Setting up a man-in-the-middle device with Raspberry Pi, Part 1

I recently purchased that most marvelous of devices the Raspberry Pi and naturally my thoughts turned to the nefarious given its cheap price and small package. I decided to attempt to create a man-in-the-middle device that could be discreetly attached to a remote network and could redirect and sniff traffic. I’m only a very novice Linux user so it took a bit of learning to wrangle man pages as well as some intrepid Google-fu, but I’m going to document how I was able to turn this tiny device into an evil packet-sniffing machine.

For those who don’t know, a man-in-the-middle attack involves secretly becoming an intermediary in the communication between two parties; each thinks they are talking to the other when in fact they are both talking to the attacker. The attacker can choose to pass the information along unmodified (simply observing the communication) or may choose to modify parts of the communication for their own evil ends. The Wikipedia article gives examples and also proposes counter-measures. The most widely used counter-measure currently in place is the use of SSL/TLS to verify the other party in a communication. TLS, however, relies on a public key infrastructure, and there have already been examples of hackers breaking into certificate authorities and issuing fraudulent certificates so as to perform man-in-the-middle attacks on HTTPS sessions. Hacking a CA is beyond the scope of this article and we will restrict ourselves to performing a MITM attack on HTTP traffic :).

The Raspberry Pi comes in two flavors, Model A and Model B. For the purposes of this article I’ll be using a Model B since it has an Ethernet port; the Model A, while $15 cheaper, doesn’t have any built-in networking. Since our plan is to surreptitiously plug our Pi into our victim network, we’ll need a physical Ethernet port. We’ll also need an SD card of at least 4 GB (these are pretty cheap).

The regular install on a Raspberry Pi is NOOBS (new out-of-box software) and contains several pre-packaged operating systems. However, for the purpose of our MITM device we’ll be using a different Linux distro for our Pi: PwnPi. PwnPi is a distribution of the Raspbian OS that contains many pre-installed packages for security and penetration testing, which is naturally right up our alley. So, go ahead and download PwnPi. Once it’s downloaded we’ll need to load it onto our SD card. First, format your SD card using the SD card formatter from the SD Association. If the “size” value shown in the formatter is less than the size of your card, be sure to choose “format size adjustment” in the card.


Once your card is formatted and you’ve downloaded PwnPi, extract it using a tool like 7-Zip. The result should be a .img file. We can now use a tool like Win32DiskImager to write the PwnPi image onto our SD card. For some reason Win32DiskImager always crashes on me when I click the folder icon to search for a file, so I had to manually type in the path to my PwnPi image. Once you’ve selected the image, go ahead and write it to your SD card.


Now, you would expect that we could plug this SD card into our Pi and boot. But attempting this will lead only to frustration, because PwnPi doesn’t support Model B Pis: the boot firmware in the PwnPi image is extremely out of date. We can, however, download the latest Pi firmware and replace the necessary files on our SD card to get the boot to work. These files can be found here. I’ve cached them all and you can download them directly from this site. The PwnPi image contains two partitions: a FAT partition used to boot and a Linux-formatted partition that contains the OS. Thankfully Windows supports reading the FAT partition we need to modify; if you navigate to the SD card after writing the PwnPi image it should look merely like a 55.9 MB FAT partition with a few files in it.


Replace the files on the card with the files from the latest Pi firmware. Once you’ve done this your Pi Model B should successfully boot PwnPi.


A note about the Raspberry Pi: if you have a keyboard and mouse plugged in (which you should) the Pi often takes more power than a standard AC adapter can provide. I’m using a powered USB hub to ensure that all of my peripherals work. However, the default PwnPi image is pretty out of date and may not support your USB mouse/keyboard (it didn’t support mine, for example). Even if it does, it’s a good idea to update our Pi to the latest versions of software. Before we can do this however, we need to expand the file system to encompass our entire SD card. The .img we wrote to our SD card constituted a bit-by-bit image of the file system; unfortunately this included a minimally sized data partition. We need to expand this partition. To do this, start the Raspberry Pi Software Configuration Tool by entering the following at console:

The first choice should be “Expand filesystem”, which is what we want. Press enter and follow the prompts. Reboot when asked to. When the Pi has rebooted, we can now begin the process of updating its software. Enter Aptitude, the package management system on the Pi by entering the following:

Once in Aptitude, press the ‘u’ key to get the list of latest updates available. The Pi will update the latest list of packages from the Raspbian sources. When it’s finally finished updating there should be a large number of packages available for update (as of this writing 371 were available from a fresh install of PwnPi). Select “Upgradable Packages” and press the ‘+’ key. This will select all upgradable packages for installation. Press the ‘g’ key to view what packages will be installed and press ‘g’ again to begin downloading and installing. Wait a bit (for various definitions of bit) for all packages to finish downloading and installing. When it’s all said and done you will be prompted to press return to continue. This will bring you back into Aptitude, from which pressing ‘q’ will quit. The updates we installed included a new kernel which requires a reboot, so go ahead and do this at the console.

