Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

Manipulate HTTP responses #627

Open joostbijl opened 9 years ago

joostbijl commented 9 years ago

Hi,

I'm running ettercap in bridge mode. I've configured the dns_spoof module to respond to a list of malicious domains with 127.0.0.1, effectively blocking them at the DNS level.

I would like to do the same for HTTP URL patterns. If a host requests a malicious URL, it should get a static error page saying access was denied. I would like to have a configuration file with malicious patterns.

What would be the best way to do this?

Many thanks!

LocutusOfBorg commented 9 years ago

I don't know the best way, but I think the plugin is the easiest one :)

Also etterfilter is feasible, although you have some constraints about the packet length you have to inject (I'm not sure you can change the payload length when injecting packets).

I personally would go for a plugin, what do you think @koeppea?

joostbijl commented 9 years ago

Let's see what @koeppea thinks :) I take it that no one has done this before? I think it would make a terrific blocker for malicious http traffic. Especially if you add User-Agent policies to the mix.

koeppea commented 9 years ago

I think we shouldn't try to turn Ettercap into something it's not supposed to be by nature. What you want is typically a functionality of a web filter or proxy. This is not what Ettercap is designed for. However, etterfilter is capable of doing that. You'd just need a little program that generates the response packet and the appropriate TCP states. The filter could look like:

# match client-to-server HTTP requests whose payload hits the pattern
if (tcp.dst == 80 && regex(DATA.data, "regex")) {
    # log() takes (what, where): dump the matching payload to a file
    log(DATA.data, "/tmp/bad-http");
    # drop the original request so it never reaches the server
    drop();
    # run the external program and inject its stdout as payload
    execinject("/usr/local/bin/redirector /tmp/bad-http");
    msg("bad HTTP requested ");
}

To just filter the connections based on the URL pattern matching, you can just kill() instead of log(), drop() and execinject().

joostbijl commented 9 years ago

Hi @koeppea, thanks for your reply. This is useful, but it will only replace the contents of the packet. I want to forge a response packet to the client, similar to dns_spoof. Is this possible with etterfilter? Or should I code a plugin?

koeppea commented 9 years ago

Forging the response packet from the dumped packet was the purpose of the external program "redirector".

However doing it as a plugin would most probably require some changes in Ettercap to send/create the response packet.

I could think of a new etterfilter command "reply" which would be like inject, just in the opposite direction. What do you think about that?
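
As an added example (not code from this issue or from the Ettercap project), here is what the "little program" koeppea describes could look like: a helper that reads the request etterfilter dumped with log(), checks it against a pattern file like the one joostbijl asked for, and prints a static error-page response for execinject() to use as payload. The path /usr/local/bin/redirector is the one used in the filter above; the pattern-file path and format, the page content and the sample request are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Hypothetical 'redirector' helper for the etterfilter rule in this thread
(added example, not Ettercap code).

etterfilter dumps the matching request with log(DATA.data, "/tmp/bad-http") and
then runs this script via execinject(); whatever the script writes to stdout
becomes the injected payload. The pattern-file format and its default path are
assumptions made for this example."""
import re
import sys

DEFAULT_PATTERN_FILE = "/etc/redirector.patterns"  # assumed location, not an Ettercap path

# Static page returned for every blocked URL (constructed content).
STATIC_PAGE = (b"<html><body><h1>403 Forbidden</h1>"
               b"<p>Access to this site is denied by policy.</p></body></html>")


def load_patterns(text):
    """Parse the pattern file: one regular expression per line; '#' comments and blank lines are ignored."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def parse_request(raw):
    """Return (method, host, target) from a raw HTTP/1.x request, or None if it is not one."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = ""
    for header in lines[1:]:
        name, sep, value = header.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            break
    return parts[0].decode("latin-1"), host, parts[1].decode("latin-1")


def is_blocked(patterns, host, target):
    """Match the patterns against host + path, e.g. 'www.example.com/evil-path/x'."""
    url = host + target
    return any(p.search(url) for p in patterns)


def build_response(page, status="403 Forbidden"):
    """Minimal HTTP/1.1 response; Connection: close tells the client not to wait for more data."""
    headers = ("HTTP/1.1 %s\r\n"
               "Content-Type: text/html; charset=utf-8\r\n"
               "Content-Length: %d\r\n"
               "Connection: close\r\n\r\n" % (status, len(page)))
    return headers.encode("ascii") + page


def decide(raw, patterns):
    """Return the response bytes to inject if the request is blocked, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    _method, host, target = parsed
    if is_blocked(patterns, host, target):
        return build_response(STATIC_PAGE)
    return None


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Called by etterfilter: argv[1] is the file written by log(). This assumes the
        # file holds a single request; if log() appends, truncate it between hits.
        with open(sys.argv[1], "rb") as f:
            raw = f.read()
        with open(sys.argv[2] if len(sys.argv) > 2 else DEFAULT_PATTERN_FILE) as f:
            pattern_text = f.read()
    else:
        # Stand-alone run on a constructed request and pattern list.
        raw = b"GET /evil-path/x HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
        pattern_text = "# blocked URL patterns, one regex per line\nmalware\\.example\\.com/\n/evil-path\n"
    response = decide(raw, load_patterns(pattern_text))
    if response is not None:
        sys.stdout.buffer.write(response)
```

The helper only produces the payload bytes. As the rest of the thread points out, getting a forged response back to the client, in the opposite direction and with sequence numbers the client will accept, is the part that would need the proposed reply command, and the payload-length constraint LocutusOfBorg mentioned still applies. Connection: close is set so that a client which does accept the page does not sit waiting on a connection whose TCP state the filter has disturbed.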

joostbijl commented 9 years ago

I think a reply command would be great, particularly if it can be from a script that's fed the matching data!

It would have to take into account the right sequence numbers for the receiving host to accept the packet. I can imagine this to be a little harder than spoofing DNS in udp?

Can you use the httpdissector output in etterfilter? Or is the dissector only used to print credentials?

Joost

On Tue, Nov 25, 2014, 18:41 Alexander Köppe notifications@github.com wrote:

> I could think of a new etterfilter command "reply" which would be like inject just in the opposite direction.

koeppea commented 9 years ago

Yes, it's not that easy. Specifically, the TCP socket will run out of sync, so that the 3-way teardown handshake cannot succeed.

joostbijl commented 9 years ago

Can't you send an RST packet with "Location: http://redirect.content" as content?

koeppea commented 9 years ago

An etterfilter command would be more generic. The TCP payload would have to be provided by the script creator.

The approach with the RST needs to be tested as it's usually an uncommon situation.

cabelito commented 6 years ago

A reply command would be great.