ettercap allows you to create a series of filters to find the bytes you want to alter, and then provides a way to easily replace information with whatever you want. Other on-the-fly packet manipulation programs—for example, airpwn—allow the same kind of manipulation. See Chapter 8 for more information on airpwn.
Creating an ettercap filter is pretty straightforward. You decide what data you want to replace and with what. A fun and common scenario is to replace web images with some image of your choosing. In this example, I’m going to replace any image with my own image called OWNED.gif, which is shown in Figure 4-5.
Figure 4-5. This should let the user know that something is different
First of all, let’s make a filter. Fire up your favorite text editor and create a new file called owned.filter:
Now, every time a packet traverses your sniffing machine, the frame containing "img src=" information will be rewritten and the string "image replaced" will appear as output on the console. Now, this is pretty imperfect, since it requires that whoever wrote the web page you’re trying to muck with always writes <img src=someimage> or the like, which is of course not always the case. Many people write <img align="top" height="128" src="foo"> and so forth. Since protocols such as HTML allow you to put many different elements in different order, your filter won’t work on 100 percent of the web pages out there. But at least you have a good idea as to what’s required to write a filter.
Figure 4-6. Now that should get someone's attention!
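The attribute-order point above also matters when checking a page for this kind of in-flight rewriting. The Python sketch below is an added example, not code from the book or from ettercap: it parses the HTML instead of matching a fixed string, and reports every image reference that differs from a baseline copy. It assumes you hold a baseline of the page fetched over a trusted channel; the function names, sample pages and the 198.51.100.7 address are constructed for illustration.

```python
from html.parser import HTMLParser


class ImgSrcCollector(HTMLParser):
    """Collect the src of every <img>, whatever the attribute order, case or quoting."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "img":
            src = next((value for name, value in attrs if name == "src"), None)
            if src is not None:
                self.sources.append(src)


def img_sources(html):
    """Return the image references of a page in document order."""
    parser = ImgSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def rewritten_images(baseline_html, received_html):
    """Return (position, expected, seen) for every image reference that differs."""
    expected = img_sources(baseline_html)
    seen = img_sources(received_html)
    changes = []
    for i in range(max(len(expected), len(seen))):
        want = expected[i] if i < len(expected) else None  # None: image added
        got = seen[i] if i < len(seen) else None            # None: image removed
        if want != got:
            changes.append((i, want, got))
    return changes


# Constructed sample: three images written three different ways.
BASELINE = ('<html><body><img src="logo.png">'
            '<IMG align="top" height="128" SRC=\'photo.jpg\'>'
            '<img alt=x src=icon.gif></body></html>')
# Constructed tampered copy: only the tag a fixed "img src=" match would hit.
RECEIVED = BASELINE.replace('img src="logo.png"',
                            'img src="http://198.51.100.7/OWNED.gif"')

if __name__ == "__main__":
    print("fixed-string matches:", BASELINE.count("img src="))
    for position, want, got in rewritten_images(BASELINE, RECEIVED):
        print(f"image {position}: expected {want!r}, received {got!r}")
```

The fixed string occurs once in the baseline even though the page has three images, which is the gap the paragraph describes; the parser-based comparison sees all three and flags the one that changed.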
As a last footnote to end this chapter, there’s an excellent tutorial about filter writing at http://www.irongeek.com/i.php?page=security/ettercapfilter.