
Man-in-the-Middle Attack

A cyberattack where an attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other, enabling eavesdropping, data theft, and session hijacking.

Author
Unihackers Team
Reading time
4 min read

Why It Matters

Man-in-the-middle (MITM) attacks represent a fundamental threat to secure communications. When attackers position themselves between communicating parties, they can eavesdrop on sensitive data, steal credentials, modify transactions, and inject malicious content—all while victims remain unaware.

The impact of MITM attacks has driven the widespread adoption of encryption. The shift from HTTP to HTTPS, the deployment of certificate transparency, and the development of secure messaging protocols all respond to MITM threats. Yet vulnerabilities persist in legacy systems, misconfigured servers, and user willingness to bypass security warnings.

MITM attacks remain relevant in multiple contexts: public Wi-Fi networks, corporate environments with compromised infrastructure, nation-state surveillance, and targeted attacks against specific individuals. The techniques scale from simple network tools to sophisticated state-level capabilities.

For security professionals, understanding MITM attacks informs both offensive and defensive work. Penetration testers demonstrate these vulnerabilities to organizations; network engineers implement protections; and security architects design systems that resist interception.

How MITM Attacks Work

In a MITM attack, the attacker inserts themselves into the communication path:

Attack Phases

  1. Interception: Attacker gains position between victim and destination
  2. Decryption: If traffic is encrypted, attacker breaks or bypasses encryption
  3. Eavesdropping/Modification: Attacker reads, copies, or alters data
  4. Forwarding: Traffic continues to intended destination to avoid detection

MITM Techniques

Network-Level Attacks

ARP Spoofing/Poisoning

Exploits the Address Resolution Protocol by sending forged ARP replies that associate the attacker's MAC address with another host's IP address (typically the victim's and the gateway's), so traffic between those hosts is redirected through the attacker.

arp-spoof.sh
Bash

# Using arpspoof (part of dsniff) - for authorized testing only
# This poisons ARP caches to intercept traffic

# Forward traffic between victim and gateway
echo 1 > /proc/sys/net/ipv4/ip_forward

# Spoof ARP responses
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1  # Tell victim we're gateway
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100  # Tell gateway we're victim

DNS Spoofing

Returns false DNS responses, redirecting victims to attacker-controlled servers.

DHCP Spoofing

A rogue DHCP server hands out the attacker's addresses as the default gateway or DNS server.

BGP Hijacking

Manipulates internet routing to redirect traffic through attacker-controlled networks. Used in nation-state attacks.

Wireless Attacks

Evil Twin

Creates a rogue access point mimicking a legitimate network. Victims connect unknowingly, routing all traffic through the attacker.

evil-twin-setup.txt
Text

Evil Twin Attack Components:
1. Wireless adapter in monitor mode
2. Hostapd creating fake access point
3. DHCP server assigning IPs
4. DNS server for potential spoofing
5. Traffic interception tools (mitmproxy, bettercap)

KARMA/MANA Attacks

Respond to any WiFi probe request, tricking devices into connecting to attacker networks.

SSL/TLS Attacks

SSL Stripping

Downgrades HTTPS connections to HTTP, intercepting unencrypted traffic.

ssl-strip.txt
Text

SSL Stripping Flow:

1. Victim requests http://bank.com
2. Server redirects to https://bank.com
3. Attacker intercepts redirect
4. Attacker establishes HTTPS with server
5. Attacker serves HTTP to victim
6. Victim sees http://bank.com (no HTTPS)
7. Attacker relays traffic, reading everything

Certificate Impersonation

Attacker presents fraudulent certificates. Requires either:

  • Victim ignoring certificate warnings
  • Compromised Certificate Authority
  • Attacker-installed root certificate
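The list above describes the conditions under which a fraudulent certificate is accepted; on the client side the most common cause is an application that switches verification off. The following added example (written for this page, not code from the original article or from any library it mentions) contrasts a Python `ssl` client context with verification disabled against a hardened one, audits a context for those weaknesses, and shows leaf-certificate pinning by SHA-256 fingerprint. `SAMPLE_DER` is a constructed byte string, not a real certificate.

```python
import hashlib
import ssl
from typing import Iterable, List

# Constructed stand-in for a peer certificate in DER form. It is NOT a real
# certificate; it only exercises the fingerprint comparison below.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()


def insecure_context() -> ssl.SSLContext:
    """The 'before' case: verification switched off, so any certificate an
    interceptor presents is accepted. Order matters: check_hostname must be
    cleared before verify_mode can be set to CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None) -> ssl.SSLContext:
    """Chain validation, hostname matching and a TLS 1.2 floor. cafile is an
    optional private CA bundle (for example in a mutual-TLS deployment);
    None means the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses of a client context (empty = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: forged certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def fingerprint_matches(peer_der: bytes, expected_pins: Iterable[str]) -> bool:
    """Leaf-certificate pinning: compare the SHA-256 of the DER certificate
    (what SSLSocket.getpeercert(binary_form=True) returns after the handshake)
    against the pins the application ships with. Pinning is an extra check on
    top of chain validation, never a replacement for it."""
    actual = hashlib.sha256(peer_der).hexdigest()
    return any(actual == pin.lower() for pin in expected_pins)


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    print("pin ok:", fingerprint_matches(SAMPLE_DER, [SAMPLE_PIN]))
```

`audit_context` is the kind of check worth running in a code review or a unit test of any HTTP client wrapper: a context that fails it will accept whatever certificate an interceptor presents, which is exactly the "victim ignoring certificate warnings" condition, automated.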

HSTS Bypass

Exploits gaps in HTTP Strict Transport Security deployment, such as a first visit made before the browser has cached the site's policy, or subdomains not covered by the policy.
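The SSL stripping flow and the HSTS gap above both come down to one question: will the browser send the request over plain HTTP? The following added example (written for this page, not code from the original article) models a browser's HSTS store after RFC 6797: it parses the `Strict-Transport-Security` header, records policies, answers whether a host must be upgraded to HTTPS, and flags weak headers. The host names, timestamps and preload entries are constructed; `ONE_YEAR` is the conventional minimum `max-age`.

```python
import time
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value. Returns None when the
    required max-age directive is absent or malformed (browsers then ignore
    the header entirely)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def evaluate_header(header: str) -> List[str]:
    """Findings for a server-side review of the header (empty = OK)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid max-age: the policy is ignored by browsers"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: the first-visit window reopens quickly")
    if not policy["include_subdomains"]:
        findings.append("no includeSubDomains: subdomains can still be reached over plain HTTP")
    return findings


def _suffixes(host: str) -> List[str]:
    """host, its parent, grandparent, ... e.g. a.b.example -> [a.b.example, b.example, example]"""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class HstsCache:
    """Minimal model of a browser's HSTS store. Preloaded hosts are treated
    as includeSubDomains, as the preload list requires."""

    def __init__(self, preloaded=()):
        self._entries: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)
        self._preloaded = {h.lower() for h in preloaded}

    def record(self, host: str, header: str, now: Optional[float] = None) -> bool:
        """Store the policy from an HTTPS response (RFC 6797 tells browsers to
        ignore the header on plain-HTTP responses, so callers must only pass
        headers seen over TLS). max-age=0 deletes the entry."""
        now = time.time() if now is None else now
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def should_upgrade(self, host: str, now: Optional[float] = None) -> bool:
        """True if an http:// request for host is rewritten to https:// before
        it leaves the browser, i.e. there is nothing for a stripper to see."""
        now = time.time() if now is None else now
        for depth, candidate in enumerate(_suffixes(host)):
            if candidate in self._preloaded:
                return True
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now < expiry and (depth == 0 or include_subdomains):
                return True
        return False


def strip_window_open(cache: HstsCache, host: str, now: Optional[float] = None) -> bool:
    """The condition the stripping flow depends on: the request goes out in clear text."""
    return not cache.should_upgrade(host, now)
```

Running `strip_window_open` before and after `record` shows why the first visit is the exposed moment and why the preload list exists: a preloaded host is upgraded even on a browser that has never seen its header.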

Application-Level Attacks

Session Hijacking

Stealing session tokens to impersonate authenticated users.

Email Interception

MITM on unencrypted email protocols (IMAP, SMTP without TLS).

API Interception

Intercepting mobile app or IoT device communications with backend servers.

Detection Indicators

Network Signs

  • Unexpected ARP table changes
  • Certificate warnings in browsers
  • DNS resolution anomalies
  • Unusual network latency
  • Unknown devices on network

Application Signs

  • HTTP instead of expected HTTPS
  • Certificate issuer changes
  • Unexpected authentication prompts
  • Session disconnections

detect-arp-spoof.sh
Bash

# Check for MAC addresses that appear more than once in the ARP cache.
# One MAC answering for several IPs (especially the gateway's) is a sign of
# ARP spoofing. `arp -a` prints one line per IP, so whole lines are never
# duplicated; compare the hardware-address column (field 4) and skip
# <incomplete> entries instead.
arp -a | awk '$4 != "<incomplete>" {print $4}' | sort | uniq -d

# Monitor the ARP table for changes
watch -n 1 'arp -a'

# Use arpwatch for automated monitoring (logs new stations and changed MACs)
arpwatch -i eth0
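The ARP spoofing technique and the "unexpected ARP table changes" indicator above are two sides of the same event: the gateway's IP suddenly resolves to a different MAC, and that MAC is usually also claimed by another host. The following added example (written for this page; it is not the original article's script or arpwatch) parses neighbor-table snapshots in `ip neigh` format (the regexes also accept `arp -a` lines), reports IP-to-MAC changes with the gateway rated highest, and lists MACs that claim several IPs. The two snapshots are constructed sample data.

```python
import re
from collections import defaultdict
from typing import Dict, List

# First IPv4 address and first MAC address on a line; works for both
# `ip neigh` ("10.0.0.1 dev eth0 lladdr aa:... REACHABLE") and
# `arp -a` ("? (10.0.0.1) at aa:... [ether] on eth0") output.
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")

# Constructed snapshots: 192.168.1.1 is the gateway, .100 a workstation,
# .50 a third host. In the second snapshot the gateway's IP resolves to the
# MAC that .50 already has, the pattern the arpspoof commands above produce.
BASELINE_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:03 STALE
192.168.1.100 dev eth0 lladdr aa:bb:cc:00:00:02 REACHABLE
192.168.1.200 dev eth0 FAILED
"""
CURRENT_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:03 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:00:00:03 STALE
192.168.1.100 dev eth0 lladdr aa:bb:cc:00:00:02 REACHABLE
"""


def parse_neighbors(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC; entries without a MAC (FAILED/incomplete) are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IPV4.search(line), MAC.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower()
    return table


def duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP, with the IPs they claim."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def diff_tables(baseline: Dict[str, str], current: Dict[str, str], gateway: str) -> List[str]:
    """Alerts for IPs whose MAC changed since the baseline plus any duplicate MACs.
    A changed gateway MAC is rated HIGH because it redirects all off-subnet traffic."""
    alerts = []
    for ip, old_mac in baseline.items():
        new_mac = current.get(ip)
        if new_mac is not None and new_mac != old_mac:
            severity = "HIGH" if ip == gateway else "MEDIUM"
            alerts.append(f"{severity}: {ip} moved from {old_mac} to {new_mac}")
    for mac, ips in duplicate_macs(current).items():
        alerts.append(f"HIGH: MAC {mac} claims multiple IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    # In production, replace the constructed snapshots with the output of
    # `ip neigh show` captured at a known-good time and again now.
    base = parse_neighbors(BASELINE_SNAPSHOT)
    cur = parse_neighbors(CURRENT_SNAPSHOT)
    for alert in diff_tables(base, cur, gateway="192.168.1.1"):
        print(alert)
```

A MAC legitimately changes when hardware is replaced or a failover pair switches, so treat MEDIUM alerts as review items and HIGH alerts involving the gateway as incidents until the change is explained.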

Prevention and Mitigation

Encryption

  • TLS/HTTPS everywhere: Encrypt all web traffic
  • HSTS: Enforce HTTPS and prevent downgrade attacks
  • Certificate pinning: Validate specific certificates in apps
  • End-to-end encryption: Protect against infrastructure compromise

Authentication

  • Mutual TLS: Both parties verify certificates
  • Certificate transparency: Detect unauthorized certificates
  • DNSSEC: Prevent DNS spoofing
  • Strong authentication: MFA reduces credential theft impact

Network Security

mitm-prevention.txt
Text

Network-Level Protections:
- Dynamic ARP Inspection (DAI)
- DHCP snooping
- Port security on switches
- 802.1X network authentication
- Network segmentation
- VPN for untrusted networks

User Awareness

  • Don't ignore certificate warnings
  • Verify HTTPS on sensitive sites
  • Avoid sensitive activities on public WiFi
  • Use VPN on untrusted networks
  • Verify unusual requests through separate channels

Career Connection

MITM attack techniques and defenses span network security, application security, and penetration testing. Understanding these attacks is essential for anyone working with network infrastructure or secure communications.

Network Security Roles (US Market)

Role                      Entry Level   Mid Level   Senior
Network Security Analyst  $65,000       $90,000     $120,000
Penetration Tester        $80,000       $110,000    $145,000
Security Architect        $115,000      $145,000    $185,000

Source: CyberSeek

In the Bootcamp

How We Teach Man-in-the-Middle Attack

In our Cybersecurity Bootcamp, you won't just learn about Man-in-the-Middle Attack in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 10: Penetration Testing and Ethical Hacking

Related topics you'll master:

  • Metasploit
  • Nmap
  • Burp Suite
  • Privilege Escalation