Man in the Middle Attack — Lab Setup with VirtualBox

The man-in-the-middle (MitM) attack concept has been around for a long time; it dates back as far as 1981, when Dr. Leslie Lamport wrote the paper “Password authentication with insecure communication”.

There are numerous ways a man-in-the-middle attack can be performed, which are outside the scope of this post. However, I find the slide deck from Black Hat 2003 still relevant and fairly interesting.

Since 2003 there have been multiple SSL/TLS attacks, including DROWN, BEAST, CRIME, Heartbleed and POODLE, that made it possible to see through even encryption.

However, creating a lab setup to try out different MitM attack patterns and SSL/TLS attacks is complex. It might require special network equipment such as level 1 hubs, network taps, routers with OpenWRT/DD-WRT and multiple computers to simulate the environment. ARP spoofing in a lab setup to initiate a MitM attack can be simply inefficient. Therefore, the best approach is to virtualize the MitM lab.

It is important to note that this lab setup does not necessarily demonstrate how a MitM attack would happen in practice (during a real attack). However, this technique can be used if an attacker gains shell access to the victim’s machine and can add iptables rules. The sole purpose of this post is to create a MitM lab setup that can be used to test and demonstrate MitM prevention techniques and SSL/TLS attacks.

I will be using VirtualBox throughout the post, but I am sure that a similar setup can be created with any other virtualization software.

Network Setup

Create three virtual machines in VirtualBox. One is used to host applications (server) and the other two are for the victim and the attacker.

VirtualBox VMs

All three virtual machines should connect only to an “Internal Network”. This isolates the lab environment from the external network and the internet.

Network Settings

Once the network setup is done, the virtual machines’ interface configuration (ifconfig) should look similar to the following:

Server (ifconfig). IP address is


Attacker (ifconfig). IP address is


Victim (ifconfig). IP address is


Creating Normal Scenario



Before creating the man-in-the-middle setup, let us create the normal scenario in which the “Victim” actually connects to the application hosted on the “Server”.

  • Create a folder in “Server” at ~/TestServer
  • Create a file named “Test.html” in ~/TestServer with content “Hi”
  • Change directory to ~/TestServer and start a python SimpleHTTPServer with command “python -m SimpleHTTPServer”

Now you have a python HTTP server running at port 8000 of the “Server”.


In the “Victim’s” browser, enter the URL http://<server_ip>:8000/Test.html and observe that we get the expected response.

SimpleHTTPServer Response

Building Victim to Attacker Link


Execute the iptables commands below in the “Victim’s” virtual machine to forward all outbound traffic with destination port 80, 443 and 8000 to the “Attacker’s” IP address (

Using the steps below, start a Python SimpleHTTPServer in the “Attacker’s” virtual machine as well.

  • Create a folder in “Attacker’s” virtual machine at ~/TestServer
  • Create a file named “Test.html” in ~/TestServer with content “Hi from Attacker!”
  • Change directory to ~/TestServer and start a python SimpleHTTPServer with command “python -m SimpleHTTPServer”

Refresh the “Victim’s” browser and observe that instead of the original content “Hi”, we are now getting “Hi from Attacker!”. This is because we have forwarded all the traffic with destination port 8000 to “Attacker’s” IP address.
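
A check for the redirect described above, as an added example that is not from the original post: it reads `iptables-save` output and reports nat-table DNAT/REDIRECT rules in the OUTPUT and PREROUTING chains. It assumes the lab's rules are DNAT rules in the nat table (the post's own commands are not shown on this page); the sample ruleset and the 192.0.2.x address are constructed placeholders.

```shell
#!/bin/sh
# Added example: report nat-table rules that re-point traffic to another host
# or port. Reads `iptables-save` output on stdin.
find_redirects() {
  awk '
    /^\*/ { table = substr($0, 2); next }   # table header: *nat, *filter, ...
    table == "nat" && $1 == "-A" && ($2 == "OUTPUT" || $2 == "PREROUTING") {
      ports = "any"; target = ""; dest = "-"
      for (i = 3; i < NF; i++) {
        if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "--to-destination" || $i == "--to-ports") dest = $(i + 1)
      }
      if (target == "DNAT" || target == "REDIRECT")
        printf "%s %s ports=%s to=%s\n", $2, target, ports, dest
    }
  '
}

# Constructed sample in iptables-save format (address is a placeholder).
sample_rules() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.0.2.20
-A OUTPUT -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.0.2.20
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Live use on a lab VM (needs root): iptables-save | find_redirects
sample_rules | find_redirects
```

An empty result on the “Victim” means no nat rule is rewriting its outbound destinations; any line printed names the chain, the ports affected and where the traffic is being sent.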


Building Attacker to Server Link


In the “Attacker’s” virtual machine, execute the iptables commands below to forward any incoming traffic with destination port 80, 443 or 8000 to the “Server’s” IP address (

Once the above rules are in place, refresh the “Victim’s” browser and observe that we are getting the original response from the “Server”. However, now all the traffic is routed through the “Attacker’s” network interface.


Intercepting Communication

Open up Wireshark in “Attacker’s” virtual machine (you might need to run Wireshark with sudo in order to get the interface list, if group permissions are not properly set). Select “eth0” as the interface and capture communication.

In the screenshot below, you can clearly observe how our iptables rules affect the response flow. The response comes from the server ( ) to the attacker ( and then is sent from the attacker ( to the victim (

Screenshot from 2016-05-20 19:46:56

Future Posts

I will be using this setup in future posts to demonstrate SSL/TLS attacks and discuss man-in-the-middle attack prevention techniques.

4 comments on “Man in the Middle Attack — Lab Setup with VirtualBox”

  1. vhb October 17, 2016 5:09 PM
  2. hacker group October 22, 2016 12:05 PM

    <a href="http://alert('XSS‘);” title=””alert(/xss/)”>

  3. l2r December 5, 2016 6:53 PM

    What OS did you use or install for each VM? I didn’t see any steps or mention of one.

  4. kitty January 17, 2017 8:44 AM

    Can this be applied on IPv6 too? I was trying to lynx the website from victims to the server’s html but it says ‘unable to connect remote host’
