
File substitution in HTTP traffic

Beyond passive traffic sniffing, MiTM attacks offer further possibilities, up to arbitrary code execution on the victim's side. This does not require exploiting any vulnerability, only patience and suitable conditions. The technique in question is file substitution in HTTP traffic.





When conducting a MiTM attack, the attacker routes the victim's traffic through his own machine and can modify packets as he sees fit. So when the victim requests some flashplayer.exe, any other executable file can be substituted (for example, ordinary bindshell code), and once it is launched the attacker naturally gains the ability to execute commands. There is nothing more to elaborate on here; it is all quite simple.



The new version of Intercepter-NG includes file substitution functionality; a demo video can be viewed below. A substitution is configured by adding rules that specify the required template, the number of times the rule should run, and the file to substitute.

As a template, you can specify the extension ".exe" or directly the file name "file123.exe".

If the specified text is present in the GET request, a substitution occurs.
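Seen from the defender's side, as an added example that is not part of the original article or of Intercepter-NG: because a rule fires on a text match in a cleartext GET request and only a set number of times, the same URL ends up served with different bodies, which a log review can surface. The log layout, host names, extension list and shortened hashes below are constructed assumptions.

```python
"""Added example: flag cleartext HTTP executable downloads whose body differs between fetches."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Extensions treated as executable content; an assumed list, extend for your environment.
EXEC_EXT = (".exe", ".msi", ".dll", ".scr")

# Constructed sample records: time, client, method, URL, status, body size, body SHA-256 (shortened).
# The field layout is hypothetical; map it to whatever your proxy or network sensor logs.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.0.11 GET http://dl.example.test/flashplayer.exe 200 1048576 aa11
2024-01-10T09:02:17Z 10.0.0.12 GET http://dl.example.test/flashplayer.exe 200 1048576 aa11
2024-01-10T09:05:40Z 10.0.0.13 GET http://dl.example.test/flashplayer.exe 200 73802 ff99
2024-01-10T09:06:02Z 10.0.0.14 GET https://dl.example.test/setup.exe 200 2097152 bb22
2024-01-10T09:07:30Z 10.0.0.15 GET http://cdn.example.test/logo.png 200 5120 cc33
"""

def parse(log_text):
    """Yield one dict per well-formed record, skipping blank or short lines."""
    keys = ("time", "client", "method", "url", "status", "size", "sha256")
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == len(keys):
            yield dict(zip(keys, parts))

def is_exposed(rec):
    """True for a successful cleartext-HTTP GET of an executable (what a GET-matching rule can hit)."""
    url = urlsplit(rec["url"])
    return (rec["method"] == "GET" and rec["status"] == "200" and url.scheme == "http"
            and url.path.lower().endswith(EXEC_EXT))

def find_inconsistent(log_text):
    """Return {url: [records]} for exposed URLs served with more than one distinct body hash."""
    by_url = defaultdict(list)
    for rec in parse(log_text):
        if is_exposed(rec):
            by_url[rec["url"]].append(rec)
    return {u: recs for u, recs in by_url.items() if len({r["sha256"] for r in recs}) > 1}

def outliers(records):
    """Records whose hash is not the most common one for that URL (candidates for review)."""
    majority = Counter(r["sha256"] for r in records).most_common(1)[0][0]
    return [r for r in records if r["sha256"] != majority]

if __name__ == "__main__":
    for url, recs in find_inconsistent(SAMPLE_LOG).items():
        for r in outliers(recs):
            print(f"{r['time']} {r['client']} got {r['size']} bytes ({r['sha256']}) for {url}")
```

A vendor publishing a new build also changes the hash for a URL, so treat a hit as a lead to compare against the vendor's published digest rather than as proof of tampering.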


What's new:

In version 0.9.4, in addition to the file substitution function, IPv6 support has been added. Data processing speed has also increased several times over.



The console version has gained a raw mode.




Recently, the console version of Intercepter-NG has become part of the BackTrack distribution (apt-get install intercepter-ng).



It was decided to abandon the readme file; all project information will be located on the project's own wiki page.



Source: https://habr.com/ru/post/149137/


