Updated: Oct 22, 2021
A Man-in-the-Middle attack (MitM) is a form of cyberattack in which the attacker positions themselves between two parties who believe they are communicating directly with each other.
How does a Man in the Middle attack happen?
The attacker secretly reads, relays, and possibly alters the traffic passing between the source and the destination, so neither side notices the detour. Attackers use MitM attacks to steal login credentials or personal information, spy on the victim, or sabotage communications and corrupt data in transit.
What are some interesting types of Man in the Middle attacks?
There are many variations of the MitM attack; some common forms are:
ARP Spoofing
ARP spoofing (also called ARP poisoning) is where an attacker on the local network sends forged ARP replies that associate the gateway's IP address with the attacker's own MAC address. ARP has no authentication, so hosts simply update their ARP caches with the bogus mapping. As a result, data sent by the user to the gateway IP address is instead delivered to the attacker, who can read or modify it before relaying it to the real gateway. Poisoning the gateway's cache with the victim's IP address in the same way captures the return traffic too.
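As an added illustration (this script is not part of the original glossary entry), the following Python code replays a constructed sequence of ARP replies, of the kind a sniffer such as tcpdump would report, and flags the two signs a network monitor looks for: an IP address that suddenly starts being announced by a different MAC, and a single MAC claiming to own more than one IP address. All IP and MAC addresses below are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply ("sender_ip is-at sender_mac")."""
    sender_ip: str
    sender_mac: str


def detect_arp_spoofing(replies, gateway_ip):
    """Replay ARP replies in arrival order and return (severity, message) alerts.

    Two signals are checked:
      * an IP address announced by a MAC different from the one(s) seen before
        (HIGH if the IP is the gateway, MEDIUM otherwise);
      * one MAC announcing itself as the owner of more than one IP address,
        which is what poisoning both gateway and victim looks like on the wire.
    """
    ip_to_macs = defaultdict(set)   # IP -> every MAC that has claimed it
    mac_to_ips = defaultdict(set)   # MAC -> every IP it has claimed
    alerts = []
    for reply in replies:
        mac = reply.sender_mac.lower()

        claimed_by = ip_to_macs[reply.sender_ip]
        if claimed_by and mac not in claimed_by:
            severity = "HIGH" if reply.sender_ip == gateway_ip else "MEDIUM"
            alerts.append((severity,
                           f"{reply.sender_ip} was at {sorted(claimed_by)[0]} "
                           f"and is now announced by {mac}"))
        claimed_by.add(mac)

        owned = mac_to_ips[mac]
        if reply.sender_ip not in owned:
            owned.add(reply.sender_ip)
            if len(owned) > 1:
                alerts.append(("MEDIUM",
                               f"{mac} claims {len(owned)} addresses: {sorted(owned)}"))
    return alerts


# Constructed sample traffic (not a real capture): a legitimate gateway and
# workstation, followed by an attacker announcing itself as both of them.
GATEWAY_IP = "192.168.1.1"
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),   # real gateway
    ArpReply("192.168.1.50", "bb:bb:bb:bb:bb:50"),  # real workstation
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),   # periodic legitimate refresh
    ArpReply("192.168.1.1", "cc:cc:cc:cc:cc:99"),   # attacker poisons the workstation's view of the gateway
    ArpReply("192.168.1.50", "cc:cc:cc:cc:cc:99"),  # attacker poisons the gateway's view of the workstation
]

if __name__ == "__main__":
    for severity, message in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_IP):
        print(severity, message)
```

On a real network the same logic is fed from a packet capture; a legitimate MAC change (a replaced router, a failover) also trips the first check, which is why the alert carries the previous address so an analyst can confirm it.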
Evil Twin attacks
Evil Twin attacks are where the attacker sets up a rogue Wi-Fi access point that impersonates a legitimate one (typically by broadcasting the same network name). Devices that connect to it send all their traffic through the attacker, who intercepts it and, again, relays it between the victim and the real destination so that nothing appears to be wrong.
DNS cache poisoning
DNS cache poisoning is where forged DNS responses are injected into a resolver's cache, altering the address record it holds for a website's domain. Until the poisoned entry expires, users whose lookups go through that resolver are sent by the altered record to the attacker's site instead of the genuine one.
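To show what actually stands between a forged reply and a resolver's cache, here is an added Python example (not code from the original entry) that models the checks a resolver applies before caching a response: the reply must come from the server that was queried, to the port the query left from, with the same transaction ID and question, and any record for a name outside the queried server's zone is discarded rather than cached (the "bailiwick" rule). The query, the genuine reply and the two forged replies are constructed for the example and use documentation addresses; `example.com` and `bank.example` are reserved names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """A resource record as it appears in a DNS message section."""
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class OutstandingQuery:
    """What the resolver remembers about a query it sent and is waiting on."""
    txid: int
    src_port: int
    server_ip: str
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    """A (possibly forged) reply arriving on the resolver's socket."""
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    answers: tuple
    additional: tuple = ()


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies below it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def accept_response(query, response, zone):
    """Decide whether a resolver should accept `response` for `query`.

    Returns (accepted, reason, records_to_cache). The source address, the
    destination port and the 16-bit transaction ID are the only fields an
    off-path forger cannot observe, so a reply must match all of them plus
    the question section. Records for names outside `zone` (the zone the
    queried server is authoritative for) are dropped, so an accepted reply
    still cannot plant addresses for unrelated domains.
    """
    if response.src_ip != query.server_ip:
        return False, "source address does not match queried server", ()
    if response.dst_port != query.src_port:
        return False, "destination port does not match query source port", ()
    if response.txid != query.txid:
        return False, "transaction ID mismatch", ()
    if (response.qname.lower(), response.qtype) != (query.qname.lower(), query.qtype):
        return False, "question section mismatch", ()
    cacheable = tuple(r for r in response.answers + response.additional
                      if in_bailiwick(r.name, zone))
    return True, "accepted", cacheable


# Constructed sample exchange (not a real capture).
ZONE = "example.com"
QUERY = OutstandingQuery(txid=0x1A2B, src_port=51234, server_ip="203.0.113.53",
                         qname="www.example.com", qtype="A")

GENUINE = Response(txid=0x1A2B, dst_port=51234, src_ip="203.0.113.53",
                   qname="www.example.com", qtype="A",
                   answers=(Record("www.example.com", "A", "198.51.100.10"),))

# Attacker spraying forged replies without knowing the transaction ID.
FORGED_BAD_TXID = Response(txid=0x0001, dst_port=51234, src_ip="203.0.113.53",
                           qname="www.example.com", qtype="A",
                           answers=(Record("www.example.com", "A", "192.0.2.66"),))

# Attacker that guessed both transaction ID and port, poisoning the target name
# and trying to smuggle in a record for a domain the server is not authoritative for.
FORGED_LUCKY = Response(txid=0x1A2B, dst_port=51234, src_ip="203.0.113.53",
                        qname="www.example.com", qtype="A",
                        answers=(Record("www.example.com", "A", "192.0.2.66"),),
                        additional=(Record("login.bank.example", "A", "192.0.2.66"),))

if __name__ == "__main__":
    for label, reply in (("genuine", GENUINE), ("bad txid", FORGED_BAD_TXID), ("lucky guess", FORGED_LUCKY)):
        print(label, accept_response(QUERY, reply, ZONE))
```

The third case is the lesson of the example: once a forger guesses the transaction ID and port, the bailiwick rule only limits the damage to the queried zone, it does not stop the poisoning. That is why resolvers randomise the source port as well as the ID (multiplying the guess space) and why DNSSEC, which signs the records themselves, is the real fix.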
HTTPS Spoofing
HTTPS spoofing attacks use a look-alike URL that is visually very close to the legitimate address (a typosquatted or homoglyph domain, for example). The attacker obtains a valid TLS certificate for that look-alike name, so the browser shows the padlock; the user is tricked into visiting the URL (and, where the certificate is not trusted, into clicking through the browser warning), and the fake application then relays the requests to the authentic destination and passes the replies back to the victim. All traffic to this URL can now be read and altered by the attacker.
LLMNR/NBT-NS Poisoning
With LLMNR/NBT-NS poisoning, an attacker on the same network as the victim impersonates a destination that DNS cannot resolve (a mistyped server name, for instance). Windows hosts fall back to Link-Local Multicast Name Resolution and then NetBIOS Name Service broadcasts, and any host on the segment can answer claiming to be the requested name. The victim then authenticates to the attacker, whose tooling either captures the NTLM challenge-response hashes for offline cracking or relays the authentication to other devices on the network, granting the attacker access to internal systems.
How Man in the Middle attacks can be prevented
There are several ways to prevent this type of attack, depending on the specific attack vector.
Avoid Wi-Fi networks that are not password protected, and avoid public Wi-Fi (coffee shops etc.) unless a VPN is used to encrypt the traffic between the device and a trusted endpoint.
Only use web applications over HTTPS, and never click through browser certificate warnings.
Keep systems and infrastructure patched and up to date.
Configure the vendor's anti-ARP-spoofing protections on internal network switches (Dynamic ARP Inspection backed by DHCP snooping, so ARP replies are validated against the IP-to-MAC bindings the switch has learned).
Disable LLMNR and NBT-NS where they are not needed, and require SMB signing so that captured authentication cannot be relayed.