101
0/228
Loading content...
An attacker seeking MITM position faces a fundamental challenge: how do you redirect traffic that isn't destined for your machine to flow through it anyway? The answer depends on the attacker's position in the network, their level of access, and the specific vulnerabilities of the target environment.
Over decades of network security research (both offensive and defensive), a sophisticated arsenal of MITM techniques has emerged. Some exploit fundamental protocol design decisions made before security was a priority. Others leverage implementation weaknesses in specific software. Still others require significant infrastructure access but provide correspondingly powerful capabilities.
Understanding these techniques is essential for defenders—you cannot protect against attacks you don't understand. It's equally valuable for security professionals conducting penetration tests, incident responders analyzing breaches, and engineers designing secure systems.
This page covers the major MITM attack techniques organized by network layer, including Layer 2 attacks (ARP, CAM table, VLAN), Layer 3 attacks (ICMP, routing), and application layer attacks (DNS, HTTP). For each technique, you'll learn the mechanics, requirements, tooling, and detection strategies.
Address Resolution Protocol (ARP) is one of the most commonly exploited protocols for MITM attacks. ARP operates at Layer 2, mapping IP addresses to MAC addresses within a local network segment. Its design—created in an era of trusted networks—includes no authentication mechanism, making it inherently vulnerable.
How ARP Works (Legitimate Operation):
When a host needs to send a packet to an IP address on the local network:
The Vulnerability:
ARP has a critical flaw: hosts accept ARP replies even without having sent a request. This "gratuitous ARP" mechanism was designed for network reconfiguration (e.g., failover scenarios) but enables trivial attack.
1234567891011121314151617181920212223
# ARP Poisoning Attack - Conceptual Flow # Normal situation:# Victim (192.168.1.100) ARP cache: Gateway 192.168.1.1 → AA:BB:CC:DD:EE:FF# Gateway (192.168.1.1) ARP cache: Victim 192.168.1.100 → 11:22:33:44:55:66 # Attacker's machine: 192.168.1.50, MAC: XX:XX:XX:XX:XX:XX # Step 1: Enable IP forwarding on attacker's machineecho 1 > /proc/sys/net/ipv4/ip_forward # Step 2: Send forged ARP to victim# "Hey victim, I'm the gateway (192.168.1.1), my MAC is XX:XX:XX:XX:XX:XX"# Victim's ARP cache becomes: 192.168.1.1 → XX:XX:XX:XX:XX:XX (POISONED!) # Step 3: Send forged ARP to gateway # "Hey gateway, I'm the victim (192.168.1.100), my MAC is XX:XX:XX:XX:XX:XX"# Gateway's ARP cache becomes: 192.168.1.100 → XX:XX:XX:XX:XX:XX (POISONED!) # Step 4: Continuously send forged ARPs to maintain poisoned caches# ARP entries expire, so attacker must repeat every ~30 seconds # Result: All traffic between victim and gateway flows through attackerAttack Requirements:
Attack Tools:
| Tool | Platform | Description |
|---|---|---|
| Ettercap | Linux/Windows | Full-featured MITM suite with GUI and CLI |
| Arpspoof | Linux | Simple command-line ARP spoofing tool |
| Bettercap | Linux/macOS | Modern, modular network attack framework |
| Cain & Abel | Windows | Windows-based credential capture suite |
| mitmproxy | All | Transparent proxy for traffic inspection |
ARP poisoning creates detectable anomalies: multiple ARP replies for the same IP, rapid ARP cache changes, duplicate MAC addresses for different IPs, and abnormally high ARP traffic. Network monitoring tools can detect these signatures, but most endpoints lack built-in ARP monitoring.
Network switches maintain a Content Addressable Memory (CAM) table—a mapping of MAC addresses to switch ports. This table enables switches to forward traffic only to the specific port where the destination resides, rather than flooding traffic to all ports (like a hub).
Normal Switch Operation:
CAM Table:
MAC Address Port VLAN Age
--------------------------------------------
AA:BB:CC:DD:EE:01 Fa0/1 10 3 min
AA:BB:CC:DD:EE:02 Fa0/2 10 1 min
AA:BB:CC:DD:EE:03 Fa0/3 10 5 min
When a frame arrives for MAC AA:BB:CC:DD:EE:02, the switch only sends it out port Fa0/2.
The CAM Table Overflow Attack:
The CAM table has finite capacity (typically 4,000-130,000 entries depending on the switch model). The attack floods the switch with thousands of fake MAC addresses, filling the CAM table to capacity.
What Happens When CAM Table is Full:
Most switches implement a "fail-open" behavior when the CAM table overflows:
Attack Implementation:
# Using macof from the dsniff toolkit
macof -i eth0 -n 50000
# This sends 50,000 frames with random source MACs
# Rapidly fills the switch's CAM table
# Duration depends on switch capacity and aging timers
Attack Limitations:
Defense Mechanisms:
| Defense | Implementation | Effectiveness |
|---|---|---|
| Port Security | Limit MACs per port | High - directly blocks attack |
| 802.1X | Authenticate devices | High - limits network access |
| Private VLANs | Isolate hosts | Medium - limits attack scope |
| VLAN Segmentation | Separate broadcast domains | Medium - limits impact |
| Switch Monitoring | Alert on CAM anomalies | Detection only |
Virtual LANs (VLANs) provide logical network segmentation, separating hosts into isolated broadcast domains. Security-conscious networks use VLANs to isolate sensitive systems (e.g., VLAN 10 for servers, VLAN 20 for workstations, VLAN 30 for guests). VLAN hopping attacks bypass this isolation.
Attack 1: Switch Spoofing
Trunk ports carry traffic for multiple VLANs using 802.1Q tagging. If an access port is misconfigured for dynamic trunking (DTP enabled), an attacker can negotiate a trunk connection:
1. Attacker connects to access port
2. Port is misconfigured with DTP auto-negotiation
3. Attacker sends DTP frames claiming to be a switch
4. Port transitions to trunk mode
5. Attacker can now send/receive traffic for ANY VLAN
Attack 2: Double Tagging
Even without trunk access, attackers on the native VLAN can reach other VLANs using double-tagged frames:
Normal frame: [Ethernet Header][Payload]
802.1Q frame: [Ethernet Header][VLAN Tag][Payload]
Double-tagged: [Ethernet Header][VLAN Tag1][VLAN Tag2][Payload]
Double Tagging Requirements:
Defense Configuration:
! Disable DTP on all access ports
interface range Fa0/1-24
switchport mode access
switchport nonegotiate
! Set native VLAN to unused VLAN (not VLAN 1)
interface Gi0/1
switchport trunk native vlan 999
! Enable native VLAN tagging on trunks
vlan dot1q tag native
! Use private VLANs for additional isolation
vlan 10
private-vlan isolated
Key Takeaway:
VLAN security is not absolute—it depends on correct configuration. Default switch configurations are often vulnerable. Never rely on VLANs as your only security boundary for truly sensitive traffic.
Layer 3 MITM attacks manipulate IP routing to redirect traffic through attacker-controlled systems. These attacks can have broader impact than Layer 2 attacks since they can affect traffic across network segments.
ICMP Redirect Attack:
Internet Control Message Protocol (ICMP) includes a "redirect" message type, originally designed to inform hosts of more efficient routes. Attackers can abuse this:
1. Victim sends packet to gateway for destination X
2. Attacker sends ICMP Redirect: "For destination X, use ME instead of gateway"
3. Victim updates routing table to route X through attacker
4. All traffic from victim to X now flows through attacker
123456789101112131415161718192021222324
# ICMP Redirect Attack using hping3 or scapy # Attack scenario:# Victim: 192.168.1.100# Gateway: 192.168.1.1# Attacker: 192.168.1.50# Target: 10.0.0.100 (external server) # Attacker sends ICMP redirect claiming to be the gateway# "For traffic to 10.0.0.100, route through me (192.168.1.50)" from scapy.all import * # Craft ICMP Redirect packeticmp_redirect = IP(src="192.168.1.1", dst="192.168.1.100") / \ ICMP(type=5, code=1, gw="192.168.1.50") / \ IP(src="192.168.1.100", dst="10.0.0.100") / \ ICMP() # Send the redirectsend(icmp_redirect) # Victim's routing table now shows:# 10.0.0.100 via 192.168.1.50 (attacker!)Defenses Against ICMP Redirect:
Most modern operating systems disable ICMP redirect acceptance by default:
# Linux - disable ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Windows - ICMP redirects disabled by default in Vista+
# Verify: netsh interface ipv4 show global
# Should show: "ICMP Redirects = disabled"
BGP Hijacking:
Border Gateway Protocol (BGP) is the routing protocol that connects the Internet. BGP attacks can intercept traffic on a massive scale:
1. BGP relies on trust between Autonomous Systems (AS)
2. Attacker with BGP access announces routes for victim IP prefixes
3. Other networks route victim traffic to attacker
4. Attacker can inspect traffic before forwarding to real destination
Notable BGP Hijacking Incidents:
| Year | Incident | Impact |
|---|---|---|
| 2008 | Pakistan Telecom/YouTube | Global YouTube outage (accidental) |
| 2018 | Route53/Cryptocurrency | $150K cryptocurrency theft |
| 2019 | China Telecom | Traffic rerouting through China |
| 2020 | Russian ISP | Major European traffic misdirected |
BGP security improvements (RPKI, BGPsec) are being deployed but adoption is incomplete.
BGP hijacking requires significant infrastructure access (controlling a BGP speaker), making it primarily a nation-state or major ISP capability. However, the impact can be global—a single BGP announcement can redirect traffic for millions of users across the Internet.
The Domain Name System (DNS) translates human-readable domain names to IP addresses. Because nearly all Internet communication begins with a DNS lookup, controlling DNS resolution gives attackers powerful MITM capabilities.
DNS Spoofing/Poisoning:
Attackers inject false DNS records, redirecting victims to attacker-controlled servers:
Local DNS Spoofing (Same Network):
1. Victim sends DNS query: "What is the IP for bank.com?"
2. Attacker races to respond before legitimate DNS server
3. Attacker's response: "bank.com is 192.168.1.50" (attacker's IP)
4. Victim connects to attacker thinking it's bank.com
5. Attacker proxies to real bank.com while capturing credentials
DNS Cache Poisoning (Kaminsky Attack):
In 2008, Dan Kaminsky disclosed a fundamental DNS vulnerability. Rather than attacking individual queries, this attack poisons the DNS server's cache:
1. Attacker sends thousands of queries to DNS resolver
2. Simultaneously sends forged responses with guessed transaction IDs
3. If a forged response matches a pending query's transaction ID...
4. DNS server caches the forged record
5. ALL users of that DNS server now receive the poisoned answer
DNS Attack Variations:
| Attack Type | Target | Scope | Technique |
|---|---|---|---|
| Local Spoofing | Single victim | Low | Race condition on same network |
| Cache Poisoning | DNS resolver | High | Poison cache serving many users |
| DNS Hijacking | Authoritative NS | Very High | Compromise domain's nameserver |
| Rogue DNS | Network DHCP | Medium | Provide malicious DNS via DHCP |
| DNS Rebinding | Browser | Medium | Bypass same-origin via DNS TTL |
Defenses:
Encrypted DNS (DoH/DoT) prevents local DNS spoofing but doesn't protect against cache poisoning at the resolver. DNSSEC provides authentication of DNS records but requires adoption by both domain operators and resolver operators. Defense in depth requires multiple DNS security mechanisms.
Wireless networks present unique MITM opportunities. Unlike wired networks where attackers need physical access, wireless attackers can operate from parking lots, adjacent buildings, or anywhere within radio range.
The Evil Twin Attack:
An "evil twin" is a malicious access point that impersonates a legitimate network:
1. Attacker identifies target network (e.g., "CoffeeShop-WiFi")
2. Attacker creates AP with identical SSID and similar appearance
3. Attacker's AP broadcasts stronger signal than legitimate AP
4. Victims' devices auto-connect to evil twin
5. All victim traffic flows through attacker
Why Evil Twins Work:
Advanced Wireless MITM Techniques:
Karma Attack: Devices constantly probe for previously connected networks. A Karma attack responds to ALL probe requests:
Victim device: "Is 'HomeNetwork' available?"
