there is no evidence of the modification.
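The log above is a useful teaching artifact for the defensive side: the server framed the page as one chunk of 0x48 = 72 bytes (and Content-Length: 72), yet the logged body is longer after the script was inserted, so the chunk-size line no longer matches the data. Any in-path device that rewrites bodies without re-framing leaves exactly this kind of inconsistency, which a proxy or IDS can flag. The following checker is an added example, not code from this thread; the two HTTP responses it parses are constructed to match the page and script shown in the log.

```python
# Added example: flag chunked HTTP/1.1 responses whose body was altered in
# transit without the chunk framing being fixed up. Sample data is constructed
# from the response shown in the thread (72-byte page, chunk size "48").
from typing import Dict, List

CRLF = b"\r\n"

def check_chunked_response(raw: bytes) -> Dict[str, object]:
    """Walk the chunked body; report any chunk whose declared size is not
    followed by CRLF, and a Content-Length that disagrees with the payload."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers: Dict[bytes, bytes] = {}
    for line in head.split(CRLF)[1:]:                 # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    anomalies: List[str] = []
    payload = b""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            anomalies.append("truncated: no chunk-size line")
            break
        size_field = body[pos:eol].split(b";")[0].strip()   # drop extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            anomalies.append(f"non-hex chunk size {size_field!r}")
            break
        pos = eol + 2
        if size == 0:                                  # last-chunk marker
            break
        payload += body[pos:pos + size]
        trailer = body[pos + size:pos + size + 2]
        if trailer != CRLF:                            # data ran past the frame
            anomalies.append(f"chunk declares {size} bytes but no CRLF follows "
                             f"them (got {trailer!r}); body altered without reframing")
            break
        pos += size + 2
    if not anomalies and b"content-length" in headers:
        declared = int(headers[b"content-length"])
        if declared != len(payload):
            anomalies.append(f"Content-Length {declared} != payload {len(payload)}")
    return {"payload": payload, "anomalies": anomalies}

# Constructed samples: the original 72-byte page and the same response after
# a script was inserted after </head> while the "48" chunk size was left alone.
HEADERS = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\n"
           b"Content-Length: 72\r\nTransfer-Encoding: chunked\r\n\r\n")
ORIGINAL_BODY = (b"<html>\n<head>\n</head>\n<body>\n"
                 b"<img src=\"logo_intro.gif\">\n</body>\n</html>\n")
INJECTED = b"<script type=\"text/javascript\">alert('<<<I WAS HERE>>>');</script>"
CLEAN_RESPONSE = HEADERS + b"48\r\n" + ORIGINAL_BODY + b"\r\n0\r\n\r\n"
TAMPERED_RESPONSE = (HEADERS + b"48\r\n"
                     + ORIGINAL_BODY.replace(b"</head>", b"</head>" + INJECTED)
                     + b"\r\n0\r\n\r\n")
```

Running the checker on the clean response yields no anomalies and the 72-byte page; on the tampered one it stops at byte 72 with a framing anomaly, which is the signal to alert on.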
PineDominator Posted August 3, 2012
I am glad you are trying to get this working and love to hear your results:-)
dustbyter Posted August 3, 2012
Awesome! I can inject and modify HTML code now! Darn ettercap!
PineDominator Posted August 3, 2012
> Awesome! I can inject and modify HTML code now! Darn ettercap!
Great news:-D what was the problem?
Whistle Master Posted August 3, 2012 (edited)
I'm interested to know also :) I have a keylogger module sleeping somewhere on my hard drive :P Edited August 3, 2012 by Whistle Master
Darren Kitchen Posted August 4, 2012
> Awesome! I can inject and modify HTML code now! Darn ettercap!
What was the trick?
Mr-Protocol Posted August 4, 2012
> What was the trick?
Also interested in knowing as well, then it can be fixed in firmware. I've had some plans for ettercap.
telot Posted August 4, 2012
:::Rubbing hands together evilly::: I think we're all waiting with bated breath! Now that we have sslstrip, reaver, and soon ettercap working - where else are we taking this little fruit of ours? telot
dustbyter Posted August 4, 2012
Didn't realize that there was this much interest in this area! What I did was pretty straightforward once I got the ettercap command configured correctly. The steps I took are:
1. Wrote an ettercap filter that trashed the Accept-Encoding and modified the HTML to either mess with the images or inject some Javascript. You can get as creative as you'd like in this step.
2. Launched ettercap and configured it to perform a MITM attack on interface br-lan. In my case, I attacked all the clients running through the pineapple.
ettercap -Tq -F a.ef -i br-lan -M ARP:remote // // -P autoadd
I was going to try and write an infusion for it, but it sounds like others are partially there already! Hopefully this helps someone wrap theirs up.
Sebkinne Posted August 4, 2012
Write an infusion for it anyway, no one has a default ettercap module yet. Would be great to add that to the pineapple bar. Best, Sebkinne
dustbyter Posted August 4, 2012
I haven't looked at how the other infusions are coded yet, but given I haven't written one in the past, I'd have to figure out some of the basics first. For example, how can I get control of the app's output to display it, and how can I pass commands to the application as I would if it was on the command line as it's executing, etc. If there is a guide for this somewhere, then I can try it out.
Whistle Master Posted August 4, 2012 (edited)
> Write an infusion for it anyway, no one has a default ettercap module yet. Would be great to add that to the pineapple bar. Best, Sebkinne
Something like this? I'm on it ;) Edited August 4, 2012 by Whistle Master
dustbyter Posted August 4, 2012
Looks pretty sweet Whistle Master! I'll let you wrap it up ;)
Molotof Posted August 4, 2012
All I can say is YUMMY! LOL
PineDominator Posted August 4, 2012
Great job dustbyter:-D
Darren Kitchen Posted August 5, 2012
Cheers all around! Not near a terminal or man page at the moment. Think you could outline the flags used? I was under the impression bridge mode was the right plan of attack, but you seem to be using ARP?
dustbyter Posted August 6, 2012
Darren, the flags used are shown above in the thread. Initially I thought that, given the interfaces were bridged, I didn't have to perform an ARP attack. I spent a good day or two down that path with no luck. Thus I tried to run an ARP attack on the br-lan interface, and this then allowed ettercap to see the traffic. I'll dig up the actual attributes used later and show what each is, if anyone is interested.
dustbyter Posted August 13, 2012
Sorry for the delay in this response. The ettercap command I used was:
ettercap -Tq -F a.ef -i br-lan -M ARP:remote // // -P autoadd
This allowed ettercap to route the traffic through itself and then run the filter code from a.ef. The filter does a short injection when it detects </head>, replacing it with </head><script>alert('JS Injected from Ettercap');</script>
I have not tried to inject any javascript file yet. If someone has already done this, then please share what you have done. Regards.