From charlesreid1

Man in the middle attacks on wired networks.

Review of How Wired Networks Work

Let's start with a little review of how wired networks actually work. Ultimately network communications boils down to a series of on-off voltages that travel through conductors (the wires in your network cable). These voltages are processed, passed on, modified, forwarded, and routed by networking infrastructure. Conducting a man-in-the-middle attack on a wired network requires knowing how nodes on a network create a representation of the network, and how that representation can be spoofed.


The basic target of a wired network man in the middle attack is the ARP table. This is a table maintained by each node on a network that maps IP addresses to MAC addresses. During normal operation of the network, nodes sending or receiving packets use the ARP table to link physical devices to specific ports to help route traffic. (For example, if my ARP table says that Alice is on port 5, and I want to send a message to Alice, I put port 5 into the header of my message, and my computer and the network ensure it gets to Alice and only Alice.)

Attacking ARP

There are several attacks that can be carried out on ARP tables, depending on your objective.

The most basic kind of attack is an ARP Poisoning or ARP spoofing attack, in which an attacker convinces the gateway and the client that they are talking to each other, but in fact each of their ARP tables has been poisoned so that they are actually sending and receiving messages from the attacker.

Another type of attack is an ARP table overflow, which is useful for turning network switches (which broadcast traffic selectively to specific ports) into network hubs (which broadcast all traffic to all ports). In this type of attack, special packets create multiple fake entries in the switch's ARP table, until the table is completely full. Once that happens, the network switch can't find other clients, and so broadcasts all traffic to all ports.

MITM Scenarios

Network Tap

The network tap scenario is one in which the attacker must have physical access to the wired network. They are physically conducting a man-in-the-middle attack by using two network devices, one connected to the sheep, one connected to the gateway,

Man in the Middle/Wired/Network Tap - you can build a bridge between the two network devices, and sniff traffic crossing the bridge

In the network tap setup, the attacker physically sits between the sheep and the network router or network switch:

    +--------[Target computer]
[ Attack computer ]

This is a Physical Layer 1 attack.

Network Near Neighbor

The first scenario is that the attacker is a near-neighbor of the target. This means the attacker and the sheep that is the target of the attack are both connected directly to a router or network switch (see diagram below).

Man in the Middle/Wired/ARP Poisoning - an ARP poisoning attack works in this case.

+----[Target computer]
|      +---[Attack computer]
|      |
|      |

With this type of configuration, a MITM attack can be carried out via ARP spoofing. Arpspoof or Ettercap are the tools for this type of job.


Ettercap - for setting up and executing a man in the middle attack. It has a variety of different methods that include ARP poisoning.

Wireshark - for viewing packets and plaintext HTTP traffic during a man in the middle session

Driftnet - for viewing images during a man in the middle session


Arpspoof - a command-line utility for ARP poisoning.