Hands-On Penetration Testing on Windows

Ettercap filters – fine-tuning your analysis

We've seen just how powerful Ettercap can be out of the box. Where Ettercap really shines is its content filtering engine and its ability to interpret custom scripts. Ettercap makes man-in-the-middle attacks a no-brainer; however, with filters, we can turn a Kali box running Ettercap into, for instance, an IDS. Imagine the combined power of our bridged sniffing attack and custom filters designed to interpret packets and take action on them: dropping them, and even modifying them in transit.

Let's take a look at a basic example to whet our appetite. You may immediately notice the C-like syntax and the similarity to Wireshark display filters. There's a lot of conceptual overlap here; you'll find that analysis of patterns with Wireshark can yield some powerful Ettercap filters:

if (ip.proto == TCP) {
    if (tcp.src == 80 || tcp.dst == 80) {
        msg("HTTP traffic detected.\n");
    }
}

Translated into plain English, this says: test whether the IP protocol is TCP; if so, run a second test to see whether the source port is 80 or the destination port is 80; if either is true, display the message HTTP traffic detected to the user. This is an example of nested if statements, with each block enclosed in curly braces.

Let's take a look at an ability that should intrigue the Scapy/Python part of your brain:

if (ip.proto == TCP) {
    if (tcp.dst == 12345) {
        msg("Port 12345 pattern matched, executing script.\n");
        exec("./12345_exec");
    }
}

In this sample, we're testing for any TCP packet destined for port 12345. If such a packet is seen, we alert the user that an executable is being triggered, and the filter then launches 12345_exec. We could write a Python script (and yes, import Scapy to craft packets) that is triggered whenever a condition is met in Ettercap.
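To show the IDS idea from the start of this section in a single filter, here is an added example that is not from the book: it combines the msg(), log(), drop() and exec() actions on an assumed cleartext-protocol policy (Telnet on port 23, a constructed signature string, and an assumed alert script path).

```etterfilter
# ids_demo.ecf -- added example, not from the book.
# Compile:  etterfilter ids_demo.ecf -o ids_demo.ef
# Load:     ettercap -T -q -F ids_demo.ef ...   (with whatever sniffing mode is in use)

# Policy check: cleartext Telnet on the segment is a finding, not something to block.
# Keep a copy of the payload so an analyst can review what was sent in the clear.
if (ip.proto == TCP && (tcp.src == 23 || tcp.dst == 23)) {
    msg("ALERT: cleartext Telnet session observed.\n");
    log(DATA.data, "/tmp/telnet_payload.log");   # assumed path
}

# Signature check: "EVIL-TEST-STRING" is a constructed marker standing in for a
# real signature. Matching packets are logged, dropped in transit, and an
# external alerting script (assumed to exist) is launched, as with 12345_exec.
if (ip.proto == TCP && search(DATA.data, "EVIL-TEST-STRING")) {
    msg("ALERT: signature matched, dropping packet.\n");
    log(DATA.data, "/tmp/signature_hits.log");    # assumed path
    drop();
    exec("./notify_soc");                          # assumed script
}
```

search() looks at one packet's payload at a time, so a string split across two TCP segments will not match; that is the main limit of using a per-packet filter as an IDS.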