0

So I have a proxy setup using squid on port 3128.
I also have ettercap setup.

My main goal is to change data as it flows through my proxy.

Basically, you open up www.something.com using my proxy, it displays "lala", and I want to alter "lala" using ettercap, into "lala2" for example.

Any command-line tips to achieve this? This isn't a MITM ARP procedure from what I can tell.

Adrian A.
  • Still haven't found any reliable answer. The `redirect_program` actually refers to URLs and not data that passes through the proxy. – Adrian A. Feb 03 '11 at 07:36

3 Answers

2

If you already have a working proxy where the data flows through, you don't need arpspoof. You have to write a filter for ettercap. A plain text file `replace.filter` containing (port 80 for HTTP):

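```
# Suppress gzipped content: rename the request header so the server replies uncompressed.
# The replacement has the same length as the original header name.
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-DontLoad");
        msg("zapped Accept-Encoding!\n");
    }
}
# tcp.dst == 80 matches client-to-server packets; server responses have tcp.src == 80.
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "searchstring")) {
        replace("searchstring", "replacestring");
    }
}
```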

You can use several filters in one file for different ports. You also have to "compile" your filter in order to work by

```
etterfilter replace.filter -o replace.ef
```

Start ettercap using this filter by issuing

```
ettercap -T -q -F replace.ef -M ARP /<GATEWAY_IP>/ /<TARGET_IP>/
```

BrainWorx

1

In squid.conf, use the redirect_program configuration variable to point at a program/script. In that script, you can mess with the data being passed through however you want. For a fun example, see Upside-Down-Ternet.

DBendit
  • Considering I don't have that much knowledge, I would really need something directly available with ettercap. I just want to replace data. I got it working, I see the filters are running, but the data (even though it shows as being replaced), it's not working – Adrian A. Jan 07 '11 at 20:06

0

What you really need is a proxy that will do the filtering at the application layer. There are modules for Squid that offer this, though a quick search is not showing any that don't require recompiling Squid. Alternatively, you could chain your Squid proxy through a proxy that offers the features you want. It could be as simple as a Perl script using HTTP::Proxy, or another language and library of your choice.

Ettercap really isn't the tool for this, though it could probably be made to work. You'll probably have to muck around with the kernel routing tables to get it to work. Try sniffing your traffic in the current configuration: you may find that Ettercap is retransmitting modified frames without dropping the original ones. Also, make sure you have the latest version of Ettercap. It was recently re-released with lots of bug fixes, and I know at least a few had to do with packet filtering. Latest version is 0.7.4.

bonsaiviking
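
Added example (not part of any answer above, and not code from Squid or Ettercap): the application-layer rewrite the last answer describes, sketched in Python on one complete in-memory HTTP response. It shows what a per-packet `replace()` cannot do when "lala" becomes the longer "lala2": decompress a gzip body and recompute `Content-Length`. The function names and the sample response are constructed for illustration.

```python
import gzip

def header(headers, name):
    """Return the lowercased value of the first header called `name`, or b''."""
    for n, v in headers:
        if n.lower() == name:
            return v.lower()
    return b""

def rewrite_response(raw, old, new):
    """Replace `old` with `new` in the body of one complete HTTP/1.x response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator: response is incomplete")
    status_line, *lines = head.split(b"\r\n")
    headers = [tuple(p.strip() for p in l.partition(b":")[::2]) for l in lines]
    coding = header(headers, b"content-encoding")
    # Pass through anything this sketch cannot safely re-frame.
    if (not header(headers, b"content-type").startswith(b"text/")
            or coding not in (b"", b"identity", b"gzip")
            or b"chunked" in header(headers, b"transfer-encoding")):
        return raw
    if coding == b"gzip":
        body = gzip.decompress(body)      # a packet filter only sees the compressed bytes
    body = body.replace(old, new)
    if coding == b"gzip":
        body = gzip.compress(body)
    out = [status_line]
    for n, v in headers:
        if n.lower() == b"content-length":
            v = str(len(body)).encode()   # body length changed, so the framing must too
        out.append(n + b": " + v)
    return b"\r\n".join(out) + b"\r\n\r\n" + body

def build_sample(compress):
    """Constructed sample response containing the page text 'lala'."""
    page = b"<html><body>lala</body></html>"
    body = gzip.compress(page) if compress else page
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if compress:
        head += b"Content-Encoding: gzip\r\n"
    return head + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body

if __name__ == "__main__":
    for compress in (False, True):
        print(rewrite_response(build_sample(compress), b"lala", b"lala2"))
```

Chunked, non-text and unknown-encoding responses are returned unchanged rather than re-framed incorrectly.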