A man-in-the-middle (MITM) attack occurs when a third party intercepts, inspects, or modifies communication between two parties without their knowledge, allowing credential theft, exposure of sensitive data, or manipulation of messages in transit. This repository provides a controlled simulation of the flow and effects of a MITM.
First we must know which hosts and which IPs are registered on the network. For this we will use host discovery with an ARP scan. We have two common options:
Use the tool already installed on many GNU/Linux distributions (Debian and derivatives):
- Install arp-scan
sudo apt update
sudo apt install -y arp-scan- Usage example:
sudo arp-scan -I <Interface> --localnetDownload and/or use the arpScan.py script attached to this repository, which simulates discovery of devices on the network interface we choose. If we opt for the script, we must ensure the Scapy library is installed.
- Install Scapy
sudo apt update
sudo apt install -y python3-scapy- Quick example running the arpScan.py script
Assuming you have the arpScan.py script and Scapy installed, run (with root permissions to access the interface):
sudo python3 arpScan.py -t 192.168.1.0/24or for a single IP:
sudo python3 arpScan.py -t 192.168.1.10Whether using method 1 or method 2, the device scan on the specified network should display like the following example:
ARP poisoning (ARP spoofing) is a network attack in which an attacker sends false ARP replies to associate their MAC address with another host's IP address (for example, the gateway), thereby deceiving devices on the network.
First, to perform the poisoning (spoofer) it is necessary to update the indicated commands so that, when executed, the victim maintains their browsing connection and the process is not interrupted.
- Allow forwarding in iptables
sudo iptables -P FORWARD ACCEPT- Enable IP forwarding (temporary)
Either of these two is fine (choose one):
- sysctl method (recommended)
sudo sysctl -w net.ipv4.ip_forward=1- Or directly in /proc
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward- (Check:)
cat /proc/sys/net/ipv4/ip_forward
# Should show: 1Next we will select the victim's IP address within the network we want to spoof.
(Note: arpspoof is part of the dsniff package on Debian/Ubuntu.)
- Install arpspoof (dsniff package)
sudo apt update
sudo apt install -y dsniff- Usage example:
sudo arpspoof -i <Interface> -t <VictimIP> -r <RouterIP>Below is an example of how the ARP Spoofer would work on the selected IP:
We will leave this tool running in a window and not close it until the attack is complete. Additionally, another strategy we can use is to carry out poisoning across the entire network. For this, we can use and run the bash script named AllNetwork_Spoof.sh, which will perform poisoning across the whole network. This script automatically operates across IP addresses from 192.168.1.1 to 192.168.1.254. However, if we want to change the IP range, we can edit the bash script. This is only necessary if we want to poison the entire network; if targeting individual hosts, this step can be omitted.
Once the poisoner/spoofer is running independently, we will capture DNS traffic using a network sniffer. This can be done with Wireshark or by running the repository's dns_sniffer.py script in parallel; that script already filters the most relevant fields and applies a junk-word veto during capture to reduce noise.
- Usage example:
python3 dns_sniffer.pyIn this section we will show all DNS domains the victim accesses during their browsing. Below is an example:
Once the poisoner/spoofer is running independently, we will capture HTTP traffic using a network sniffer. This can be done with Wireshark or by running the repository's http_sniffer.py script in parallel; that script already filters the most relevant fields and applies a junk-word veto during capture to reduce noise.
- Usage example:
python3 http_sniffer.pyIn this section we will show all HTTP requests the victim makes during their browsing as well as credentials and unencrypted text. (This only works on HTTP pages without SSL.) Below is an example:
At this point, to execute more advanced attacks based on HTTPS traffic, it is necessary to perform actions with certificates that allow decoding of information that has been encrypted. For this purpose we will use a proxy. To proceed with installing this proxy, it is imperative that the machine has already been compromised. This software can be obtained from www.mitmproxy.org by clicking the binary downloads option, specifically for Linux operating systems.
Once the binary file is downloaded, extract it with:
tar -xf <File_Name>After running that command you will obtain a directory with the tools and scripts. For example, the structure might look like this:
After that we will run the mitmweb file as follows:
./mitmwebThis will establish port 8080 on the attacker's machine to facilitate access from the victim's computer, allowing the certificate to be downloaded and the proxy configured.
Now, we will access the victim machine's settings and adjust the proxy options to use our attacker IP address and port 8080, as shown below:
After setting the proxy on the victim machine, we will open www.mitm.it on that same machine and download the security certificate, as illustrated below, to carry out HTTPS decoding.
Once the download is complete, we will install it, selecting "yes" and "next" to proceed. The only change we will make will be in the following option:
After this certificate has been installed on the target system, we return to our attack machine and run the mitmproxy executable as follows:
./mitmproxyThis will provide an interface for receiving HTTPS traffic, where we can view and decrypt all HTTPS requests made by the victim to any website, including credentials and cleartext access.
This repository and its contents are provided for educational, research, and learning purposes only.
-
The material shown — including scripts, commands, and examples — is intended to demonstrate concepts and techniques in a controlled and authorized environment.
-
Do not use this material to perform illegal, unauthorized, or harmful activities against networks, systems, or people.
The author accepts no responsibility for any damage, loss, misuse, unauthorized access, legal consequences, or incidents that result from the use of this content. By using this material you agree that you do so at your own risk and that you have the necessary permissions to test or run the procedures described here.
- If you plan to practice on a network or device you do not own, obtain explicit written permission from the owner before proceeding.
-
Use isolated lab environments (virtual machines, test networks) for experimentation.
-
Respect applicable laws and your organization’s policies.
-
If you have legal or ethical doubts, consult a qualified professional.
This project was developed by xrl3y.
This project is licensed under the MIT License – see the LICENSE file for details.