node-mitm is a lightweight and configurable framework for executing Man-in-the-middle attacks against victim browsers. It does this primarily by poisoning the HTTP response.
Attacks can come in many forms, but they maintain a consistent structure and can be thought of as simply being a payload and exploit pair. Payloads are the vehicle by which exploits get delivered to the client. Exploits are the malicious code/scripts the attacker intends to execute on victim browsers.
One example attack would be a script injection attack. In this scenario, the attacker has an evil script they want deployed to victim browsers so they can take control. One way they could do this is by writing a <script/> tag containing their code into the response, which the browser happily executes on their behalf.
node-mitm is designed to be easily extended without having to modify the core features. This is primarily done by writing middleware and exploits.
Middlewares are configurable functions that generate and deploy payloads to victim browsers at a specified point in the HTTP response's lifecycle. Put another way, payloads can be configured to deploy before, during, or after writing the response back to the victim. Additionally, middlewares allow payloads to be configured with exploits dynamically at runtime. For example, it is possible to configure the script injection middleware with the evil.js exploit and have it deploy after the page renders. More on middleware later. The middleware framework is still undergoing design. See the examples below.
Exploits are functions that execute and mutate the response in some way. The most common exploits are client-side scripts which the attacker wants to deploy to the user's browser. Another example would be a function that transforms markup in some way, like the code found in the gsub middleware.
More to follow...
Currently under development
node-mitm (currently) assumes you have already set up a fake access point/honeypot. If you do not know how to do this, check the resources section for links.
- node.js (and module dependencies)
Fake AP Dependencies
- Backtrack Linux 5r3
- aircrack-ng suite
- wi-fi card with monitor mode enabled
```javascript
// Load the Mitm DSL
var Mitm = require('./dsl/mitm').Mitm;
// Load the script injection middleware
var scriptInjection = require('./middlewares/script_injection').scriptInjection;
// Load the gsub (regex replace) middleware
var gsub = require('./middlewares/gsub').gsub;

// Go!
Mitm.before(scriptInjection("alert")) // Execute the script injection middleware before page load
    .frame(gsub(/cloud/ig, "Ass"))    // Execute the gsub middleware against each frame
    .after(scriptInjection("alert"))  // Execute the script injection middleware after page load
    .start(8000);                     // port to listen on
```
- Josh Deeden (gangster@github)