
Man-in-the-Middle

Man-in-the-Middle (MitM) is an attack in which an adversary intercepts communication between two parties, enabling eavesdropping, data modification, or credential theft. MitM attacks can occur at the network level (e.g. ARP spoofing), at the application level (e.g. SSL stripping) or on wireless links (e.g. evil twin access points).

What is Man-in-the-Middle?

Man-in-the-Middle Definition

Man-in-the-Middle (MitM) is an attack type where an adversary positions themselves between two parties (e.g., user and server) to intercept, read, or modify communication. Because the attacker forwards traffic onward after intercepting it, neither party notices that it is being routed through a third host.

MitM Attack Variants

Network-level:

  • ARP spoofing
  • DNS spoofing
  • DHCP spoofing
  • BGP hijacking

Application-level:

  • SSL/TLS interception
  • SSL stripping
  • HTTP injection
  • Session hijacking

Wireless:

  • Evil twin (rogue WiFi)
  • Karma attacks
  • Bluetooth MitM

How does MitM work?

Classic scenario:

  1. Attacker joins the same network segment as the victim (ARP spoofing only works inside a broadcast domain)
  2. ARP spoofing: the attacker sends forged ARP replies so the victim maps the gateway's IP to the attacker's MAC address (and usually the gateway maps the victim's IP to it as well)
  3. Victim's traffic now reaches the attacker first
  4. Attacker forwards it to the real destination, so connectivity keeps working and the victim is unaware
  5. Attacker eavesdrops on, modifies, or harvests credentials from the forwarded traffic
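The scenario above is visible on the wire: a spoofing host answers ARP for an IP address that another MAC address already answered for, and typically answers for both ends of the connection it is poisoning. The detector below is an added example written for this page (it is not the page's own code and not from any of the tools listed further down). It parses ARP replies from constructed lines in the style of `tcpdump -n arp` output, pins the gateway binding the way Dynamic ARP Inspection would, learns the rest trust-on-first-use, and flags contradicting replies and MACs claiming several IPs. All addresses are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of `tcpdump -n arp` output (addresses
# are invented for this example). 10.0.0.1 is the gateway; from 12:00:03 a
# second MAC (cc:...:99) starts answering for the gateway and for host .25.
SAMPLE_LINES = """\
12:00:00.000100 ARP, Reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:01.000200 ARP, Reply 10.0.0.25 is-at bb:bb:bb:bb:bb:25, length 28
12:00:02.000300 ARP, Request who-has 10.0.0.1 tell 10.0.0.25, length 28
12:00:02.000400 ARP, Reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:03.000500 ARP, Reply 10.0.0.1 is-at cc:cc:cc:cc:cc:99, length 28
12:00:03.500600 ARP, Reply 10.0.0.25 is-at cc:cc:cc:cc:cc:99, length 28
12:00:04.000700 ARP, Reply 10.0.0.1 is-at cc:cc:cc:cc:cc:99, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpReply:
    ts: str
    ip: str
    mac: str


def parse_replies(text):
    """Keep only ARP replies; requests carry no IP->MAC binding claim."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            out.append(ArpReply(m["ts"], m["ip"], m["mac"].lower()))
    return out


def detect_arp_spoofing(replies, static_bindings=None):
    """Flag replies that contradict a pinned or previously learned IP->MAC
    binding, and MACs that answer for more than one IP (a host poisoning
    both the victim and the gateway does exactly that).
    static_bindings: dict ip -> mac for addresses you can pin, e.g. the gateway."""
    pinned = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    learned = {}   # ip -> first MAC seen (trust-on-first-use, weaker than pinning)
    claimed = {}   # mac -> set of IPs it has answered for
    alerts = []
    for r in replies:
        expected = pinned.get(r.ip, learned.get(r.ip))
        if expected is None:
            learned[r.ip] = r.mac
        elif expected != r.mac:
            kind = "pinned-binding-violation" if r.ip in pinned else "binding-change"
            alerts.append({"ts": r.ts, "kind": kind, "ip": r.ip,
                           "expected": expected, "seen": r.mac})
        ips = claimed.setdefault(r.mac, set())
        if r.ip not in ips:
            ips.add(r.ip)
            if len(ips) > 1:   # fire once per newly claimed IP, not per reply
                alerts.append({"ts": r.ts, "kind": "mac-claims-multiple-ips",
                               "mac": r.mac, "ips": sorted(ips)})
    return alerts


def run_sample():
    """Run the detector over the constructed capture with the gateway pinned."""
    replies = parse_replies(SAMPLE_LINES)
    return detect_arp_spoofing(replies, {"10.0.0.1": "aa:aa:aa:aa:aa:01"})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the first three replies are clean; the reply at 12:00:03 violates the pinned gateway binding, the one at 12:00:03.5 changes the learned binding for 10.0.0.25 and makes cc:…:99 the second IP claimed by one MAC. Pinning matters: without it a spoofer who answers before the real host would simply be "learned" as legitimate.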

MitM Attack Tools

  • Ettercap: Classic MitM framework (ARP poisoning, sniffing, filters)
  • Bettercap: Modern Go-based successor covering ARP/DNS spoofing, transparent proxies and WiFi attacks
  • mitmproxy: HTTP/HTTPS interception proxy for inspecting and rewriting requests
  • Wireshark: Traffic analysis (capture and inspection, not an attack tool in itself)
  • Responder: LLMNR/NBT-NS/mDNS poisoning on Windows networks to capture NetNTLM credentials

SSL/TLS and MitM

SSL stripping:

  • Downgrading HTTPS to HTTP: the attacker keeps the HTTPS connection to the server but serves the victim a plaintext copy with https:// links rewritten to http://
  • User sees HTTP (no padlock), but the page otherwise looks normal
  • Attacker sees plaintext traffic, including credentials and session cookies

Defense:

  • HSTS (HTTP Strict Transport Security): once the browser has seen the header over HTTPS it refuses plain HTTP for that domain, so it protects from the second visit onward unless the domain is on the browser preload list
  • Certificate pinning: protects against interception with a forged certificate, not against stripping itself, since a stripped connection never reaches TLS
  • User awareness: checking for the padlock before entering credentials

Adversary-in-the-Middle (AiTM)

Modern MitM variant targeting MFA:

  1. User receives a phishing link
  2. The phishing site is a reverse proxy that relays every request and response to the legitimate login page in real time
  3. User completes MFA authentication on what is in fact the real site, via the proxy
  4. Attacker captures the session cookie the site issues once MFA succeeds
  5. Attacker replays the cookie from their own machine; MFA is not prompted again because the session is already authenticated
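Step 5 is where AiTM leaves a trace on the application side: the cookie was issued to one client (the proxy) and is then presented by another (the attacker's box). The detector below is an added example for this page, not code from any identity provider; it binds each MFA-authenticated session to the network and User-Agent seen at issuance and flags later requests that present the cookie from elsewhere. The events are constructed, the /24 network comparison is a simplification (real deployments compare ASN or geolocation), and the heuristic does not catch the proxied login itself, since at that point the IdP sees the proxy as an ordinary client.

```python
import ipaddress

# Constructed events (not real logs): the user completes MFA, then the same
# session cookie is presented 30 s later from a different network and client,
# which is what a replayed AiTM-captured cookie looks like. Addresses are made up.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "login_mfa_ok", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"},
    {"ts": 105, "type": "request", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"},
    {"ts": 130, "type": "request", "session": "S1",
     "ip": "198.51.100.77", "ua": "python-requests/2.31"},
    {"ts": 140, "type": "request", "session": "S9",
     "ip": "198.51.100.77", "ua": "python-requests/2.31"},
]


def client_network(ip):
    """Coarse network key: /24 for IPv4, /64 for IPv6. An assumption for this
    example; production systems compare ASN or geolocation instead."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def detect_session_replay(events):
    """Bind each MFA-authenticated session to the network and User-Agent it was
    issued to, and flag later requests presenting the cookie from elsewhere."""
    bound = {}   # session id -> context captured at issuance
    alerts = []
    for ev in events:
        if ev["type"] == "login_mfa_ok":
            bound[ev["session"]] = {"user": ev["user"], "ts": ev["ts"],
                                    "net": client_network(ev["ip"]), "ua": ev["ua"]}
            continue
        if ev["type"] != "request":
            continue
        ctx = bound.get(ev["session"])
        if ctx is None:
            # A cookie the IdP never issued in this log window: forged or out of scope.
            alerts.append({"ts": ev["ts"], "session": ev["session"], "user": None,
                           "reasons": ["unknown session (no MFA login recorded)"]})
            continue
        reasons = []
        net = client_network(ev["ip"])
        if net != ctx["net"]:
            reasons.append(f"network changed {ctx['net']} -> {net}")
        if ev["ua"] != ctx["ua"]:
            reasons.append("user-agent changed")
        if reasons:
            alerts.append({"ts": ev["ts"], "session": ev["session"],
                           "user": ctx["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

Treat a hit as a reason to revoke the session and re-challenge, not as proof by itself: mobile users legitimately change networks. The durable fix is to make the cookie useless off the original device (token binding, FIDO2/WebAuthn for the login, device-bound session cookies), so the replay in step 5 fails outright.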

MitM Defense

Network:

  • 802.1X authentication
  • Dynamic ARP inspection
  • DHCP snooping
  • Network segmentation

Application:

  • TLS everywhere
  • Certificate validation
  • HSTS
  • Certificate pinning

User:

  • VPN on untrusted networks
  • Verifying certificates
  • Avoiding public WiFi for sensitive operations

MitM attacks remain relevant despite TLS ubiquity, especially in internal networks and through social engineering (AiTM).
