Skip to content

Docker-based platform for conducting MiTM attacks using Responder, NTLMRelayX, and Empire

Notifications You must be signed in to change notification settings

isaudits/docker-mitm

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

docker-mitm

Docker implementation for man in the middle attacks:

Description

Executes MiTM attacks using responder with options to:

  • Capture credentials
  • Relay and execute a custom command using ntlmrelayx, such as a powershell launcher for a remote shell
  • Spawn an Empire server or meterpreter server and relay the agent command to targets via ntlmrelayx

Based upon attack scenarios described by byt3bl33d3r:

Runtime Notes

Components run inside of tmux windows and must be individually closed via ctrl-c / exit commands. Closing the parent terminal will leave the docker container running in the background. Make sure that you exit out all windows all the way down to your original command shell - If you see the tmux statusbar at the bottom of your command window, keep typing 'exit'!

Running on OSX, the netbiosd service conflicts with listeners on UDP ports 137-138 & 5353 so these ports cannot be exposed from the docker container. This limits the attacks that Responder can leverage. Given the option, you will likely have better results running inside of a Linux VM with bridged networking on top of OSX as opposed to inside of a native OSX docker instance.

Usage

Pull:

docker pull isaudits/mitm

or Build:

./build.sh

Run

./mitm.sh

Options

usage: entrypoint.py [-h] [-d] [-v] [--port PORT]
                     (--capture | --empire | --deathstar | --command ACTION)
                     [host_ip] [target_ip]

Responder / NTLMRelayX automation script with optional Empire / DeathStar
listeners

positional arguments:
  host_ip               Host IP
  target_ip             Target IP / Range / Subnet (nmap format)

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Print lots of debugging statements
  -v, --verbose         Be verbose
  --port PORT, -p PORT  Port for Empire listener (443)
  --capture             Capture credentials only - no relay
  --empire              Start Empire listener as relay target
  --command ACTION      Command to relay to targets

Copyright 2020

Matthew C. Jones, CPA, CISA, OSCP, CCFE

IS Audits & Consulting, LLC - http://www.isaudits.com/

TJS Deemer Dana LLP - http://www.tjsdd.com/


Except as otherwise specified:

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

About

Docker-based platform for conducting MiTM attacks using Responder, NTLMRelayX, and Empire

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published