I am trying to intercept TCP traffic and alter the data in the packet using an ettercap filter.
I am man-in-the-middling communication and have set up the following filter for use with ettercap:
if (search(DATA.data, "\x32\x30\x00\x00\x00\x04")) {
    msg("Message intercepted\n");
    replace("\x32\x30\x00\x00\x00\x04", "\x32\x30\x00\x00\x00\x01");
}
When I send the test message, the mitm works, I get the debug "Message Intercepted" message popping up - meaning that it has found the very specific string in the data, but it is failing to replace the \x04 with \x01 at the end.
I am relatively new to ettercap filters so any help would be much appreciated!
EDIT: Some additional information - the MITM I am attempting involves sending a message to my host running ettercap, and I am using socat to forward this back to the original host. I am wondering if socat is forwarding the original unedited message even though ettercap is editing it correctly? Ettercap is able to drop packets entirely though, so I had thought the packet was getting intercepted by ettercap before it hit socat? I am not sure how else I could perform the packet forwarding without using socat as ettercap is not running on the same subnet as the target and so it fails to find hosts.
ADDITIONAL INFORMATION: I am trying to forward the packet within the filter - I have killed socat and am now using:
if (ip.src == '<IP>') {
    msg("HIT");
    ip.dst = '<IP>';
}
I get the HIT message meaning that it is detecting the packet from the target, however, it is not successfully changing the destination.
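One thing worth checking when a binary pattern is found but the replacement has no visible effect is how the tool treats the embedded NUL bytes (\x00) in the pattern and replacement. The script below is an added illustration, not code from the post and not ettercap's own implementation, and whether ettercap's replace() actually behaves this way is an assumption to verify against its source, not a diagnosis. It shows that if the two 6-byte strings were handled as NUL-terminated C strings, both would collapse to the 2-byte prefix "20": the search would still succeed, and the replacement would replace "20" with "20", which is exactly a no-op. The sample payload is constructed.

```python
# Added illustration (not from the original post): how a binary pattern with
# embedded NUL bytes behaves under length-aware versus NUL-terminated matching.
# ASSUMPTION: whether any real tool (ettercap included) truncates at \x00 must
# be checked against that tool's source; this only models the two behaviours.

PATTERN = b"\x32\x30\x00\x00\x00\x04"        # the post's search string
REPLACEMENT = b"\x32\x30\x00\x00\x00\x01"    # the post's replacement string

# Constructed sample payload: a short prefix, the matched 6-byte sequence,
# and a trailing body. It stands in for the intercepted TCP data.
SAMPLE_PAYLOAD = b"HDR" + PATTERN + b"body-bytes"


def c_string_truncate(data: bytes) -> bytes:
    """Model a NUL-terminated (C string) view: everything from the first \\x00 on is lost."""
    idx = data.find(b"\x00")
    return data if idx < 0 else data[:idx]


def matches_length_aware(payload: bytes, pattern: bytes) -> bool:
    """memmem-style search: the pattern carries an explicit length, NULs included."""
    return pattern in payload


def matches_nul_terminated(payload: bytes, pattern: bytes) -> bool:
    """Same search if the pattern were a C string (truncated at the first NUL)."""
    return c_string_truncate(pattern) in payload


def replace_length_aware(payload: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """Length-aware replacement: both strings are used in full."""
    return payload.replace(pattern, replacement)


def replace_nul_terminated(payload: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """Replacement if both strings were C strings: here both shrink to b'20'."""
    return payload.replace(c_string_truncate(pattern), c_string_truncate(replacement))


def demo() -> dict:
    """Run both models over the constructed payload and report what each produces."""
    return {
        "search_length_aware": matches_length_aware(SAMPLE_PAYLOAD, PATTERN),
        "search_nul_terminated": matches_nul_terminated(SAMPLE_PAYLOAD, PATTERN),
        "replace_length_aware": replace_length_aware(SAMPLE_PAYLOAD, PATTERN, REPLACEMENT),
        "replace_nul_terminated": replace_nul_terminated(SAMPLE_PAYLOAD, PATTERN, REPLACEMENT),
        # equal-length replacement keeps the segment size unchanged
        "length_preserved": len(replace_length_aware(SAMPLE_PAYLOAD, PATTERN, REPLACEMENT))
        == len(SAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Under the NUL-terminated model the search reports a hit and the payload comes back byte-for-byte unchanged, which is the same symptom the post describes; under the length-aware model the trailing \x04 becomes \x01 and the payload length is unchanged. A quick way to tell the two apart in practice is to capture the traffic on the forwarding host and compare the outgoing bytes with the incoming ones, rather than relying on the msg() output alone.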