Setting up a man-in-the-middle attack

Internet through ethernet

Disconnect from current WiFi connection, and connect ethernet cable.

With your package manager, install wireshark and mitmproxy

WiFi Access Point

Easy option: Network Manager

In nm-applet (or nmtui) click Edit Connections…, Add

And select Wi-Fi:

nm-applet Connection Type

Name your SSID mitm-something, Mode should be hotspot.

nm-applet Editing connection

You should probably also add a WPA2 password.

Does it not work? Check if WiFi interface supports AP mode:

# iw list | grep -A 10 modes:  # is there "AP"?

Hard option: Manual

Network Manager or similar managers must not be running.

Your upstream (internet) interface is eth0, and AP interface is wlan0 (change these if needed).

# upstream=eth0
# ap=wlan0

WiFi AP (hostapd)

Download hostapd.conf. Change interface, ssid and wpa_passphrase.


# hostapd ./hostapd.conf

SSID should now appear.

(To make it permanent, you could add this hostapd.conf to /etc/network/interfaces.)

Configure IP and dhcpd

I’ll use subnet here. Change everywhere if you intent to use something else.

# apnet=192.168.11
# ip addr add $apnet.1/24 dev $ap
# dnsmasq --interface=$ap --dhcp-range=$apnet.100,$apnet.199

NAT (Network Address Translation)

Just giving client the IP is not enough, you also need to set up IP forwarding, and rewriting (upstream routers don’t know about your $apnet).

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s $apnet.0/24 ! -d $apnet.0/24 -j MASQUERADE

To revert settings:

# echo 0 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -D POSTROUTING -s $apnet.0/24 ! -d $apnet.0/24 -j MASQUERADE

Kill dnsmasq, hostapd.

Hard option: Plan B, help of additional WiFi router

(Use this in case you WiFi network card doesn’t support AP mode)

WiFi router is configured as a plain router, and will serve as WiFi AP. Its WAN port is connected to ethernet of your laptop (your laptop is upstream for the WiFi router), and your laptop is connected to WiFi (that’s your laptop’s upstream).

Interface variables are then:

# upstream=wlan0
# ap=eth0

Then follow these two sections from above:

Configure IP and dhcpd

NAT (Network Address Translation)

Other interface options

This could also be done in other ways:


Use wireshark, inspect packets.


Start mitmproxy or mitmweb as transparent proxy:

$ mitmproxy -T --host  # older version
$ mitmproxy --mode transparent --showhost  # newer

Redirect packets to mitmproxy

Redirect HTTP (TCP port 80) to mitmproxy:

# iptables -t nat -A PREROUTING -i $ap -p tcp --dport 80 -j REDIRECT --to-port 8080

If you have a firewall, you may need to allow connections to :8080.


On your phone, go to and download the CA certificate.

Redirect HTTPS (TCP port 443) to mitmproxy:

# iptables -t nat -A PREROUTING -i $ap -p tcp --dport 443 -j REDIRECT --to-port 8080

mitmproxy tricks

Scripts (oS)

HTML replacements (oR):

Filter Regex Replacement
~b </head> </head> <style>body {transform: scaleY(-1);}</style></head>

Presentation slides: