
Man-in-the-middle attacks: techniques, detection and protection

Man-in-the-middle (MITM) attacks position an attacker between communicating parties—silently, often invisibly. All techniques explained: ARP spoofing, SSL stripping, DNS spoofing, BGP hijacking, AiTM phishing.


A man-in-the-middle attack (MITM, also known as adversary-in-the-middle, AiTM) is one of the oldest and most effective attack techniques in IT security. The attacker inserts themselves unnoticed into an existing communication connection and can eavesdrop on it, manipulate it, or misuse it for their own purposes. The insidious part: both parties believe they are communicating directly with each other.

Why MITM attacks are so dangerous

Encryption alone does not protect against MITM attacks if authentication of the remote party is missing or bypassed. An attacker positioned in the middle terminates the connection with their own key and certificate, decrypts the traffic, and re-encrypts it towards the real server. If the client does not check that the certificate actually belongs to the party it wanted to talk to, both "encrypted" legs run through the attacker.

MITM enables:

  • Interception of encrypted communication (if the attacker can terminate or strip the encryption)
  • Manipulation of content (fake banking sites, tampered software updates)
  • Credential theft (intercepting login credentials)
  • Session hijacking (stealing session cookies and using them for their own requests)
  • MFA bypass (Adversary-in-the-Middle phishing)

MITM Techniques in Detail

ARP Spoofing (LAN)

How it works: The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on the local network, without any authentication. An attacker sends forged ARP replies claiming that the default gateway's IP address belongs to the attacker's MAC address. Devices that accept the reply then send their Internet-bound traffic to the attacker, who forwards it to the real gateway. Poisoning the gateway's ARP entry for the victim in the same way captures the return direction too (full-duplex spoofing).

Normal:   Victim ──→ Router ──→ Internet
MITM:     Victim ──→ Attacker ──→ Router ──→ Internet

Tools: Arpspoof, Ettercap, Bettercap

Countermeasures:

  • Dynamic ARP Inspection (DAI) on switches
  • 802.1X authentication for LAN ports (authorized devices only)
  • TLS for all connections (the MITM position alone is then insufficient)
  • Static ARP entries for critical systems
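The following is an added example, not code from the article: it builds Ethernet/ARP reply frames by hand (the same kind of packet Arpspoof or Bettercap emit), parses them back, and runs a small monitor that learns the first IP-to-MAC binding it sees and alerts when a later reply contradicts it, which is also the "ARP table monitoring" mentioned under Detection Measures below. All addresses are constructed lab values.

```python
import struct

# Constructed lab values (not from the article): a small LAN with a gateway,
# a victim, and an attacker. All MAC addresses are made up.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.100", "aa:bb:cc:00:00:64"
ATTACKER_MAC = "de:ad:be:ef:00:01"

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac) -> bytes:
    """Ethernet II frame carrying an ARP reply (RFC 826). Nothing in the frame
    proves that sender_mac really owns sender_ip; that is what spoofing abuses."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (oper, sender_ip, sender_mac), or None for anything that is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    oper = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_ip, sender_mac


class ArpWatch:
    """Monitor in the spirit of arpwatch / Dynamic ARP Inspection: the first
    IP-to-MAC binding seen is learned, a later reply that changes it is an alert."""

    def __init__(self):
        self.table = {}    # ip -> mac as first observed
        self.alerts = []   # (ip, learned_mac, new_mac)

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, ip, mac = parsed
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            # Keep the learned binding; the conflicting one is the suspect.
            self.alerts.append((ip, known, mac))


def run_demo():
    w = ArpWatch()
    # Legitimate replies, both directions, as seen during normal operation.
    w.observe(build_arp_reply(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC))
    w.observe(build_arp_reply(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC))
    # Full-duplex poisoning: the attacker claims the gateway IP towards the
    # victim and the victim IP towards the gateway.
    w.observe(build_arp_reply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC))
    w.observe(build_arp_reply(VICTIM_IP, ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC))
    return w.table, w.alerts


if __name__ == "__main__":
    table, alerts = run_demo()
    for ip, old, new in alerts:
        print(f"ALERT {ip}: learned {old}, now claimed by {new}")
```

The learn-first approach has an obvious blind spot: if the attacker's reply arrives before the legitimate one, the spoofed binding becomes the baseline. That is why switch-based Dynamic ARP Inspection validates against DHCP snooping bindings or static entries rather than against whatever was seen first.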

SSL Stripping

How it works: The attacker, already in a MITM position, catches the victim's initial plaintext HTTP request (for example a typed http:// address that would normally be redirected) and keeps the client side on unencrypted HTTP, while opening the HTTPS connection to the real server themselves and relaying the content. The victim sees no padlock but rarely notices, especially when HSTS is not active. The attack therefore depends on catching a connection before the browser has ever been told to use HTTPS for that site.

Victim ──HTTP──→ Attacker ──HTTPS──→ Server

History: SSL stripping was demonstrated by Moxie Marlinspike at the Black Hat Conference in 2009 and remained a practical attack tool for years.

Countermeasures:

  • HSTS (HTTP Strict Transport Security): Once a browser has seen the header over HTTPS, it rewrites http:// requests to https:// locally for the lifetime of max-age, so the stripped first request never leaves the machine
  • HSTS Preloading: Domain in the browser-embedded HTTPS list (strongest protection, because it closes the first-visit gap)
  • HSTS header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (a max-age of at least one year plus includeSubDomains and preload are required for the preload list)
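As an added example (not part of the original article), the following models the browser side of HSTS: a parser for the Strict-Transport-Security header, a check against the preload-list requirements quoted above, and a minimal HSTS cache that upgrades http:// URLs before a request leaves. The `sslstrip_scenario` function walks through the first-visit gap that SSL stripping exploits, a cached policy, includeSubDomains, expiry, and a preloaded domain. Host names are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Directive names are case-insensitive; unknown directives are ignored.
    Returns None when max-age is missing or invalid (the header is then ignored)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def preload_eligible(policy) -> bool:
    """Requirements of the hstspreload.org list as cited in the article:
    max-age of at least one year, includeSubDomains and preload."""
    return bool(policy) and policy["max_age"] >= ONE_YEAR \
        and policy["include_subdomains"] and policy["preload"]


class HstsStore:
    """Minimal model of a browser's HSTS cache plus the built-in preload list."""

    def __init__(self, preload_list=(), now=time.time):
        self.now = now
        self.known = {}                     # host -> (expiry, include_subdomains)
        self.preloaded = set(preload_list)  # preload entries always cover subdomains

    def record(self, host: str, header: str):
        """Called only for responses received over HTTPS (RFC 6797 section 8.1)."""
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:          # max-age=0 deletes the entry
            self.known.pop(host, None)
            return
        self.known[host] = (self.now() + policy["max_age"], policy["include_subdomains"])

    def is_hsts_host(self, host: str) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.known.get(candidate)
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Apply the HSTS upgrade before any packet is sent; port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_hsts_host(parts.hostname):
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def sslstrip_scenario():
    clock = [1_700_000_000]
    store = HstsStore(preload_list={"preloaded.example"}, now=lambda: clock[0])
    first = store.rewrite("http://bank.example.com/login")      # no policy yet: stripping works
    store.record("bank.example.com", "max-age=31536000; includeSubDomains; preload")
    second = store.rewrite("http://bank.example.com/login")     # upgraded locally
    sub = store.rewrite("http://www.bank.example.com/")         # includeSubDomains
    clock[0] += ONE_YEAR + 1
    expired = store.rewrite("http://bank.example.com/login")    # policy has lapsed
    preloaded = store.rewrite("http://api.preloaded.example/")  # no first visit needed
    return first, second, sub, expired, preloaded
```

The scenario makes the practical point explicit: only the very first http:// navigation to a non-preloaded host is exposed, and a policy that is allowed to expire re-opens that window.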

DNS Spoofing / DNS Cache Poisoning

How it works: The attacker forges DNS responses and redirects domain resolution to their own servers. Visitors to bank.example.com end up on the attacker’s fake server.

Attack Vectors:

  • DNS Cache Poisoning: Injecting forged responses into the DNS resolver cache
  • Rogue DHCP Server: The attacker distributes their own DNS server via DHCP
  • BGP Hijacking (at the routing level, leading to DNS redirects)
  • Pharming: Manipulation of the local hosts file on the victim’s system (via malware)

Countermeasures:

  • DNSSEC: Cryptographic signing of DNS data, checked by a validating resolver; forged records fail validation
  • DNS over HTTPS (DoH) / DNS over TLS (DoT): Encrypt the path to the resolver, so an on-path attacker cannot read or forge responses on that hop (they do not verify what the resolver itself returns; that is DNSSEC's job)
  • DNS resolvers with robust implementation (random source port, TXID randomization, bailiwick checks on returned records)
  • Monitoring for unusual DNS resolutions
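To make the "robust implementation" item concrete, here is an added example (not the article's code) that builds and parses raw DNS query and response packets and models the acceptance logic a resolver must apply before caching an answer: the response must arrive at the port the query was sent from, carry the outstanding transaction ID and question, and only records inside the queried zone (bailiwick) are cached. `blind_spoof` then plays an off-path attacker who floods all 65536 TXIDs at the classic fixed port 53, once against a resolver without and once with source port randomization. Names and addresses are constructed; timing races with the legitimate answer are ignored.

```python
import random
import struct

# Constructed example: the resolver is asking for bank.example.com and the
# attacker wants the cache to say 203.0.113.66 instead of the real address.
QNAME = "bank.example.com"
REAL_IP, FAKE_IP = "198.51.100.10", "203.0.113.66"


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Uncompressed names only; our builder never emits 0xC0 pointers."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid: int, qname: str) -> bytes:
    # header: id, flags (RD), qdcount, ancount, nscount, arcount; then A/IN question
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, answers) -> bytes:
    """answers: list of (name, ipv4). Flags 0x8180 = QR, RD, RA. TTL 300."""
    pkt = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        pkt += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return pkt


def parse_response(pkt: bytes):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                    # skip qtype/qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((name, ".".join(map(str, pkt[off:off + rdlen]))))
        off += rdlen
    return txid, flags, qname, answers


class Resolver:
    """The checks a caching resolver applies before it trusts a reply."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.rng, self.randomize_port = rng, randomize_port
        self.pending = {}   # source port of the query -> (txid, qname)
        self.cache = {}

    def send_query(self, qname: str) -> bytes:
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[port] = (txid, qname)
        return build_query(txid, qname)

    def receive(self, pkt: bytes, dst_port: int) -> bool:
        if dst_port not in self.pending:
            return False                                  # no query from that port: dropped
        txid, flags, qname, answers = parse_response(pkt)
        want_txid, want_qname = self.pending[dst_port]
        if not flags & 0x8000 or txid != want_txid or qname != want_qname:
            return False                                  # TXID or question mismatch
        zone = want_qname.split(".", 1)[1]
        for name, ip in answers:
            if name == want_qname or name.endswith("." + zone):   # bailiwick check
                self.cache[name] = ip
        del self.pending[dst_port]
        return True


def blind_spoof(randomize_port: bool, seed: int = 7):
    """Off-path attacker: every TXID, aimed at port 53. Returns the winning
    TXID, or None if the resolver never accepted a forged reply."""
    r = Resolver(randomize_port, random.Random(seed))
    r.send_query(QNAME)
    for guess in range(1 << 16):
        if r.receive(build_response(guess, QNAME, [(QNAME, FAKE_IP)]), dst_port=53):
            return guess
    return None


def bailiwick_demo():
    """Even an attacker who knows TXID and port cannot plant a record for
    another zone in the same reply (the Kaminsky-style 'additional' trick)."""
    r = Resolver(True, random.Random(1))
    r.send_query(QNAME)
    port, (txid, _) = next(iter(r.pending.items()))
    r.receive(build_response(txid, QNAME, [(QNAME, REAL_IP), ("www.other-bank.test", FAKE_IP)]), port)
    return dict(r.cache)
```

With a fixed port the attacker needs only a 16-bit guess and wins within one sweep; with a random port the 65536-packet flood never lands on the right socket, which is the roughly 32 bits of entropy that made post-2008 resolvers practical to defend.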

Rogue Access Points (Wi-Fi)

How it works: An attacker operates a Wi-Fi access point with the same or a similar name (SSID) as the legitimate network. Devices connect automatically or are lured by a stronger signal. The attacker sees every packet the device sends and can tamper with anything that is not protected end to end (TLS, VPN).

Evil Twin Attack: The rogue Wi-Fi network with an identical SSID and stronger signal displaces the genuine access point.

Captive Portal Attack: Fake hotel/café Wi-Fi with a login page that phishes for credentials.

Countermeasures:

  • 802.1X (WPA2/WPA3-Enterprise) for corporate Wi-Fi networks (authenticated devices only), with clients configured to validate the RADIUS server certificate; without that check an evil twin running its own RADIUS server can harvest the login attempts
  • VPN on all devices, even on trusted Wi-Fi networks
  • Wi-Fi IDS (detects rogue access points)
  • Do not automatically reconnect to known SSID names, especially open ones
  • Certificate pinning in corporate apps

BGP Hijacking (Internet Layer)

How it works: The Border Gateway Protocol (BGP) controls Internet routing—which networks are accessible via which paths. By announcing false BGP routes, entire IP address ranges can be redirected to one’s own servers.

Notable examples:

  • 2010: China Telecom announced routes for roughly 15% of Internet prefixes (tens of thousands of them) for about 18 minutes; the often-quoted "15% of traffic" overstates the effect, since only part of that traffic was actually diverted
  • 2018: BGP hijacking of Amazon Route 53 address space; forged DNS answers redirected MyEtherWallet users to a phishing site
  • 2022: Multiple BGP hijacking incidents targeting cryptocurrency infrastructure

Countermeasures:

  • RPKI (Resource Public Key Infrastructure): Cryptographic validation of BGP route origins; only works for prefixes whose holders have published ROAs and for networks that actually drop Invalid routes
  • BGP monitoring services (BGPStream, ThousandEyes)
  • DNSSEC protects DNS integrity even when a resolver's or authoritative server's prefix is hijacked (forged answers fail validation); if the hijacked prefix is the web server's, TLS certificate validation is the remaining line of defence, which in the 2018 case users clicked through
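The following is an added example, not the article's code, implementing Route Origin Validation as specified in RFC 6811 over constructed ROAs and announcements (documentation prefixes and ASNs, no real routing data). It classifies announcements as Valid, Invalid or NotFound and then runs a longest-prefix-match selection with and without an "invalid == reject" policy, to show why a more-specific hijack wins unless the prefix has a ROA and the receiving network enforces it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ROAs and announcements using RFC 5737 documentation prefixes and
# RFC 5398 documentation ASNs; not real routing data.


@dataclass(frozen=True)
class Roa:
    prefix: str      # authorised prefix
    max_length: int  # longest more-specific the holder may announce
    asn: int         # authorised origin AS


ROAS = [
    Roa("203.0.113.0/24", 24, 64496),    # exact length only
    Roa("198.51.100.0/22", 24, 64497),   # holder may de-aggregate down to /24
]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Route Origin Validation (RFC 6811): NotFound when no ROA covers the
    prefix, Valid when a covering ROA matches both origin AS and length,
    Invalid otherwise (wrong AS, or more specific than maxLength)."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def best_route(dest_ip: str, announcements, drop_invalid: bool):
    """Longest-prefix match over (prefix, origin_asn) announcements, optionally
    discarding RPKI-Invalid ones first (the 'invalid == reject' policy)."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = []
    for prefix, asn in announcements:
        if drop_invalid and validate(prefix, asn) == "Invalid":
            continue
        net = ipaddress.ip_network(prefix)
        if ip in net:
            candidates.append((net.prefixlen, prefix, asn))
    if not candidates:
        return None
    _, prefix, asn = max(candidates)
    return prefix, asn


# Scenario 1: the prefix has a ROA. The legitimate /24 competes with a
# hijacker's more-specific /25 announced from a different AS.
PROTECTED = [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64666)]
# Scenario 2: the same attack against a prefix nobody signed a ROA for.
UNSIGNED = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64666)]


def hijack_outcome(dest_ip: str, announcements, drop_invalid: bool) -> int:
    """Origin AS that ends up receiving traffic for dest_ip."""
    return best_route(dest_ip, announcements, drop_invalid)[1]


if __name__ == "__main__":
    for label, ann in (("with ROA", PROTECTED), ("without ROA", UNSIGNED)):
        for policy in (False, True):
            print(label, "drop_invalid=%s" % policy, "->", hijack_outcome(ann[0][0].split("/")[0], ann, policy))
```

Note the two failure modes the code exposes: a holder who signs a ROA with a maxLength that is too short invalidates their own de-aggregated announcements, and a prefix with no ROA at all is NotFound, which every network accepts, so publishing ROAs is as important as validating them.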

SSL/TLS Interception (Corporate MITM)

Interesting special case: Companies operate legitimate MITM positions to perform security checks on outgoing encrypted traffic (Deep Packet Inspection).

Procedure: The corporate firewall (e.g., Palo Alto, Fortinet) decrypts outgoing HTTPS connections, inspects the content for malware and data loss, and establishes a new encrypted connection to the destination server. Clients must trust the corporate CA certificate. Because the clients now only ever see the proxy's certificate, the proxy itself must validate the upstream server certificate properly (hostname, chain, revocation); a lax proxy silently downgrades the security of every connection behind it, and applications that pin certificates will stop working.

Data protection aspects: In Germany, TLS interception of employee communications is legally complex; involvement of the works council and the data protection officer as well as clear written guidelines are required.

Adversary-in-the-Middle Phishing (AiTM) – the modern threat

AiTM phishing is the most significant MITM variant for 2024/2025 and bypasses multi-factor authentication:

How AiTM works:

  1. Victim receives a phishing email with a link to a lookalike domain such as "login.microsoftonline-support.com"
  2. The page is a reverse proxy: the victim enters their credentials on it
  3. The proxy forwards every request in real time to the genuine login.microsoftonline.com and relays the responses back
  4. Microsoft's MFA challenge is displayed through the proxy; the victim enters the OTP, which the proxy relays as well
  5. Microsoft completes authentication and issues a session cookie, which passes through the proxy on its way to the victim
  6. The proxy records the session cookie (and the credentials) and sends the victim on to the genuine site; the attacker imports the cookie into their own browser and is logged in without a further MFA prompt

The attacker thus has a valid session, even though MFA was enabled.

Affected: Microsoft 365, Google Workspace, Okta, all web-based SSO services.

Detection signs:

  • Login from an unusual location / IP address (shortly after a legitimate login)
  • Token used from Country X shortly after a normal login from Country Y (impossible travel), or the same session cookie seen from two different IP addresses
  • Unusual API activity shortly after login
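The two indicators above can be checked with a few lines over sign-in telemetry. This is an added example, not the article's code: it runs over constructed sign-in events (IP-to-location enrichment is assumed to have happened already, coordinates are city centres) and raises an impossible-travel alert when consecutive logins of one user imply a speed no aircraft reaches, plus a session-reuse alert when one session identifier shows up from a second IP and country, which is what a replayed AiTM cookie looks like.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sign-in events (not real telemetry). Geo enrichment is assumed
# to have run already; lat/lon are city centres.


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    lat: float
    lon: float
    session: str   # session cookie / token identifier


def at(hour, minute):
    return datetime(2025, 3, 4, hour, minute, tzinfo=timezone.utc)


EVENTS = [
    SignIn(at(9, 0), "alice", "198.51.100.7", "DE", 52.520, 13.405, "S1"),    # Berlin
    SignIn(at(9, 5), "bob", "198.51.100.9", "DE", 52.520, 13.405, "S2"),      # Berlin
    SignIn(at(9, 7), "alice", "203.0.113.42", "US", 40.713, -74.006, "S1"),   # New York, same session
    SignIn(at(12, 0), "bob", "198.51.100.23", "DE", 48.137, 11.575, "S3"),    # Munich, new session
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance, earth radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events, max_kmh: float = 900.0, min_km: float = 100.0):
    """Two AiTM indicators:
    impossible_travel: consecutive logins of one user farther apart than a
    plane could carry them (speed > max_kmh; hops under min_km are ignored,
    otherwise two nearby geo-IP fixes minutes apart would trigger it);
    session_reuse: the same session identifier seen from a second IP/country."""
    alerts = []
    last = {}        # user -> previous SignIn
    first_use = {}   # session -> (country, ip) of first sighting
    for e in sorted(events, key=lambda x: x.ts):
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = max((e.ts - prev.ts).total_seconds() / 3600.0, 1e-6)
            if km >= min_km and km / hours > max_kmh:
                alerts.append(("impossible_travel", e.user, round(km), round(km / hours)))
        last[e.user] = e
        origin = first_use.setdefault(e.session, (e.country, e.ip))
        if origin != (e.country, e.ip):
            alerts.append(("session_reuse", e.user, origin[1], e.ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In production the session-reuse rule needs an allow-list for legitimate IP changes (mobile carriers, VPN egress rotation), and the impossible-travel rule is only as good as the geo-IP data; cloud and proxy egress points are the usual source of false positives and, for AiTM, of the true positives.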

Protection against AiTM:

  • FIDO2/Passkeys: Hardware keys or platform authenticators are phishing-resistant. FIDO2 binds the credential to the relying party's domain (rpId) and the browser writes the actual page origin into the signed data, so an assertion requested from a phishing domain is never produced for the genuine site
  • Conditional Access with token protection (tokens bound to the signing-in device) and device compliance requirements in Microsoft Entra ID, so a copied cookie is worthless elsewhere
  • Anomaly detection: Identity Protection in Microsoft Entra, context-aware access in Google Workspace (BeyondCorp)
  • Phishing-resistant MFA as a policy for privileged accounts
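To show why the relay trick from the six steps above fails against FIDO2, here is an added example (not the article's code, and not a real WebAuthn library) that models the three parties: an authenticator whose credential is scoped to an rpId, a browser that derives the rpId from the page it is actually on and writes that origin into clientDataJSON, and a relying party that verifies challenge, origin, rpIdHash and signature. HMAC with a shared key stands in for the asymmetric signature a real authenticator produces; the origin binding logic is the same. The relying party and phishing origins are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: relying party at login.example, lookalike phishing
# origin. HMAC replaces the ECDSA/EdDSA signature of a real authenticator.
RP_ID = "login.example"
RP_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login.example-support.test"


class Authenticator:
    """Toy FIDO2 authenticator: a credential is scoped to the rpId it was
    created for and is never offered to any other rpId."""

    def __init__(self):
        self.creds = {}   # rp_id -> (credential_id, key)

    def make_credential(self, rp_id: str):
        cred = (secrets.token_bytes(16), secrets.token_bytes(32))
        self.creds[rp_id] = cred
        return cred       # toy: RP stores the same key (real: the public key)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.creds:
            return None   # first line of defence: nothing to sign for this rpId
        cred_id, key = self.creds[rp_id]
        # authenticatorData = rpIdHash || flags (UP set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def browser_get(auth: Authenticator, page_origin: str, challenge: str):
    """navigator.credentials.get() as the browser performs it: rpId defaults to
    the page's effective domain and the browser, not the page script, writes
    the origin into clientDataJSON. A proxy can relay the challenge but cannot
    influence either value."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    result = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"cred_id": cred_id, "client_data": client_data,
            "auth_data": auth_data, "sig": sig}


class RelyingParty:
    def __init__(self):
        self.users = {}        # user -> (credential_id, key)
        self.challenges = {}   # user -> outstanding challenge

    def register(self, user, cred):
        self.users[user] = cred

    def begin_login(self, user) -> str:
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]

    def finish_login(self, user, response) -> str:
        """Verification steps in the order the WebAuthn spec lists them."""
        if response is None:
            return "no credential for this rpId"
        cred_id, key = self.users[user]
        if response["cred_id"] != cred_id:
            return "unknown credential"
        cd = json.loads(response["client_data"])
        if cd.get("challenge") != self.challenges.get(user):
            return "challenge mismatch"
        if cd.get("origin") != RP_ORIGIN:
            return "origin mismatch"
        if response["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rpIdHash mismatch"
        signed = response["auth_data"] + hashlib.sha256(response["client_data"]).digest()
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), response["sig"]):
            return "bad signature"
        return "ok"


def login_via(page_origin: str, tamper=None) -> str:
    """Full round trip. An AiTM proxy relays challenge and response unchanged;
    `tamper` models a proxy that edits the response on the way through."""
    auth, rp = Authenticator(), RelyingParty()
    rp.register("alice", auth.make_credential(RP_ID))
    challenge = rp.begin_login("alice")
    response = browser_get(auth, page_origin, challenge)
    if tamper and response:
        response = tamper(response)
    return rp.finish_login("alice", response)


def bump_sign_count(response):
    """Proxy edits authenticatorData (the signCount byte) without the key."""
    ad = bytearray(response["auth_data"])
    ad[-1] ^= 0x01
    return {**response, "auth_data": bytes(ad)}
```

Contrast this with the OTP in step 4 of the AiTM flow: a six-digit code carries no notion of where it was typed, so the proxy simply forwards it. The FIDO2 assertion fails twice over on the phishing origin: the authenticator holds no credential for the lookalike rpId, and even a response that somehow reached the server would fail the origin and rpIdHash checks, while the signature covers everything the proxy might try to edit.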

MITM Attacks in Penetration Testing

MITM is a standard tool in network penetration testing (internal testing). Typical procedure:

# ARP spoofing with Bettercap (pentest tool)
# (ONLY in authorized test environments!)
bettercap -iface eth0
» net.probe on                            # discover hosts on the segment
» set arp.spoof.targets 192.168.1.100     # victim whose ARP cache is poisoned
» set arp.spoof.fullduplex true           # also poison the gateway, so both directions pass through us
» arp.spoof on
» net.sniff on                            # capture the traffic now flowing through the test host

Findings from MITM penetration tests:

  • Plaintext protocols internally (HTTP, Telnet, FTP, LDAP without TLS)
  • Missing certificate validation in applications
  • Weak Wi-Fi configurations
  • LLMNR/NBT-NS name resolution poisoning (Windows-specific; a rogue responder answers failed name lookups and captures NetNTLM authentication hashes)

Detection Measures

Network Monitoring:

  • ARP table monitoring: Changes in MAC-IP mapping → Alert
  • Certificate monitoring: If the TLS certificate (issuer, fingerprint) presented for a domain changes unexpectedly → Alert
  • DNS resolution monitoring: Deviations from expected IP addresses
  • NDR/IDS: Signature-based detection of known MITM tools

Certificate Transparency: CT logs allow monitoring whether new certificates have been issued for your own domains. Services such as crt.sh or Cert Spotter alert you when new certificates are issued.

Honeypots: Strategically placed honeypot systems and honeytoken credentials that are only ever transmitted over the monitored network; if those credentials are used anywhere, someone captured them in transit, i.e. an MITM is active on the network.

Summary: Protective Measures by Attack Type

Attack type       | Primary protective measure   | Additional
ARP spoofing      | DAI on switches              | 802.1X, TLS
SSL stripping     | HSTS preloading              | TLS everywhere
DNS spoofing      | DNSSEC + DoH/DoT             | Monitoring
Rogue AP          | 802.1X (WPA3-Enterprise)     | VPN, WIDS
BGP hijacking     | RPKI                         | BGP monitoring
AiTM phishing     | FIDO2/Passkeys               | Conditional Access
TLS interception  | Certificate pinning          | Anomaly detection



About the Author

Vincent Heinen

Head of Offensive Services


M.Sc. in IT Security with more than five years of experience in offensive security analysis. Leads penetration testing engagements with a focus on web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.

OSCP+ OSCP OSWP OSWA
This article was last edited on 04.03.2026. Responsible: Vincent Heinen, Abteilungsleiter Offensive Services at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
