Man in the middle attacks on wired networks.

How Wired Networks Work

Network communication boils down to voltages on conductors being processed by switches, routers, and hosts. Conducting a MITM attack on a wired network requires understanding how nodes build a representation of the network—and how that representation can be spoofed.

Hubs vs. Switches

Hubs (Layer 1, largely obsolete)

A hub repeats every incoming frame out every port. Every host sees all traffic. Passive sniffing on a hub requires no spoofing at all—just a promiscuous-mode network card.

Switches (Layer 2, universal today)

A switch maintains a CAM table (Content Addressable Memory) mapping MAC addresses to physical ports. When a frame arrives, the switch looks up the destination MAC and forwards the frame only to that port. This isolates traffic and is the fundamental obstacle every wired MITM attack must overcome.

MAC + IP = ARP

The Address Resolution Protocol (ARP) maps IP addresses (Layer 3) to MAC addresses (Layer 2). Each host maintains an ARP cache—a table of (IP → MAC) mappings learned from ARP replies. When Host A wants to send a packet to IP 10.0.0.5, it first checks its ARP cache for the corresponding MAC. If absent, it broadcasts an ARP request ("Who has 10.0.0.5?") and caches the reply.

The Trust Problem

ARP is a trust-based, stateless protocol with no authentication. Any host can send an ARP reply at any time, and receiving hosts will update their cache. This is the root vulnerability that makes ARP-based MITM attacks possible—and it is inherent to the protocol design, not an implementation bug.

Classic Approaches (1990s–2000s)

These techniques flourished when networks were built on hubs or unmanaged switches, HTTP was predominantly plaintext, and OS/browser defenses were minimal.

Passive Sniffing on Hubs

On a hub-based network, an attacker simply enables promiscuous mode on their NIC and runs a sniffer. No spoofing required. Tools: Wireshark (formerly Ethereal), Tcpdump, Dsniff.

ARP Spoofing / ARP Poisoning

The classic wired MITM attack. The attacker sends gratuitous (unsolicited) ARP replies to both the gateway and the target, poisoning each ARP cache so both send traffic to the attacker's MAC instead of each other. The attacker forwards packets between them, becoming an invisible relay.

Gateway ←→ Attacker ←→ Target

This works on any switched network because switches cannot validate ARP payloads at Layer 2.

Classic Tools

• Arpspoof (part of Dsniff suite by Dug Song, 1999): Command-line, single-purpose. arpspoof -i eth0 -t 10.0.0.5 10.0.0.1
• Ettercap: Full-featured GUI/TUI tool (2001). Unified and bridged sniffing modes, built-in credential harvesting, plugin system. The go-to MITM tool for over a decade.
• Dsniff suite: arpspoof, dnsspoof, macof, mailsnarf, urlsnarf, webspy.

Symptom: Duplicate IP Warnings

Classic ARP spoofing is noisy. The attacker's gratuitous ARP replies cause the switch to see the same IP claimed by two different MAC addresses, triggering "Duplicate use of IP" messages visible in packet captures.

MAC Flooding (CAM Table Overflow)

If ARP spoofing is impractical, an attacker can force a switch to behave like a hub by flooding it with frames carrying random source MAC addresses. The switch's CAM table fills up, and—depending on the switch model and firmware—it may "fail open" and broadcast all frames to all ports.

Tool: macof (part of Dsniff). macof -i eth0 can flood a switch with thousands of random MACs per second.

This attack was effective against many unmanaged and older managed switches through the mid-2000s. Modern switches from reputable vendors typically have hard limits, isolated failure modes, or simply enough CAM table capacity to make flooding impractical.

Physical Network Tap

The attacker physically inserts a device between the target and the switch/router, using two network interfaces bridged together. All traffic passes through the attacker, who can sniff or modify it transparently.

This is a Layer 1 attack—it bypasses all switch-level and ARP-level defenses. It requires physical access and is essentially undetectable by network monitoring. Historically, this was done with a laptop and a crossover cable; modern variants use dedicated tap hardware or low-power devices like Raspberry Pis.

Classic Countermeasures (Weak)

• Static ARP entries: Manually configured, unscalable beyond tiny networks.
• Switched networks: Migrating from hubs to switches defeated passive sniffing—but ARP spoofing still worked.
• HTTPS adoption: Encrypted traffic content, but destination IPs remained visible. Early SSL stripping tools (SSLStrip, 2009) could downgrade HTTPS to HTTP transparently.
• Promiscuous-mode detection: Tools like snort or sentinel could detect NICs in promiscuous mode, but were easy to evade.

