A Man-in-the-middle attack framework built using node.js



node-mitm is a lightweight and configurable framework for executing Man-in-the-middle attacks against victim browsers. It does this primarily by poisoning the HTTP response.

Attacks can come in many forms, but they maintain a consistent structure and can be thought of as simply a payload and exploit pair. Payloads are the vehicle by which exploits get delivered to the client. Exploits are malicious code/scripts the attacker intends to execute on victim browsers.

One example attack would be a script injection attack. In this scenario, the attacker has an evil script they want deployed to victim browsers so they can take control. One way they could do this is by writing a <script/> tag containing their code to the browser, which the browser happily executes on their behalf.
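
From the defender's side, this kind of injection can be spotted by comparing a copy of the page fetched over a trusted path with the copy received on the suspect network. The sketch below is an added example, not part of node-mitm; the function names and the sample HTML are constructed for illustration, and the regex scan is a heuristic rather than a full HTML parser.

```javascript
// Added defensive example: list <script> elements present in an observed
// response but absent from a known-good baseline of the same page.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// One fingerprint per <script>: its src URL, or its whitespace-normalized
// inline body when there is no src attribute.
function extractScripts(html) {
  const found = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = SRC_RE.exec(m[1]);
    if (src) {
      found.push({ kind: 'src', value: src[1] ?? src[2] ?? src[3] });
    } else {
      found.push({ kind: 'inline', value: m[2].replace(/\s+/g, ' ').trim() });
    }
  }
  return found;
}

// Scripts in the observed copy that the baseline does not contain.
function findUnexpectedScripts(baselineHtml, observedHtml) {
  const key = (s) => s.kind + ':' + s.value;
  const known = new Set(extractScripts(baselineHtml).map(key));
  return extractScripts(observedHtml).filter((s) => !known.has(key(s)));
}

// Constructed sample: the page as served by the origin.
const BASELINE =
  '<html><head><script src="/static/app.js"></script></head>' +
  '<body><script>init();</script><p>Status page</p></body></html>';

// Constructed sample: the same page after a proxy added one script before
// the original content and one after it.
const OBSERVED =
  '<html><head><script>alert(1)</script>' +
  '<script src="/static/app.js"></script></head>' +
  '<body><script>init();</script><p>Status page</p>' +
  '<script src="http://injected.example/x.js"></script></body></html>';

for (const s of findUnexpectedScripts(BASELINE, OBSERVED)) {
  console.log('unexpected script (' + s.kind + '): ' + s.value);
}
```

Serving the site over HTTPS with HSTS removes the on-path attacker's ability to rewrite the response in the first place; the comparison above only detects tampering after the fact.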

node-mitm is designed to be easily extended without having to modify the core features. This is primarily done by writing middleware and exploits.

Middlewares are configurable functions that generate and deploy payloads to victim browsers at a specified point in the HTTP response's lifecycle. Put another way, payloads can be configured to deploy before, during, or after writing the response back to the victim. Additionally, middlewares allow for dynamically configuring payloads with exploits at runtime. For example, it is possible to configure the script injection middleware with the evil.js exploit, and have it deploy after the page renders. More on middleware later. The middleware framework is still undergoing design. See examples below.

Exploits are functions that execute and mutate the response in some way. The most common exploits are client-side scripts which the attacker wants to deploy to the user's browser. Another example would be a function that transforms markup in some way, like the code found in the gsub middleware.

More to follow...


  Currently under development



mitm attack premise


node-mitm (currently) assumes you have already set up a fake access point/honeypot. If you do not know how to do this, check the resources section for links.


node.js (and module dependencies)

Fake AP Dependencies

Backtrack Linux 5r3

  • dnsspoof
  • dhcp3-server
  • brctl
  • aircrack-ng suite
  • Wi-Fi card with monitoring enabled

Example Usage

// Load the Mitm DSL
var Mitm = require('./dsl/mitm').Mitm;

// Load the script injection middleware
var scriptInjection = require('./middlewares/script_injection').scriptInjection;

// Load the gsub (regex replace) middleware
var gsub = require('./middlewares/gsub').gsub;

// Go!
Mitm.before(scriptInjection("alert")). // Execute the script injection middleware before page load
     frame(gsub(/cloud/ig,"Ass")).     // Execute the gsub middleware against each frame
     after(scriptInjection("alert")).  // Execute the script injection middleware after page load
     start(8000); // port




  • Josh Deeden (gangster@github)