Home arrow Security arrow Page 6 - LAN Reconnaissance

4.5 Manipulating Packet Data - Security

If you're trying to keep your LAN secure, sometimes it helps to think like a cracker. This article shows you how to scout out a LAN, and how malicious hackers get around security. It is excerpted from chapter four of Security Power Tools, written by Bryan Burns et. al. (O'Reilly, 2007; ISBN: 0596009631). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. LAN Reconnaissance
  2. 4.1 Mapping the LAN
  3. 4.2 Using ettercap and arpspoof on a Switched Network
  4. 4.3 Dealing with Static ARP Tables
  5. 4.4 Getting Information from the LAN
  6. 4.5 Manipulating Packet Data
By: O'Reilly Media
Rating: starstarstarstarstar / 5
November 13, 2008

print this article



Sniffing packets is interesting in its own right, but being able to actually change the data inside a packet and send it on its way without the originator’s knowledge is really cool. One of the neatest things ettercap can do is modify data inside a packet on the fly. Since ettercap was designed from the start to act as a man-in-the-middle, it is in a prime location to alter packets passing between two hosts and launch attacks by inspecting and injecting data. So you can do something juvenile such as denying service to a host by sending reset packets into a session or inserting dirty words into someone’s AIM chat. You can launch far more devious and dangerous attacks such as spoof DNS replies and send victims to hosts of your choice. Or inject HTML or JavaScript into web pages and make fun things happen to a client browser.

ettercap allows you to create a series of filters to find the bytes you want to alter, and then provides a way to easily replace information with whatever you want. Other on-the-fly packet manipulation programs—for example, airpwn—allow the same kind of manipulation. See Chapter 8 for more information on airpwn.

Creating an ettercap filter is pretty straightforward. You decide what data you want to replace and with what. A fun and common scenario is to replace web images with some image of your choosing. In this example, I’m going to replace any image with my own image called OWNED.gif, which is shown in Figure 4-5.

Figure 4-5.  This should let the user know that something is different

First of all, let’s make a filter. Fire up your favorite text editor and create a newfile called owned.filter:

  # owned.filter

  if (ip.proto == TCP && tcp.src == 80){
     replace("img src=", "img src="http://skeena/OWNED.gif \ " ");
   msg("image replaced\n");

Then you need to compile the filter using ettercap’s filter compiler called, conveniently enough, etterfilter:

  skeena:~> etterfilter owned.filter -o owned.ef

After running etterfilter, you should see the following output:

  etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
   12 protocol tables loaded:
          DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth

   11 constants loaded:

   Parsing source file 'owned.filter'  done.
   Unfolding the meta-tree  done.
   Converting labels to real offsets  done.
   Writing output to 'owned.ef'  done.
   -> Script encoded into 7 instructions.

OK, so now let’s fire up ettercap and use it to run the filter:

  skeena:~> ettercap –Tq –I eth0 –F owned.ef –M ARP / //

See Figure 4-6 for an example. 

Now, every time a packet traverses your sniffing machine, the frame containingimg src=information will be rewritten and the stringimage replacedwill appear as output on the console. Now, this is pretty imperfect, since it requires that whoever

Figure 4-6.  Now that should get someone's attention!

wrote the web page you’re trying to muck with always writes <img src=someimage>or the like, which is of course not always the case. Many people write
<img align="top" height="128" src="foo">and so forth. Since protocols such as HTML allowyou to put many different elements in different order, your filter won’t work on 100 percent of the web pages out there. But at least you have a good idea as to what’s required to write a filter.

As a last footnote to end this chapter, there’s an excellent tutorial about filter writing at http://www.irongeek.com/i.php?page=security/ettercapfilter

>>> More Security Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: