A Man-in-the-Middle (MITM) attack is a type of cyberattack where an attacker secretly intercepts, relays, and possibly alters communication between two parties who believe they are communicating directly with each other.
Simple Explanation
Imagine Alice wants to talk to Bob securely. An attacker (Eve) positions herself between them:
- Alice sends a message → Eve intercepts it
- Eve may read, modify, or inject malicious data
- Eve forwards it to Bob as if it came directly from Alice
Neither Alice nor Bob realizes the attacker exists.
Goals of MITM Attacks
- Steal sensitive data (passwords, credit card details, cookies)
- Hijack user sessions
- Spy on communications
- Inject malware or false information
How MITM Attacks Work (General Steps)
- Interception – Attacker gains access to the communication channel
- Decryption / Manipulation – Data is read or altered
- Forwarding – Modified or original data is sent to the destination
Types of MITM Attacks (Techniques and Subcategories)
1. ARP Spoofing (ARP Poisoning)
- Exploits the Address Resolution Protocol (ARP) in local networks
- Attacker sends forged ARP replies that bind their own MAC address to the IP of the gateway and/or the victim
- Traffic meant for the router or the victim is delivered to the attacker's MAC instead and passes through the attacker
Used in: LAN attacks, Wi-Fi networks
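The poisoning pattern described above can be detected from ARP traffic alone: a defender keeps a table of learned IP-to-MAC bindings and alerts when a binding changes or when one MAC starts answering for several IPs. The following is an added example, not code from the original article; the record format (timestamp, sender IP, sender MAC) and the sample replies are constructed for illustration.

```python
"""Detect ARP-poisoning symptoms in a stream of ARP replies (added example).

Two checks are applied to each reply:
1. the MAC bound to an IP changes after being learned (critical for the gateway);
2. one MAC claims more than one IP, the typical sign of an attacker posing
   as both the gateway and a victim.
Record format and sample data are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 legitimately sits at aa:..:01;
# later the host at cc:..:30 starts answering for the gateway and for .20.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ("10:00:02", "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ("10:00:03", "192.168.1.30", "cc:cc:cc:cc:cc:30"),
    ("10:00:09", "192.168.1.1", "cc:cc:cc:cc:cc:30"),   # gateway IP now at cc
    ("10:00:10", "192.168.1.20", "cc:cc:cc:cc:cc:30"),  # victim IP also at cc
]

def detect_arp_spoofing(replies, gateway_ip):
    """Return a list of alert strings; an empty list means nothing suspicious.

    Note: legitimate events (DHCP lease changes, a replaced NIC, failover
    gateways) also move bindings, so alerts need correlation with inventory.
    """
    ip_to_mac = {}                 # first MAC learned for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {severity}: {ip} moved from {known} to {mac}")
        prior_ips = mac_to_ips[mac]
        if prior_ips and ip not in prior_ips:
            alerts.append(f"{ts} WARNING: {mac} now claims {ip} in addition to "
                          f"{sorted(prior_ips)}")
        prior_ips.add(ip)
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```

On a real network the same function would be fed from a packet capture filtered to ARP replies, with the baseline table seeded from a trusted inventory rather than learned from the first reply seen.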
2. DNS Spoofing (DNS Cache Poisoning)
- Attacker corrupts DNS responses
- Victim is redirected to a malicious website instead of the legitimate one
- Often used for phishing or malware delivery
Example: bank.com resolves to attacker’s IP
3. IP Spoofing
- Attacker alters packet headers to impersonate a trusted device
- Often combined with other attacks like session hijacking
Limitation: On its own, IP spoofing is poorly suited to two-way communication, because replies are sent to the spoofed address rather than to the attacker
4. SSL/TLS Stripping
- Downgrades HTTPS connections to HTTP
- Victim believes the site is secure while traffic is unencrypted
- Attacker reads credentials in plaintext
Common in: Public Wi-Fi attacks
5. HTTPS Spoofing (Fake Certificates)
- Attacker presents a fake SSL certificate
- If the victim accepts it, the attacker can decrypt the traffic
- Often relies on the user ignoring certificate warnings
6. Wi-Fi Eavesdropping
- Attacker listens to unsecured or weakly encrypted Wi-Fi traffic
- No modification—just passive monitoring
Example: Open public Wi-Fi hotspots
7. Evil Twin Attack
- Attacker creates a fake Wi-Fi access point with a legitimate name
- Victims connect unknowingly
- All traffic passes through attacker
Example: “Airport_Free_WiFi”
8. Session Hijacking
- Attacker steals session cookies or tokens
- Gains authenticated access without knowing credentials
Often combined with: ARP spoofing or XSS
9. Email Hijacking
- Attacker intercepts or compromises email communication
- Common in business email compromise (BEC)
- Used to manipulate transactions or steal credentials
10. Man-in-the-Browser (MITB)
- Malware infects the user’s browser
- Modifies web transactions in real time
- Very stealthy and hard to detect
Common target: Online banking
11. Replay Attacks
- Attacker captures valid data packets
- Replays them later to impersonate a legitimate user
Example: Reusing authentication tokens
12. Bluetooth MITM
- Exploits insecure Bluetooth pairing
- Attacker intercepts communication between devices
MITM Attack Categories (High-Level)
- Passive MITM – Attacker only listens (eavesdropping)
- Active MITM – Attacker modifies or injects data
Prevention Techniques (Brief)
- Use HTTPS with valid certificates
- Enable HSTS
- Use VPNs on public networks
- Avoid public/open Wi-Fi
- Use secure DNS (DNSSEC)
- Monitor the network and deploy IDS/IPS
Summary Table: MITM Attack Types
| MITM Type | Technique Used | Target Environment | Main Impact |
|---|---|---|---|
| ARP Spoofing | Fake ARP messages | Local networks | Traffic interception |
| DNS Spoofing | DNS cache poisoning | Internet users | Redirection to fake sites |
| IP Spoofing | Fake IP headers | Networks | Impersonation |
| SSL Stripping | Downgrade HTTPS | Web traffic | Credential theft |
| HTTPS Spoofing | Fake certificates | Browsers | Decryption of traffic |
| Wi-Fi Eavesdropping | Packet sniffing | Public Wi-Fi | Data leakage |
| Evil Twin | Rogue access point | Wireless users | Full traffic control |
| Session Hijacking | Cookie theft | Web apps | Account takeover |
| Email Hijacking | Mail interception | Businesses | Financial fraud |
| MITB | Browser malware | End-users | Transaction manipulation |
| Replay Attack | Packet reuse | Authentication systems | Unauthorized access |
| Bluetooth MITM | Insecure pairing | IoT / Mobile | Data interception |