Modern Approaches (2010s–Present)

Modern wired MITM is an arms race. Attack tools have become more sophisticated, modular, and stealthy. Simultaneously, switch-level defenses, OS hardening, and browser protections have raised the bar considerably.

Modern Attack Tools

Bettercap

The successor to Ettercap. Written in Go, released 2015. Features:

• Full and half-duplex ARP spoofing (half-duplex evades routers that resist ARP cache corruption)
• Built-in HTTP/HTTPS proxy with SSL stripping and HSTS bypass
• Modular design: inject HTML/CSS/JS into target traffic
• DNS, NDP (IPv6), and DHCP spoofing
• Credential harvesting for HTTP POST, FTP, IRC, POP, IMAP, SMTP, SNMP, etc.
• PCAP recording and real-time packet filtering
• REST API for scripted/remote control

Example one-liner:

sudo bettercap -I eth0 -S ARP -X --target 10.0.0.5

MITMf

MITM Framework (by byt3bl33d3r, Python, ~2014): Plugin-based architecture. Notable for its Beef integration (browser exploitation), Javascript keylogger injection, and SSLstrip+ (HSTS bypass via DNS hijacking of the HSTS preload domain). Largely superseded by Bettercap but historically important.

mitmproxy

A modern interactive HTTPS proxy (Python). Primarily used for debugging and web testing, but capable of full MITM when combined with ARP spoofing or a network tap. Features a scriptable Python API, web UI, and transparent proxy mode. Project page: https://mitmproxy.org/

Responder

While primarily an internal-network tool for poisoning LLMNR, NBT-NS, and MDNS name resolution, Responder (Python, by Laurent Gaffié) is frequently used in wired environments to capture NetNTLM hashes. Combined with relay tools like ntlmrelayx (Impacket), this enables credential theft and lateral movement on Windows networks.

Modern Switch Defenses

Enterprise and managed switches now implement countermeasures that make classic ARP spoofing difficult or impossible:

Dynamic ARP Inspection (DAI)

DAI intercepts ARP packets on untrusted ports and validates them against a trusted binding database (populated by DHCP snooping). Gratuitous ARP replies with mismatched IP-to-MAC bindings are dropped. DAI is available on Cisco IOS, Juniper, Aruba, and most managed switch platforms. It effectively neutralizes ARP spoofing on configured ports.

DHCP Snooping

DHCP snooping classifies ports as trusted (uplink to legitimate DHCP server) or untrusted (end-user ports). It builds a binding table of (IP, MAC, port, lease time) and filters DHCP server replies from untrusted ports. This is a prerequisite for DAI and also blocks rogue DHCP servers.

IP Source Guard

Works with DHCP snooping to filter IP packets on untrusted ports. Only packets with a source IP matching the binding table entry for that port are forwarded. Prevents IP spoofing at the port level.

Port Security

Limits the number of MAC addresses allowed on a switch port. Can be configured to shut down the port (shutdown), restrict traffic (restrict), or just log violations (protect) when an unapproved MAC appears. Mitigates MAC flooding by capping entries per port.

802.1X / NAC

Network Access Control (NAC) via 802.1X requires authentication before a device is granted network access. Combined with RADIUS, it can dynamically assign VLANs and enforce per-user policies. Unauthenticated devices never reach the ARP layer. Common implementations: Cisco ISE, Aruba ClearPass, FreeRADIUS + hostapd/wpa_supplicant.

Private VLANs / Port Isolation

Some switches support PVLANs or "protected ports" that prevent peer-to-peer communication between ports in the same VLAN. Even if ARP spoofing succeeds, traffic cannot flow directly between two isolated ports. Common in hosting/cloud environments.

Modern OS and Browser Protections

HSTS (HTTP Strict Transport Security)

Websites can send an HSTS header instructing browsers to always use HTTPS. HSTS Preload lists (built into Chrome, Firefox, Edge) enforce HTTPS for registered domains from the very first connection—before any HTTP request is made. This defeats classic SSL stripping.

Certificate Transparency (CT)

Since 2018, Chrome requires Certificate Transparency for all new TLS certificates. CAs must publicly log all issued certificates to append-only CT logs. MITM attackers using forged certificates leave forensic evidence. Browsers can detect and reject unlogged certificates.

