Man-in-the-middle (MITM) attacks are a valid and extremely successful threat vector. Exploiting them usually requires knowledge of various tools and either physical access to the network or proximity to an access point. MITM attacks usually take advantage of ARP poisoning at Layer 2, even though this attack has been known and discussed for almost a decade.
An MITM attack can take a few different forms. ARP poisoning is the most popular, but DHCP, DNS, and ICMP poisoning are also effective, as is the use of a malicious wireless access point (AP). Fake access points have become a common threat vector, exploiting the habit of clients automatically connecting to known SSIDs. This lets an attacker intercept the victim’s network traffic without the victim seeing any indication of being under attack. To hasten that connection, the legitimate access point can itself be attacked so that the malicious AP becomes the last AP standing.
ARP poisoning works by simply replying to Address Resolution Protocol (ARP) requests with the attacker’s MAC address. The attacker tells the device that needs to communicate with the victim’s computer that it knows how to reach the victim, and then tells the network that the attacker’s computer is the victim’s computer, completely masquerading as the victim and replying on its behalf. The switch then updates its table of MAC addresses with the attacker’s MAC address; it uses this table to route traffic and now believes the attacker’s system is the victim’s system. This creates an MITM situation in which the victim’s traffic passes through the attacker and then out through the gateway to wherever it needs to go.
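The poisoning described above leaves two traces on the wire that a monitor can catch: an IP address that is suddenly claimed by a second MAC, and ARP replies that answer no recent request. The following detector is an added example written for this page, not code from the original article; the ArpFrame record layout and the sample frames are constructed, and the 2-second request window is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    """One ARP packet as seen by a passive monitor on the segment (constructed layout)."""
    ts: float          # capture time in seconds
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


def detect_arp_poisoning(frames):
    """Return (timestamp, alert) tuples for ARP behaviour typical of cache poisoning.

    Check 1: an IP already bound to one MAC is claimed by a different MAC.
    Check 2: a reply arrives for an IP that nobody asked about in the last
             2 s (assumed window), i.e. an unsolicited reply pushing a binding.
    """
    bindings = {}                # ip -> MAC first seen for that ip (seed from a
                                 # known-good table in production, not first sight)
    pending = defaultdict(list)  # target_ip -> timestamps of outstanding requests
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.op == "request":
            pending[f.target_ip].append(f.ts)
            continue
        # keep only requests still inside the window; any left means this reply was solicited
        pending[f.sender_ip] = [t for t in pending[f.sender_ip] if f.ts - t <= 2.0]
        if pending[f.sender_ip]:
            pending[f.sender_ip].pop(0)
        else:
            alerts.append((f.ts, f"unsolicited reply: {f.sender_ip} is-at {f.sender_mac}"))
        known = bindings.setdefault(f.sender_ip, f.sender_mac)
        if known != f.sender_mac:
            alerts.append((f.ts, f"binding change: {f.sender_ip} {known} -> {f.sender_mac}"))
    return alerts


# Constructed sample: a legitimate request/reply for the gateway 10.0.0.1,
# then an unsolicited reply claiming the gateway's IP from a second MAC.
SAMPLE = [
    ArpFrame(1.0, "request", "10.0.0.20", "aa:aa:aa:aa:aa:20", "10.0.0.1"),
    ArpFrame(1.1, "reply",   "10.0.0.1",  "aa:aa:aa:aa:aa:01", "10.0.0.20"),
    ArpFrame(5.0, "reply",   "10.0.0.1",  "bb:bb:bb:bb:bb:99", "10.0.0.20"),
]

if __name__ == "__main__":
    for ts, msg in detect_arp_poisoning(SAMPLE):
        print(f"t={ts:.1f}s  {msg}")
```

Feeding real captures in requires only converting each ARP packet into an ArpFrame; the same two checks are what arpwatch-style tools raise as "changed ethernet address" and "bogon" events.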