We’ve almost finished getting our Pi into a workable state. If you’re like me though and reside in the United States you will soon notice that the keyboard layout of the Pi doesn’t match what you would expect. This is because the Pi is set up by default to use the British keyboard layout. To change this, we first need to configure our locale. Do this by entering the following:

Use the arrow keys to scroll down to “en_GB.UTF-8 UTF-8”. Press space to deselect this. Then, scroll down and select “en_US.UTF-8 UTF-8”. Press tab to select OK and press enter. You will then be asked to select the default locale for the system. Change the selection from “None” to “en_US.UTF-8 UTF-8”, and then press tab to select OK and press enter. A new locale will be generated on exit. Now we need to change our keyboard layout. Enter the following:

Press enter on “Generic 105-key (Intl) PC”. On the next screen scroll all the way down to “Other” and press enter. Then, select “English (US)” and press enter. On the next screen scroll all the way to the top and select “English (US)” again. Select “The default for the keyboard layout”, “No compose key”, and “No” on the subsequent screens. Finally, do a reboot for everything to take full effect.

Once the Pi has rebooted we can finally start being evil! Start up the graphical user interface by entering the following:

We can confirm that our keyboard layout is correct by right-clicking and going to Applications->accessories->Notepad. If Shift-2 produces an ‘@’ then everything is good! If you’re feeling adventurous, explore the “PwnPi” menu to see all of the tools available to us.

We’ll be using a tool called mitmproxy to perform the actual man-in-the-middle attack. mitmproxy is a powerful tool that can capture and display all HTTP traffic when performing a MITM. It also has a Python library named libmproxy which we can use to script our attack. Unfortunately mitmproxy isn’t pre-installed on PwnPi, but we can fix this! First we need to install pip, which is a tool for installing and managing Python packages. We can do this by right-clicking, opening a Terminal, and executing the following:

Once pip is installed we need to install a few prerequisites before mitmproxy will work.

These packages are needed because we will be compiling mitmproxy as well as its dependent packages from source. Once they’ve been installed we can download, compile, and install mitmproxy.

Note: this may take a very long (30 minutes+) time. Specifically, compiling libxml2 from source on a Raspberry Pi is quite a taxing task. Eventually pip and mitmproxy will be ready to be used! First though we need to insert our Pi between our victim computer and the rest of the internet. To do this we’ll need to know the victim’s IP address on the network and the IP address of the default gateway it uses to talk to the rest of the world (this is usually the local router). Once we have these, we’ll use a technique called ARP spoofing to fool the victim into thinking our Pi actually holds the IP address of the gateway. Likewise we’ll fool the gateway into thinking the Pi holds the IP address of the victim. In this manner we can insert ourselves between the victim and the gateway and intercept and modify all traffic.

For demonstration purposes I’ll be attacking a laptop running Windows 7 on my home network. For those who don’t know, ARP is the protocol used to resolve MAC addresses (the unique physical address every Ethernet controller has) to logical IP addresses. When a device first enters an Ethernet network, it has no idea how to talk to any given IP address. So, it sends broadcast messages asking which MAC address owns which IP addresses. We’ll be sending fraudulent ARP responses to make our victims think we have IP addresses we really do not. To see the current values in our local ARP table, we run the following in a command prompt on Windows:


The IP address of my laptop is with a default gateway of The left column shows the logical IP address and the right column shows the MAC address that each IP corresponds to. Now, on our Pi let’s trick the victim into thinking we hold Open a terminal on the Pi and enter

Obviously you’ll need to replace the brackets with whatever IPs you’re attacking. You’ll need to run each of the above commands in a separate terminal and keep them running — we need to constantly keep the charade up lest the victim revert back to the correct MAC->IP mapping. Let’s recheck the ARP table on our target now.



We see now that the victim thinks that the gateway has the same MAC address as our Raspberry Pi. Consequently, any requests that would go to the gateway will actually get sent to our Pi. As of now though our victim has no internet connectivity — all requests are being forwarded to the Pi but the Pi is not doing anything with them. So, we need to set up our Pi to transparently forward (and perhaps modify) these requests.

mitmproxy has two modes of operation. The first is a regular proxy mode where it acts like a regular HTTP proxy; unfortunately, for this to work we would need to configure the proxy on the victim computer. However, it also has a “transparent” mode, which is what we’ll use. In transparent mode, it fakes an HTTP server on port 8080 (by default). But all of the traffic from our victim is coming into the Pi on the default HTTP port (80). To fix this, we need to tell Linux to redirect all traffic from port 80 to port 8080. To do this, enter the following:

