Universal MITM Web Server: CopyCat

ID N0WHERE:157005
Type n0where
Reporter N0where
Modified 2017-02-07T06:12:55


Universal MITM Web Server

CopyCat is a Node.js-based universal MITM web server. Used with DNS spoofing or another redirect attack, this server will act as a MITM for web traffic between the victim and a real server.

Most often we see DNS spoofing used to redirect victims to an attacker's server hosting a static clone of the spoofed domain's login page. This server instead forwards all traffic between the victim and the spoofed domain, allowing an attacker to sit in as the MITM while the victim interacts with the real domain. This also allows the attacker to inject scripts and manipulate the victim's interactions with the intended web server.

All URLs inside the HTML response from the server are hijacked, causing all traffic to be rerouted back through the server (provided you have a redirect attack for those domains as well).

This is currently only configured to work with fake subdomains of real domains. If the server you are trying to spoof uses HSTS with the includeSubDomains directive, the victim's browser will attempt to upgrade to HTTPS. The option to allow spoofing domains without using a subdomain will be released at a later time.
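The HSTS point above is the main control a site owner can check for. The following added example (not part of CopyCat or the original page) applies the RFC 6797 host-matching rules to decide whether a browser that already holds a given set of HSTS policies would force HTTPS for a fake subdomain. The function names, the `example.com` hosts and the sample header values are constructed for illustration.

```javascript
// Parse a Strict-Transport-Security header value into { maxAge, includeSubDomains }.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of String(value).split(';')) {
    const [rawName, rawVal = ''] = part.split('=');
    const name = rawName.trim().toLowerCase(); // directive names are case-insensitive
    if (name === 'max-age') {
      const v = rawVal.trim().replace(/^"|"$/g, ''); // value may be a quoted string
      if (/^\d+$/.test(v)) policy.maxAge = Number(v);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  // max-age is required, and max-age=0 tells the browser to forget the host.
  return policy.maxAge !== null && policy.maxAge > 0 ? policy : null;
}

// knownPolicies: Map of hostname -> header value that the browser has already
// received over HTTPS (or that ships in a preload list).
// Returns the host whose policy covers `target`, or null if none does.
function hstsCoveringHost(target, knownPolicies) {
  const labels = target.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (!knownPolicies.has(candidate)) continue;
    const policy = parseHsts(knownPolicies.get(candidate));
    if (!policy) continue;
    // An exact match always applies; a parent domain applies only with includeSubDomains.
    if (i === 0 || policy.includeSubDomains) return candidate;
  }
  return null;
}

// Constructed sample policies for the placeholder domain example.com.
const wwwOnly = new Map([['www.example.com', 'max-age=31536000; includeSubDomains']]);
const apex = new Map([['example.com', 'max-age=31536000; includeSubDomains']]);
const apexNoSub = new Map([['example.com', 'max-age=31536000']]);

console.log(hstsCoveringHost('us-west-4.example.com', wwwOnly));   // null
console.log(hstsCoveringHost('us-west-4.example.com', apex));      // 'example.com'
console.log(hstsCoveringHost('us-west-4.example.com', apexNoSub)); // null
```

A policy served only from the `www` host does not cover sibling subdomains, so the header has to be set on the parent domain with `includeSubDomains`, and it only helps browsers that have already seen it or received it through a preload list.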


After download, look at the .env file in the root directory. This is where you set the subdomains to their corresponding real prefixes. The default prefix map is:

  'http://': 'us-west-1',
  'https://': 'us-west-2',
  'http://www.': 'us-west-3',
  'https://www.': 'us-west-4'


Requires Node.js v6+ to run.

$ cd /path/to/repo
$ npm install
$ sudo node server.js

What’s Happening?

The attacker directs the victim to the spoofed domain, for example http://us-west-4.facebook.com. Using DNS spoofing, this request is sent to this server. It recognizes that the pattern "us-west-4" means this should be a request to https://www.facebook.com. A session is either generated or looked up and associated with the request. The server makes a request to that domain. When a response is received, it hijacks any URLs in the HTML to be their spoofed counterpart to ensure those requests are sent back through this server. Any cookies from the real domain are attached to the victim's session to be used with future requests. Security headers are modified or deleted to allow content to render properly. A script is injected into the HTML before responding. This client-side script (public/hijacks.js) overwrites the native XMLHttpRequest.open method to hijack the requested URL. It also traverses the DOM looking for elements which request content and hijacks their URLs in case they were added client side or slipped past the server-side URL hijacking function. The end result is a functioning version of the spoofed domain.

What can I do with it?

This is nothing more than a functioning platform for being a MITM with web requests. The potential to use this with other attacks is there. You completely own this domain and can run whatever arbitrary scripts you’d like, or even inject a BeEF . If they’re going through this server you have complete control of the victim’s experience.