Modern Certificate Validation

Browsers now enforce strict certificate chain validation, revocation checking (OCSP stapling), and distrust of weak hashes (SHA-1). The "Proceed Anyway" button has been removed or deeply buried in most modern browsers, eliminating the social-engineering vector that classic SSL stripping relied on.

Encrypted DNS (DoH/DoT)

DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries. This prevents MITM attackers from reading DNS lookups to determine browsing destinations. Major OSes (Windows 11, macOS, iOS, Android) and browsers now support encrypted DNS natively.

ARP Cache Hardening

Modern OSes have hardened their ARP implementations:

• Gratuitous ARP replies that would overwrite existing entries may be ignored if the existing entry was recently validated.
• Some implementations rate-limit ARP cache updates.
• Windows Vista+ introduced IPv6 privacy extensions and more aggressive ARP cache timeout policies.

Detection Tools

ARPWatch

A classic but still-maintained tool that monitors Ethernet activity and logs IP/MAC pairings. Alerts on changes or flip-flops that indicate ARP spoofing.

Passive Monitoring (Snort/Suricata)

IDS/IPS rules can detect ARP spoofing signatures:

• Rapid gratuitous ARP replies
• ARP replies with mismatched source MAC and Ethernet frame MAC
• Multiple ARP replies claiming the same IP from different MACs

XArp / ArpON

• XArp: Windows/Linux tool that performs active and passive ARP spoofing detection with a GUI.
• ArpON (ARP handler inspection): A daemon that validates ARP packets against a static configuration and blocks spoofed replies.

SIEM Integration

In enterprise environments, switch syslog events (DAI violations, DHCP snooping denials, port-security violations) feed into SIEM platforms (Splunk, ELK, Wazuh) for correlation and alerting.

IPv6 Considerations

Modern networks increasingly run dual-stack (IPv4 + IPv6). IPv6 uses NDP (Neighbor Discovery Protocol) instead of ARP. NDP is susceptible to analogous spoofing attacks (RA spoofing, neighbor advertisement spoofing). Defenses include:

• RA Guard: Filters rogue Router Advertisements on switch ports.
• SEND (SEcure Neighbor Discovery): Cryptographically signed NDP messages (rarely deployed in practice due to complexity).
• NDP Inspection: Analogous to DAI for IPv6, available on some enterprise switches.

Tool support: Bettercap and the THC-IPv6 attack suite include NDP spoofing modules.

MITM Scenarios

Network Tap (Layer 1)

Physical access required. Attacker sits between target and switch/router with two bridged interfaces. Undetectable by network-layer defenses. Classic technique, still relevant today. Modern variants use dedicated hardware taps or single-board computers.

ARP Poisoning (Layer 3)

The workhorse of wired MITM. Works on any switched network without DAI. See MITM/Wired/ARP Poisoning with Ettercap for a walkthrough using classic tools, and Bettercap for the modern approach.

MAC Flooding (Layer 2)

Overflowing the CAM table to force a switch into hub-like behavior. Effective against older/unmanaged switches; largely mitigated by port-security and large CAM tables on modern hardware. Tool: macof (part of Dsniff).

Port Stealing

A Layer 2 technique where the attacker floods frames with the target's source IP but the attacker's source MAC. This can confuse some switches into updating their CAM table to associate the target's MAC with the attacker's port. Rarely used now; modern switches resist this. See MITM/Port Stealing.

DHCP Spoofing

The attacker runs a rogue DHCP server. When a target requests an IP, the attacker responds faster than the legitimate server and assigns a configuration pointing DNS or gateway to the attacker's machine. Mitigated by DHCP snooping on managed switches. See MITM/DHCP.

Nutshell: Classic vs. Modern

Flags

monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker. MITM Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired Layer 1 and 2 MITM Attacks: MITM/Layer 1 and 2 Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin  · MITM/Evil Twin Layer 3 and 4 MITM Attacks: MITM/Layer 3 and 4 Traffic Sniffing: MITM/Sniffing ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS Layer 5 MITM Attacks: Session Hijacking: MITM/Session Hijacking Toolz: Ettercap  · Bettercap  · MITMf  · EvilFOCA Wireshark  · Aircrack Dsniff  · Arpspoof  · Dnsspoof SSLSniff  · SSLStrip  · Frankencert Driftnet  · Karma MITM Labs: {{MITMLabs}} Category:MITM  · Category:Attacks  · Category:Kali Attack Layers Template:MITMLabs  · Template:MITMFlag Flags  · Template:MITMFlag  · e