Charles Martin Reid - Man in the Middle

From charlesreid1

Man in the Middle Attacks

Welcome to the Man in the Middle (MITM) attacks page. This page will describe the many, many forms that a MITM attack may occur and the tools that are used to carry them out. It will also cover several laboratories, which cover specific, applied MITM scenarios.

The overarching way to think about these types of attacks is to use the 7-layer OSI model of networking:

NetworkStack  · e

Layer Name Function
7 Application Topmost layer, provides users a means to access network resources (only level seen by end user)
6 Presentation Transforms data received into a format that is readable by the application layer. Handles encryption/description for secure data
5 Session Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex.
4 Transport Provide reliable data transport services to lower layers.
3 Network Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer.
2 Data Link Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses.
1 Physical The physical medium for the network communication signals.

(Please Do Not Touch Steve's Pet Alligator)

Man in the middle attacks can occur on Level 1 on up through Level 7, and at every level in between.

Let's run through a few specifics about MITM attacks first, then talk about what attacks at different layers look like.

What Are MITM Attacks

A man-in-the-middle attack is a general concept from encryption. It consists of two parties, Alice and Bob, trying to have an encrypted conversation. However, it is foiled by an attacker, Eve, who gets in the middle. This means that Alice and Eve communicate with one encryption key, while Bob and Eve communicate with another key.

Important Parts

Any man in the middle attack on a computer network must have the following four important pieces:

1. Recon

2. Tricking the router/network device/destination into thinking they are connected to the Sheep, when they are really connected to the Attacker

3. Tricking the Sheep into thinking they are really connected to their router/network device/destination, when they are really connected to the Attacker

4. Building a bridge between the two connections so that traffic can continue to pass between the two parties and be observed/modified.

Attack Layers Perspective on MITM

Layer 1 and Layer 2: Physical/Data Layer MITM Attacks

MITM attacks at the physical level involve interference with a normal physical channel of communication. On a wireless network, this might be a wireless radio that an attacker uses to transmit radio signals at high power at a victim, thus swamping out another radio signal. It may be physical tampering with a connection - security professionals always prefer physical network taps when possible as a way to obtain a reliable ear on a network.

These types of attacks involve not just the first layer, but also several layers up - for example, the attacker must be able to establish a connection to the sheep, which involves implementing more than just Layer 1 of the network stack. However, the main MITM mechanism occurs at Layer 1.

Main page: Man in the Middle/Layer 1 and 2

Evil twin attack: Evil Twin

Layer 3 and Layer 4: Network and Transport MITM Attacks

This is Wall of Sheep territory - Layer 3 and 4 are the layers where the protocols governing network highways are implemented. Most MITM attacks at this layer consist of maliciously rerouting network traffic so that instead of the sheep talking directly to the gateway, all of the traffic first passes through an attacker.

Layer 6 and Layer 7: Presentation and Application MITM Attacks

You can use the Nishang tool to deliver malicious payloads (executables) onto a machine. One such payload is a MITM tool for eavesdropping on HTTPS sessions: Nishang/MITM Interceptor. This executable, which requires administrator permissions, generates its own certificate for each site, and installs it onto the sheep's system. The HTTPS session is thus MITMed, but the attack is not detected by the sheep because the tool installs whatever certificate is required to verify the other site's identity.

This is an example of a presentation and application layer attack, as it occurs at the level of a system application's HTTPS certificate check. This tool manipulates the trust chain for that information.

Other Perspectives



  • ARP Poisoining
  • DNS Spoofing
  • STP Mangling
  • Port Stealing

Local to Remote

  • ARP Poisoining
  • DNS Spoofing
  • DHCP Spoofing
  • ICMP Redirection
  • IRDP Spoofing
  • Route Mangling


  • DNS Poisoning
  • Traffic
  • Route Mangling


  • Access Point Reassociation

Software Tools

Ettercap use Bettercap

Dsniff  · Arpspoof  · Dnsspoof



SSLStrip  · SSLSniff


MITMf - Man in the Middle framework (Python)


Wherein we run experiments applying MITM techniques to a sandbox network and observe the results.

Man in the Middle Labs:


ARP Poisoning:

Dsniff ARP Poisoning: MITM Labs/Dsniffing Over Wifi

Bettercap ARP Poisoning: MITM Labs/Bettercap Over Wifi

Traffic Injection:

Bettercap to Replace Images: MITM Labs/Bettercap to Replace Images

MITMf to Backdoor Browsers: MITM Labs/MITMf to Backdoor Browsers


Decrypting HTTPS Traffic with Stolen Private Key: MITM Labs/Decrypting HTTPS Traffic with Stolen Private Key


Bettercap to MITM Android Phone: MITM Labs/Bettercap Android Evo

Bettercap to MITM iPhone: MITM Labs/Bettercap iPhone