Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

MitM SMTP injection #946

Open StefaniakD opened 5 years ago

StefaniakD commented 5 years ago

Hi!

I am trying to use ettercap as MitM with ARP spoofing, to inject a big amount of data (>10kB) into a mail (TCP, SMTP connection). This much data will clearly not fit in one packet, and this is a problem.

The filter is correctly identifying the desired packet (the SMTP packet with the mail itself), and then, using the replace function, replacing some predefined string with long strings of base64 encoded data.

In Wireshark I can see that the packet that has been matched by the filter is correctly substituted and sent, then a second packet is being sent (I guess it's being generated by ettercap), however after that ettercap exits with Segmentation Fault... The last thing I see before ettercap crashes is an ACK from the mailserver.

[image: Wireshark packet capture]

In the packet capture above, packets 38, 39, 40 are the packets containing the "original" email; the filter is matching the first (38) as it contains the keyword "Subject: *", and therefore substituting strings "1czesc", "2czesc", ..., "5czesc" with a total of 7700 characters. After that two ettercap-created packets are sent (41 and 42). Then the ACK packet is coming back from the server, with seq# of both 41 and 42. The injected message did not fit in those two packets sent by ettercap.

The code is simply two if statements to detect the SMTP packet carrying the data, and 5 replace functions one after another. In the code below I omitted most of the gibberish; together in those 5 functions I am inserting almost 8000 characters.

if (ip.proto == TCP && tcp.dst == 25) {
    if (regex(DATA.data, "Subject: *")) {
        replace("1czesc", "iVBORw0KGgoAAAANSUhEUgAAAoAAAAHgCAMAAAAC...");
        replace("2czesc", "ydDtTY1ltNxDP9r2rN0MQsCkI/lyzzN14XtuVzduNdr4m8...");
        replace("3czesc", "EKIAAC/h355TEoLfzLlS+YjEYFcRwBS/JFktFgSOwjSHh7...");
        replace("4czesc", "vxrUrCtdGMVa+/5EUyLzGrgZ3/zY9GfDSpcC6XZ+mo9...");
        replace("5czesc", "/zZs+yBDdc8RjlwTLQQ8xL/svNpZab8Og6VWWGA1jM...");
    }
}

I get the Segmentation Fault error regardless of how big the argument of each replace function is. I have tried injecting those ~7700 chars all with 1 replace, with 5 replaces, with 20 replaces, every time getting the same error.

Is it possible to achieve that kind of injection? If so, what am I doing wrong, or how should I approach the issue? Is ettercap capable of injecting so much data, that it requires segmentation and creation of additional packets?

Any input will be highly appreciated.
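The symptom in the capture above (a server ACK that covers bytes the client itself never put on the wire) is also the simplest way for a defender to spot in-transit payload growth. The following is an added example and is not code from this issue or from the Ettercap project: it audits a list of constructed TCP segments from a capture that sees both the client's original segments and the server's acknowledgements (the vantage point of the interposing host described in the report), and reports how many acknowledged bytes the client never sent. The `Segment` class, the field names and the sequence numbers are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Segment:
    """One TCP segment as seen by a capture; labels and numbers are constructed."""
    sender: str        # "client" or "server"
    seq: int           # sequence number of the first payload byte
    ack: int           # acknowledgement number carried by the segment
    payload_len: int   # bytes of TCP payload (0 for a pure ACK)


def audit_client_stream(segments: List[Segment], client_isn: int) -> Dict[str, object]:
    """Compare the bytes the client really transmitted with what the server acknowledges.

    Assumes the capture sees the client's original segments and the server's
    unmodified ACKs. An ACK that runs past the client's next sequence number
    means bytes were added to the stream somewhere between the two hosts.
    """
    next_seq = client_isn + 1   # the SYN consumed one sequence number
    max_ack = 0
    anomalies: List[str] = []
    for i, s in enumerate(segments):
        if s.sender == "client":
            if s.seq > next_seq:
                anomalies.append(f"segment {i}: gap, client seq {s.seq} > expected {next_seq}")
            # Retransmits (seq < next_seq) are ignored; only new bytes advance next_seq.
            next_seq = max(next_seq, s.seq + s.payload_len)
        elif s.sender == "server":
            max_ack = max(max_ack, s.ack)
            if s.ack > next_seq:
                anomalies.append(
                    f"segment {i}: server ACK {s.ack} acknowledges "
                    f"{s.ack - next_seq} bytes the client never sent"
                )
    return {
        "client_next_seq": next_seq,
        "max_acked": max_ack,
        "excess": max(0, max_ack - next_seq),
        "anomalies": anomalies,
    }


# Constructed sample: the client's ISN is 1000, the server's is 5000.
CLIENT_ISN = 1000

# A normal SMTP DATA phase: three client segments, then the server's ACK.
NORMAL_STREAM = [
    Segment("client", 1001, 5001, 1460),
    Segment("client", 2461, 5001, 1460),
    Segment("client", 3921, 5001, 500),
    Segment("server", 5001, 4421, 0),
]

# Same client behaviour, but 7700 bytes were added to the stream in transit,
# so the server's ACK runs 7700 bytes past what the client actually sent.
INJECTED_STREAM = [
    Segment("client", 1001, 5001, 1460),
    Segment("client", 2461, 5001, 1460),
    Segment("client", 3921, 5001, 500),
    Segment("server", 5001, 12121, 0),
]


if __name__ == "__main__":
    for name, stream in (("normal", NORMAL_STREAM), ("injected", INJECTED_STREAM)):
        result = audit_client_stream(stream, CLIENT_ISN)
        print(name, result["excess"], result["anomalies"])
```

A tool that also rewrites the acknowledgement numbers it forwards to the client would hide the mismatch from a capture taken on the client alone; in that case the same function can be run over a client-side and a server-side capture separately and the two `client_next_seq` values compared.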

koeppea commented 5 years ago

First of all the issue must be reproducible. As far as I understood the scenario, it would basically be the same as injecting HTML code exceeding one packet.

However, the first thing always to be checked before reproducing: Is the issue reproducible with the latest code from Github?

Please answer this question first.

StefaniakD commented 5 years ago

Hi again, thanks for the reply!

I am using ettercap installed with apt-get, version 0.8.2. I am not sure how to determine if the issue is reproducible. I am using a normal topology of 3 PCs, two of them (SMTP client and MitM) connected to a switch, the switch and the 3rd PC connected with a router.

I am using a script to generate a filter file with the message to inject, compile it and run ettercap.

Could you please specify what is needed to reproduce the issue?

Is it possible at all to achieve such a big injection? So let's say, if the SMTP client sends a 2-packet mail, is ettercap capable of adding a big amount of data to make it, let's say, a 5-packet mail, without breaking the TCP connection? Injecting big data into an HTML connection is also something I would test next.

koeppea commented 5 years ago

With reproduce I mean, describe a procedure which I can follow to reproduce the issue. Nevertheless, please try to reproduce the issue yourself using the latest code base from Github. The following procedure should somewhat work:

You need to purge ettercap first: apt-get purge ettercap. Then you need to install the following dependencies to build ettercap from source (extracted from the README):

apt-get install build-essential git
apt-get install debhelper bison check cmake flex ghostscript libbsd-dev \
      libcurl4-openssl-dev libgeoip-dev libltdl-dev libluajit-5.1-dev \
      libncurses5-dev libnet1-dev libpcap-dev libpcre3-dev libssl-dev \
      libgtk-3-dev libgtk2.0-dev 

Then you need to clone the Ettercap repository:

git clone https://github.com/Ettercap/ettercap
cd ettercap

Then create a build directory and build and install ettercap:

mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Debug ..
make
sudo make install

Now try to reproduce the issue with this version of Ettercap.

koeppea commented 5 years ago

@StefaniakD any update?

xiaokugua250 commented 4 years ago

Hi, I'm new to Ettercap, and I want to know: is it possible for ettercap to modify an SMTP packet or achieve a MitM SMTP modification? For example: "I send an email which is from a to b and the content is "hello"; now I want to modify the SMTP email to be from c to b and the content is "how are you"." And how to achieve that, like:

if (ip.proto == TCP && tcp.dst == 25) {
    if (regex(DATA.data, "Subject: *")) {
        replace("a", "c...");
        replace("hello", "how are you.");
    }
}

koeppea commented 4 years ago

Exactly like this. Normally increasing the packet length with a filter is not a problem, however we have had a case reported where an excessively long replacement leads to a crash. This is still under investigation.

So try to write a filter, compile it with etterfilter, load your filter in ettercap and make the desired traffic flow through ettercap.

xiaokugua250 commented 4 years ago

OK, I will try it myself, thank you.