Jump to content

Mark 4 - Mitm And Manipulate Html For Http Connections?


dustbyter
 Share

Recommended Posts

Hi All,

I'm trying to do some experimentation with the Mark IV in my lab and had the idea of trying to manipulate the HTML for pages that are passing over HTTP.

Any idea's on how to get something like this going? I though of setting up a proxy such as Squid which could have a url_rewrite_rule, but this would mean that one would need to connect to the proxy port that Squid is on.

Is there another way that may be able to do this which I 'm not aware of?

Regards.

Link to comment
Share on other sites

You might want to send a PM to Whistle Master - he has been working on ettercap in the past but ran into some issues as Seb mentioned. I'm sure he'd appreciate a new set of eyes on it.

telot

Link to comment
Share on other sites

Hmm, not sure if my error is the same one that Whistle Master is getting, but it seems that I'm having a hard time getting ettercap to work correctly.

I've created my filter and compiled it. Then when I try to run it, i get an error.

FATAL: MITM attacks can't be used on unconfigured interfaces

What experience have you guys had? Anyone else try to run ettercap on the device?

My hardware is the Mark IV, and i'm using the built in ettercap that is version 0.73.

Link to comment
Share on other sites

I've made some progress.

Part of my issue was that I was setting up ettercap on the wrong interface! Duh!

The command to use is:

ettercap -Tq -F a.ef -i br-lan

My filter is running, but its not actually changing the HTML, this will be tested further, however, when I terminate ettercap, the following error is shown..

ip_forwarding was not disabled, but we cannot re-enable it now.
remember to re-enable it manually

I haven't modified the /etc/ettercap.conf file at all. After getting the above error, then no more traffic flows from the clients and I must reboot the pineapple.

Any idea what I'me missing?

Edited by dustbyter
Link to comment
Share on other sites

I've made some progress, but not quite there yet...

1. Wrote a filter to inject an image into the traffic and it didn't work, so I tried to inject an alert message. The filter has a log(...) message to dump the DATA.data field to a log file. When reviewing the log, it is evident that the modification is present.

HTTP/1.1 200 OK
Connection: close
ETag: "500-48-501c2583"
Last-Modified: Fri, 03 Aug 2012 19:24:51 GMT
Date: Fri, 03 Aug 2012 19:45:19 GMT
Content-Type: text/html
Content-Length: 72
Transfer-Encoding: chunked

48
<html>
<head>
</head>[b]<script type="text/javascript">alert('<<<I WAS HERE>>>');</script>[/b]
<body>
<img src="logo_intro.gif">
</body>
</html>

0

HTTP/1.1 200 OK
Connection: close
ETag: "4ff-257d-501c2825"
Last-Modified: Fri, 03 Aug 2012 19:36:05 GMT
Date: Fri, 03 Aug 2012 19:45:19 GMT
Content-Type: image/gif
Content-Length: 9597
Transfer-Encoding: chunked

Ettercap on pineapple is launched using the command:

ettercap -Tq -F myFilter.ef -i br-lan

One think to be aware of is that once ettercap is stopped, then the Internet Connection Sharing on the pineapple doesn't work, ip_forward in /proc/sys/net/ipv4 needs to be set to 1 again.

Something has to be up with the network configuration on the device that is not allowing the traffic to pass back to the clients whose HTML is being modified. On the client there is no evidence oof the modification.

Link to comment
Share on other sites

:::Rubbing hands together evilly:::

I think we're all waiting with baited breath! Now that we have sslstrip, reaver, and soon ettercap working - where else are we taking this little fruit of ours?

telot

Link to comment
Share on other sites

Didn't realize that there was this much interest in this area!

What I did was pretty straight forward once I got the ettercap command configured correctly.

The steps I took are:

1. Wrote an ettercap filter that trashed the Accept-Encoding and modified the HTML to either mess with the images or inject some Javascript. You can get a creative as you'd like in this step.

2. Launched ettercap and configured it to perform a MITM attack on interface br-lan.

In my case, I attacked all the clients running through the pineapple.

ettercap –Tq –F a.ef –i br-lan –M ARP:remote // // -P autoadd

I was going to try and write an infusion for it, but it sounds like others are partially there already! Hopefully this helps someone wrap theirs up.

Link to comment
Share on other sites

Didn't realize that there was this much interest in this area!

What I did was pretty straight forward once I got the ettercap command configured correctly.

The steps I took are:

1. Wrote an ettercap filter that trashed the Accept-Encoding and modified the HTML to either mess with the images or inject some Javascript. You can get a creative as you'd like in this step.

2. Launched ettercap and configured it to perform a MITM attack on interface br-lan.

In my case, I attacked all the clients running through the pineapple.

ettercap –Tq –F a.ef –i br-lan –M ARP:remote // // -P autoadd

I was going to try and write an infusion for it, but it sounds like others are partially there already! Hopefully this helps someone wrap theirs up.

Write an infusion for it anyway, no one has a default ettercap module yet.

Would be great to add that to the pineapple bar.

Best,

Sebkinne

Link to comment
Share on other sites

I haven't looked at how the other infusions are coded yet, but given I haven't written one in the past, I'd have to figure out some of the basics first.

For example, how can I get control of the app's output to display it, and how can I pass commands to the application as I would if it was on the commandline as it's executing, etc.

If there is a guide for this somewhere, then i can try it out.

Link to comment
Share on other sites

Darren,

The flags used are shown above in the thread.

Initially I thought that given the interfaces were bridged I didn't have to perform an ARP attack. I spent a good day or two down that path with no luck. Thus I tried to run an ARP attack on the br-lan interface, this allowed then ettercap to see the traffic.

I'll dig up later the actual attributes used if anyone is interested to show what each is.

Link to comment
Share on other sites

Sorry for the delay in this response.

The ettercap command i used was:

ettercap -Tq -F a.ef -i br-lan -M ARP:remote // // -P autoadd

This allowed to route the traffic through ettercap and then run the filter code from a.ef.

The filter does a short injection when it detects </head> to inject

&lt;/head&gt;&lt;script&gt;alert('JS Injected from Ettercap');&lt;/script&gt;

I have not tried to injection any javascript file yet. If someone has already done this, then please share what you have done.

Regards.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...