Mark 4 - Mitm And Manipulate Html For Http Connections?


dustbyter

Hi All,

I'm trying to do some experimentation with the Mark IV in my lab and had the idea of trying to manipulate the HTML for pages that are passing over HTTP.

Any ideas on how to get something like this going? I thought of setting up a proxy such as Squid, which could have a url_rewrite_rule, but this would mean that one would need to connect to the proxy port that Squid is on.

Is there another way that may be able to do this which I'm not aware of?

Regards.


You might want to send a PM to Whistle Master - he has been working on ettercap in the past but ran into some issues as Seb mentioned. I'm sure he'd appreciate a new set of eyes on it.

telot


Hmm, not sure if my error is the same one that Whistle Master is getting, but it seems that I'm having a hard time getting ettercap to work correctly.

I've created my filter and compiled it. Then when I try to run it, I get an error.

FATAL: MITM attacks can't be used on unconfigured interfaces

What experience have you guys had? Anyone else try to run ettercap on the device?

My hardware is the Mark IV, and I'm using the built-in ettercap that is version 0.73.


I've made some progress.

Part of my issue was that I was setting up ettercap on the wrong interface! Duh!

The command to use is:

ettercap -Tq -F a.ef -i br-lan

My filter is running, but it's not actually changing the HTML; this will be tested further. However, when I terminate ettercap, the following error is shown:

ip_forwarding was not disabled, but we cannot re-enable it now.
remember to re-enable it manually

I haven't modified the /etc/ettercap.conf file at all. After getting the above error, no more traffic flows from the clients and I must reboot the Pineapple.

Any idea what I'm missing?

Edited by dustbyter

I've made some progress, but not quite there yet...

1. Wrote a filter to inject an image into the traffic and it didn't work, so I tried to inject an alert message. The filter has a log(...) message to dump the DATA.data field to a log file. When reviewing the log, it is evident that the modification is present.

HTTP/1.1 200 OK
Connection: close
ETag: "500-48-501c2583"
Last-Modified: Fri, 03 Aug 2012 19:24:51 GMT
Date: Fri, 03 Aug 2012 19:45:19 GMT
Content-Type: text/html
Content-Length: 72
Transfer-Encoding: chunked

48
<html>
<head>
</head><script type="text/javascript">alert('<<<I WAS HERE>>>');</script>
<body>
<img src="logo_intro.gif">
</body>
</html>

0

HTTP/1.1 200 OK
Connection: close
ETag: "4ff-257d-501c2825"
Last-Modified: Fri, 03 Aug 2012 19:36:05 GMT
Date: Fri, 03 Aug 2012 19:45:19 GMT
Content-Type: image/gif
Content-Length: 9597
Transfer-Encoding: chunked

Ettercap on the Pineapple is launched using the command:

ettercap -Tq -F myFilter.ef -i br-lan

One thing to be aware of is that once ettercap is stopped, the Internet Connection Sharing on the Pineapple doesn't work; ip_forward in /proc/sys/net/ipv4 needs to be set to 1 again.

Something has to be up with the network configuration on the device that is not allowing the traffic to pass back to the clients whose HTML is being modified. On the client there is no evidence of the modification.


:::Rubbing hands together evilly:::

I think we're all waiting with bated breath! Now that we have sslstrip, reaver, and soon ettercap working - where else are we taking this little fruit of ours?

telot


Didn't realize that there was this much interest in this area!

What I did was pretty straightforward once I got the ettercap command configured correctly.

The steps I took are:

1. Wrote an ettercap filter that trashed the Accept-Encoding and modified the HTML to either mess with the images or inject some JavaScript. You can get as creative as you'd like in this step.

2. Launched ettercap and configured it to perform a MITM attack on interface br-lan.

In my case, I attacked all the clients running through the Pineapple.

ettercap -Tq -F a.ef -i br-lan -M ARP:remote // // -P autoadd

I was going to try and write an infusion for it, but it sounds like others are partially there already! Hopefully this helps someone wrap theirs up.


Write an infusion for it anyway, no one has a default ettercap module yet.

Would be great to add that to the Pineapple Bar.

Best,

Sebkinne


I haven't looked at how the other infusions are coded yet, but given I haven't written one in the past, I'd have to figure out some of the basics first.

For example, how can I get control of the app's output to display it, and how can I pass commands to the application as I would if it was on the command line as it's executing, etc.

If there is a guide for this somewhere, then I can try it out.


Darren,

The flags used are shown above in the thread.

Initially I thought that, given the interfaces were bridged, I didn't have to perform an ARP attack. I spent a good day or two down that path with no luck. So I tried to run an ARP attack on the br-lan interface, which then allowed ettercap to see the traffic.

I'll dig up later the actual attributes used if anyone is interested to show what each is.


Sorry for the delay in this response.

The ettercap command I used was:

ettercap -Tq -F a.ef -i br-lan -M ARP:remote // // -P autoadd

This allowed the traffic to be routed through ettercap and then run the filter code from a.ef.

The filter does a short injection when it detects </head>, injecting:

</head><script>alert('JS Injected from Ettercap');</script>

I have not tried to inject any JavaScript file yet. If someone has already done this, then please share what you have done.

Regards.

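Added example (not code from this thread, from ettercap or from the Pineapple project): a defender-side check, in Python, for the kind of modification seen in the captured response earlier in the thread and in the </head> injection described in the post above. A filter that appends bytes to a page in transit usually leaves Content-Length and the chunk-size lines exactly as the server sent them, so a response whose declared lengths no longer agree with its body is a strong indicator of in-path tampering. The sample response is constructed from the capture quoted in this thread; build_response, parse_response and check_framing are this example's own names.

```python
import re

CRLF = b"\r\n"

# Constructed sample: the 72-byte page from the capture in this thread, clean
# and with the filter's <script> appended directly after </head>.
CLEAN_BODY = (b"<html>\n<head>\n</head>\n<body>\n"
              b'<img src="logo_intro.gif">\n</body>\n</html>\n')
INJECT = b'<script type="text/javascript">alert(\'<<<I WAS HERE>>>\');</script>'
TAMPERED_BODY = CLEAN_BODY.replace(b"</head>", b"</head>" + INJECT)

def build_response(body):
    """Wrap a body in the headers from the capture. The framing (Content-Length 72,
    one 0x48-byte chunk) is left as the server sent it, as an in-path filter would."""
    return (b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\n"
            b"Content-Length: 72\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"48\r\n" + body + b"\r\n0\r\n\r\n")

def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body

def check_framing(raw):
    """Return findings; an empty list means the declared lengths match the body."""
    findings = []
    _, headers, body = parse_response(raw)
    payload = b""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        pos = 0
        while True:
            nl = body.find(CRLF, pos)
            size_line = body[pos:nl].split(b";")[0].strip() if nl >= 0 else b""
            if not re.fullmatch(rb"[0-9A-Fa-f]+", size_line):
                findings.append("bad or missing chunk-size line")
                break
            size = int(size_line, 16)
            pos = nl + 2
            if size == 0:
                break
            payload += body[pos:pos + size]
            pos += size
            if body[pos:pos + 2] != CRLF:  # data continues where a CRLF was expected
                findings.append(f"chunk declared 0x{size:x} bytes but data runs past it")
                break
            pos += 2
    else:
        payload = body
    if "content-length" in headers and int(headers["content-length"]) != len(payload):
        findings.append(f"Content-Length {headers['content-length']} != {len(payload)} body bytes")
    return findings
```

Run check_framing over responses captured on the client side of the bridge: the clean capture yields no findings, while the injected one reports the 0x48 chunk running past its declared end.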