Karma AP: "Yes, I am HomeNetwork!" (lie)
Victim device: "Is 'WorkWiFi' available?"
Karma AP: "Yes, I am WorkWiFi!" (also a lie)
Victim auto-connects to attacker's AP
Deauthentication Attack: For WPA networks, attackers can force disconnection then capture handshake:
1. Send deauth frames to victim (pretending to be AP)
2. Victim disconnects
3. Victim reconnects and performs WPA handshake
4. Attacker captures 4-way handshake
5. Attacker can attempt offline password cracking
OR set up evil twin during victim's confused state
Tooling:
Once an attacker has achieved traffic redirection (via any method from previous sections), they typically use proxy software to actually intercept, analyze, and potentially modify the traffic.
Transparent Proxies:
A transparent proxy intercepts traffic without requiring client configuration. The client doesn't know a proxy exists:
# Set up transparent proxy with iptables + mitmproxy
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Redirect HTTP (port 80) to mitmproxy (port 8080)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j REDIRECT --to-port 8080
# Redirect HTTPS (port 443) to mitmproxy (port 8080)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 \
-j REDIRECT --to-port 8080
# Start mitmproxy in transparent mode
mitmproxy --mode transparent --showhost
HTTP Traffic Interception:
Unencrypted HTTP is trivially intercepted. The proxy sees:
HTTPS Traffic Interception (Certificate Issues):
HTTPS complicates interception because traffic is encrypted. The attacker must perform TLS interception:
1. Client connects to proxy thinking it's the real server
2. Proxy presents a forged certificate for the target domain
3. Client must accept this certificate (this is the weak point)
4. Proxy decrypts client traffic, re-encrypts to real server
5. Proxy has access to plaintext of all communications
The Certificate Problem:
For TLS interception to work transparently, one of these must be true:
This is why proper certificate validation is the primary defense against MITM.
| Tool | Features | Use Case | Learning Curve |
|---|---|---|---|
| mitmproxy | Interactive, scriptable, web UI | Security testing, debugging | Medium |
| Burp Suite | Full web security platform | Web app penetration testing | High |
| Charles Proxy | User-friendly, macOS native | Mobile app debugging | Low |
| Fiddler | Windows-native, .NET support | Windows development | Low |
| SSLstrip | HTTPS downgrade attacks | Credential capture | Low |
| Ettercap | Network MITM suite | Network penetration testing | Medium |
Many enterprises deploy corporate TLS inspection proxies that perform the same technical operation as MITM attacks—but with organizational authorization. These systems install corporate CA certificates on managed devices, enabling the organization to inspect encrypted traffic for security purposes. Users should understand when their traffic is subject to such inspection.
We've surveyed the major techniques attackers use to achieve MITM position. Each method has different requirements, capabilities, and detection characteristics:
| Attack Method | Layer | Requirements | Detection | Defense |
|---|---|---|---|---|
| ARP Poisoning | L2 | Same LAN segment | ARP monitoring | DAI, static ARP |
| CAM Overflow | L2 | Switch access | High traffic, alerts | Port security |
| VLAN Hopping | L2 | Misconfigured switches | VLAN monitoring | Proper trunk config |
| ICMP Redirect | L3 | Same network | ICMP monitoring | Disable in OS |
| BGP Hijacking | L3 | BGP access | Route monitoring | RPKI, BGPsec |
| DNS Spoofing | L7 | Same network | DNS monitoring | DNSSEC, DoH |
| Evil Twin | L2 | Wireless range | WIDS/WIPS | WPA3, VPN |
| TLS Interception | L7 | Traffic redirect | Cert validation | Pinning, HSTS |
What's Next:
The next page focuses on one of the most impactful MITM techniques: SSL Stripping. We'll examine how attackers downgrade secure HTTPS connections to unprotected HTTP, enabling credential theft even when users believe they're protected by encryption.
You now understand the major MITM attack techniques across network layers. This knowledge enables you to assess network security posture, implement appropriate defenses, and recognize attack indicators during incident response.