Incoming HTTP traffic should now be forwarded to mitmproxy. Now all we have to do is actually start mitmproxy. This is done simply by executing:

Now let’s go to a website on our victim computer, say If all goes well the page should load. We should also see some interesting output on mitmproxy.


mitmproxy is showing us all of the HTTP traffic as it passes through the proxy. Our victim asks what it thinks is the router (but is really the Pi) for Our Pi then connects to, fetches the result, and returns it to the victim. Let’s tell mitmproxy to intercept the response from When mitmproxy intercepts a request or response it does not immediately forward it but gives us a chance to edit it. Press the ‘i’ key to set an intercept filter and then type

This tells mitmproxy to intercept all responses from that are the result of the “/” (root) page. Now, if we navigate to on our victim computer, we’ll notice that the page won’t load. If we look at mitmproxy we’ll see there’s an orange-highlighted response. This has been intercepted and is awaiting our approval to send on.



We can use the arrow keys to scroll down and select this intercepted response. By pressing enter on it we can inspect it closer. Press tab to switch to the response (it currently is showing us the request).


This response is an HTTP/200 OK response (the normal response when a web server returns a page). We’re going to modify this into an HTTP/302 Found response, which will redirect the user to a different page. Now, press ‘e’ to edit this response. Then, press ‘c’ to change the code, and change it to 302. Then, press ‘e’ again to edit and press ‘h’ to edit the HTTP headers. Scroll all the way to the bottom and press enter on the “Content-Encoding” header. Change this to “Location”. Press the right arrow to select the value of the header and change it to “”


Press ‘q’ to go back to the main inspection screen. Now, by pressing ‘a’ we can send the response on its way. If we look over at our attack computer we can see that it’s being redirected to!

As we’ve seen, Raspberry Pi with mitmproxy and arpspoof can be a powerful tool to intercept and modify traffic on a local area network on the fly. mitmproxy also supports logging traffic, which could then later be retrieved and inspected for passwords or any other sensitive information.

Next post I’ll cover how we can use libmproxy to script the modification of the HTTP requests and responses.



This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

71 thoughts on “Setting up a man-in-the-middle device with Raspberry Pi, Part 1”

    1. Yeah man, how dare he use his free time how he wants! He gave us something brilliant for free, he’s such a douche for not devoting his life to it from that point on!

  1. Thank you. I open for myself the whole new world of traffic inspection that I have in my home network. TV, PC, PHONES everything generates data requests. I’d love to know what is in the packages. Such Pi device and soft is the own security inspector.

  2. That’s cool stuff indeed!
    Thank you very much!
    I’m up on buying my own RaspBerry Pi some when this year.
    Can only test in our fablab/hackerspace currently.

  3. Cool site, Jeff. I was recently accepted into the nerd world. Been taking some programming classes online. Look forward to following your site.

  4. if you like mitm attacks, check out faceniff, wifikill apps for android, with faceniff you can hijack facebook/hotmail/email/amazon/youtube/blogger accounts, cookies and even passwords. And with wifikill you can redirect network traffic to any webpage you want/ or just monitor the browsed sites.

  5. Great tutorial! Thank you!

    But you are doing arpspoofing a little bit complicated. You don’t need to start two separate terminals, you can do it in one! Just add the parameter -r like the following:

    arpspoof -i eth0 -t -r

    works great with the current up-to-date PwnPi distribution!

  7. Nice tutorial. Well, I experienced heavy load on my PwnPi while arpspoofing and mitm-ing. It even slowed down the network traffic that way it wouldn’t make sense to use. Did I do something wrong or is there a workaround?

  10. Hi
    I have a small problem with the update of the latest list of packages from the Raspbian sources. There is an error “could not resolve”. What can i do to solve this problem?
    Please help me.

    1. You need an internet connection in order to connect to the site – consider using an ethernet connection directly into your pi, then re-run the commands

  11. Sounded too good to be true. Compilation of mitmproxy failed with “no package found” error messages. Can report if needed.

  12. Hey all,

    Has anyone considered creating a basic proxy / router / gateway of sorts using an Arduino and Ethernet shield? Nothing illegal or nefarious here, I am just interested in using this in conjunction with a game console to see if I can maybe produce an aim-bot for a first-person shooter. I believe this RasPi project WOULD do the job but my technical experience is less with RasPi and more with Arduino.

  15. Wow – I literally never leave comments. This was so thorough it was borderline god sent lmao I forgot it was on miTm – I just wanted to get pwnpi set up . Thanks

  20. I tried all your steps but what makes me confused is you told that we need to run both separately
    arpspoof -i eth0 -t
    arpspoof -i eth0 -t
    I did these but as soon as I stopped it, the default gateway turns into original mac address rather than rpi mac address.
    Then when I opened
    mitmproxy -T --host
    I saw nothing running though victim was accessing http website.
    Can anyone help me please?
