Man in the Middle Attack: Techniques, Real Examples, and Defences

A man in the middle attack is a network interception technique where an attacker secretly relays and potentially modifies communications between two parties who believe they are talking directly to each other. The attacker reads the traffic, and neither endpoint knows they are there. That opacity is what makes MITM attacks particularly difficult to detect and particularly valuable to attackers.

The Core Mechanic: Interception Without Visibility

For a man in the middle attack to work, the attacker needs two things: a position between the communicating parties, and the ability to decrypt or read the traffic once intercepted. These correspond to the two phases every MITM attack runs through: interception, then decryption.

Interception gets traffic flowing through the attacker. Once that is in place, decryption makes it readable. Modern encryption raised the cost of that second phase significantly, but did not eliminate it. Several techniques bypass HTTPS entirely, and the rise of adversary-in-the-middle (AiTM) attacks means MFA is no longer a reliable backstop.

Common Man in the Middle Attack Techniques

ARP Spoofing

The Address Resolution Protocol maps IP addresses to MAC addresses on local networks and was designed without authentication. An attacker on the same subnet can broadcast fake ARP responses claiming their hardware address corresponds to the network gateway’s IP. Other hosts accept this without verification and update their ARP caches. Traffic meant for the router arrives at the attacker’s machine instead.

This is the foundational local-network MITM technique. It works on shared Wi-Fi, on unsegmented corporate LANs, and anywhere switches lack dynamic ARP inspection. Tools like Bettercap and Ettercap automate ARP spoofing with a few commands, which is why it remains a staple of network penetration tests.

Rogue Wi-Fi Access Points

An attacker stands up a wireless access point broadcasting the same SSID as a legitimate network. Devices set to auto-reconnect join the strongest available signal. If the rogue AP is physically closer, or simply configured with higher transmit power, devices silently connect. All unencrypted traffic is visible immediately; encrypted traffic can be targeted with additional techniques.

This attack was used operationally in 2024 when Australian authorities arrested a man for running evil twin hotspots at airports and on aircraft. He captured email addresses and social media credentials from passengers whose devices automatically connected to his rogue network.

DNS Spoofing

Domain Name System spoofing corrupts resolver caches so that legitimate domain names resolve to attacker-controlled IP addresses. A victim who types a real banking URL ends up at a cloned phishing site. If the attacker presents a plausible certificate, many users proceed without noticing the substitution. Their credentials go to the attacker, who then forwards them to the real server and relays back a valid session so nothing appears wrong.

SSL Stripping

SSL stripping targets the gap between a user’s HTTP request and the server’s HTTPS redirect. If an attacker intercepts the initial request before the redirect lands, they can fetch the HTTPS content themselves while serving the victim plain HTTP. The victim sees no lock icon and may not notice. All traffic is now cleartext.

HTTP Strict Transport Security (HSTS) closes this gap for browsers that have previously visited the site or for domains on the HSTS preload list, because the browser refuses to make the initial HTTP connection at all.
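As an added illustration (not code from the original article), the following Python checks a Strict-Transport-Security header value against the header-level conditions the HSTS preload list imposes (max-age of at least one year, includeSubDomains, and the preload token), so a weak header is caught before a site is submitted; the two header values are constructed examples, and the HTTPS-only and HTTP-redirect requirements are not checkable offline.

```python
# Minimum max-age accepted by the HSTS preload list: one year in seconds.
MIN_PRELOAD_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (RFC 6797); value-less directives
    such as includeSubDomains map to None."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_problems(header_value):
    """Return the reasons a header would be rejected for preloading.
    An empty list means the header content itself qualifies."""
    d = parse_hsts(header_value)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        return ["missing or non-numeric max-age"]
    problems = []
    if max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed examples: a header that still leaves the first HTTP request
# exposed on subdomains and new visitors, and one that qualifies for preload.
WEAK_HEADER = "max-age=300"
STRONG_HEADER = "max-age=63072000; includeSubDomains; preload"
```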

Session Hijacking

Once traffic is intercepted in cleartext, session cookies (the tokens that keep you logged in after authentication) can be extracted and replayed. The attacker imports the cookie into their own browser and has full authenticated access without needing the victim’s credentials. This is why Secure and HttpOnly cookie flags exist, and why session tokens should expire frequently.

Where MFA Fits, and Where It Fails

Multifactor authentication is widely presented as the answer to credential theft. Against network-layer MITM it helps, but not uniformly. Against adversary-in-the-middle attacks, standard TOTP and push-based MFA offer no protection.

An Adversary-in-the-Middle (AiTM) attack is an advanced phishing technique where hackers use a reverse proxy to secretly position themselves between a user and a legitimate website. AiTM attacks proxy the real authentication service in real time. The victim visits what looks like a login page, enters credentials, and completes their MFA challenge. All of this happens against the real service, relayed through the attacker’s transparent proxy. So the session token that comes back is fully authenticated, and it goes straight to the attacker. The Rockstar 2FA phishing kit, active throughout 2024, used this technique against Microsoft 365 tenants at scale.

The only MFA mechanism that defeats AiTM is one that binds the credential to the legitimate origin cryptographically. FIDO2 passkeys do this. A passkey registered at login.microsoft.com generates a response that is cryptographically tied to that specific origin. No proxy can relay it to a different URL and get a valid response. This is why phishing-resistant MFA is now a CISA requirement for certain federal systems and increasingly a condition of cyber insurance policies. Captured session tokens from AiTM attacks often enable attackers to attempt privilege escalation from an already authenticated position inside the network.
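To show why the origin check defeats a relaying proxy, here is an added Python model of a WebAuthn assertion; it is not code from the article and not a real passkey implementation: an HMAC stands in for the authenticator's asymmetric signature, and login.example.com and the phishing domain are constructed. In a real browser the credential would not even be offered on the phishing origin, because the RP ID is not a suffix of it; the model shows the server-side check that would reject the assertion anyway.

```python
import hashlib, hmac, json

# Hypothetical relying party and a constructed stand-in for the passkey's
# private key. Real passkeys sign with an asymmetric key; HMAC is used here
# only so the example runs on the standard library.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://" + RP_ID
PASSKEY_SECRET = b"constructed-passkey-secret"
PHISH_ORIGIN = "https://login-example.phish.invalid"  # constructed AiTM domain

def _signed_bytes(client_data_json):
    # What the authenticator signs: rpIdHash || sha256(clientDataJSON)
    return (hashlib.sha256(RP_ID.encode()).digest()
            + hashlib.sha256(client_data_json.encode()).digest())

def sign_assertion(challenge, browser_origin):
    """Client side. The browser (not the web page) writes the origin it is
    really connected to into clientData; the authenticator signs its hash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(PASSKEY_SECRET, _signed_bytes(client_data), hashlib.sha256)
    return {"clientDataJSON": client_data, "signature": sig.hexdigest()}

def verify_assertion(assertion, expected_challenge):
    """Server side. Accept only if the signed origin and challenge are ours
    and the signature covers exactly the clientData we received."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != EXPECTED_ORIGIN:
        return False  # signed on another origin: a proxy was in the path
    sig = hmac.new(PASSKEY_SECRET, _signed_bytes(assertion["clientDataJSON"]),
                   hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, assertion["signature"])

def direct_login(challenge):
    """Legitimate flow: the browser is on the real origin."""
    return verify_assertion(sign_assertion(challenge, EXPECTED_ORIGIN), challenge)

def proxied_login(challenge, rewrite_origin=False):
    """AiTM flow: the proxy relays the real challenge, but the victim's browser
    is on the phishing domain, so that is the origin that gets signed. With
    rewrite_origin the proxy edits clientData to claim the real origin, which
    invalidates the signature instead."""
    assertion = sign_assertion(challenge, PHISH_ORIGIN)
    if rewrite_origin:
        data = json.loads(assertion["clientDataJSON"])
        data["origin"] = EXPECTED_ORIGIN
        assertion["clientDataJSON"] = json.dumps(data, sort_keys=True)
    return verify_assertion(assertion, challenge)
```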

State-Level MITM: Salt Typhoon

Nation-state threat actors do not always target individual endpoints. The Salt Typhoon campaign, attributed to Chinese state-linked operators and disclosed in 2024, placed persistent access inside US telecommunications carriers including AT&T, Verizon, and T-Mobile. Rather than attacking individual devices, the group positioned themselves inside carrier routing infrastructure, intercepting voice calls and obtaining call records at carrier scale. While most man in the middle attacks target single victims, this is MITM elevated to infrastructure level: a position inside the backbone itself.

Detecting Man in the Middle Attacks

MITM attacks are designed to be invisible, so passive monitoring is the primary detection path. Some signals are still worth watching:

  • ARP cache anomalies. Multiple IP addresses sharing a single MAC address, or sudden changes to a gateway MAC, indicate ARP spoofing. Run arp -a and compare against expected values.
  • Certificate fingerprint changes. If a regularly visited site presents a different certificate or CA than expected, investigate. Certificate pinning in apps forces hard failures on unexpected certs.
  • DNS resolution discrepancies. Cross-check a local resolution against an external trusted resolver. Differences may indicate cache poisoning.
  • Unusual latency. Traffic relayed through an intermediate host introduces measurable delay. Sustained latency increases to a single destination with no network change are worth investigating.
  • NDR and IDS alerts. Network detection tools can flag ARP floods and unusual certificate presentations. Because MITM attacks leave no server-side footprint, these passive sensors are often the only source of evidence.
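Added example, not from the article: a Python check over constructed arp -a output that flags the two ARP signals listed above, one MAC answering for several IPs and a gateway whose MAC no longer matches a recorded baseline. The addresses and the baseline are constructed; the parser accepts the Linux "(ip) at mac" layout and the Windows "ip mac dynamic" layout with hyphenated MACs.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output from a Linux host. The last line shows a
# poisoning attempt: the gateway's IP now resolves to the same MAC as the
# host at 192.168.1.23, and that MAC differs from the recorded baseline.
SAMPLE_ARP_OUTPUT = """\
_gateway (192.168.1.1) at de:ad:be:ef:00:23 [ether] on wlan0
printer.lan (192.168.1.40) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.50) at <incomplete> on wlan0
? (192.168.1.23) at de:ad:be:ef:00:23 [ether] on wlan0
"""

# Known-good gateway mapping recorded on a clean network (constructed).
BASELINE = {"192.168.1.1": "00:50:56:c0:00:08"}

# An IPv4 address followed by a MAC; incomplete entries have no MAC and
# are skipped. Works for both the Linux and the Windows arp -a layouts.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b", re.IGNORECASE)

def parse_arp(output):
    """Return {ip: mac} with MACs normalised to lower-case, colon-separated."""
    return {m.group("ip"): m.group("mac").lower().replace("-", ":")
            for m in ENTRY_RE.finditer(output)}

def find_anomalies(table, baseline):
    """Flag one MAC answering for several IPs, and a baseline host (the
    gateway) whose MAC has changed."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    for ip, expected in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != expected:
            findings.append(f"gateway {ip} moved from {expected} to {seen}")
    return findings

def check_arp_output(output, baseline=BASELINE):
    return find_anomalies(parse_arp(output), baseline)

if __name__ == "__main__":
    for finding in check_arp_output(SAMPLE_ARP_OUTPUT):
        print("ALERT:", finding)
```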

Defences That Work

Layered controls are the right model because no single technology eliminates the full attack surface against man in the middle attacks.

  • HSTS preloading for web properties: eliminates SSL stripping on enrolled domains for compliant browsers.
  • Dynamic ARP inspection on managed switches: drops ARP replies whose IP-to-MAC binding the switch cannot validate, limiting ARP spoofing to VLAN boundaries.
  • DNSSEC: cryptographically signs DNS responses, blocking cache poisoning on compliant resolvers.
  • Certificate pinning: binds applications to expected certificate fingerprints, detecting forged TLS certificates.
  • FIDO2 passkeys: the only commonly available MFA mechanism that defeats AiTM by binding credentials to the origin.
  • VPN on untrusted networks: moves the interception attack surface from the local network to the VPN endpoint, where the organisation has more visibility and control.
  • Short session lifetimes: limits the value of captured session tokens.

FAQ

What is the simplest example of a man in the middle attack?

The clearest example is a rogue Wi-Fi access point. An attacker sets up a hotspot with the same name as a legitimate network. A user’s device auto-connects. All unencrypted traffic (DNS queries, HTTP requests, any application traffic not using TLS) is visible to the attacker. No malware is needed on the victim’s device; no server is compromised.

What is the difference between eavesdropping and a MITM attack?

Passive eavesdropping only captures traffic; the attacker does not interact with either party. A MITM attack actively relays traffic and can modify it. In practice, most MITM attacks include an eavesdropping component, but the defining feature is the active relay: the attacker is between the parties, not just observing from the side.

Can MITM attacks be performed against TLS-encrypted traffic?

Yes, through multiple routes. SSL stripping attacks the negotiation phase before TLS is established. Forged certificates allow a legitimate-looking TLS session with the attacker. AiTM proxies relay a real TLS session while sitting between user and server. Each technique has specific mitigations: HSTS for stripping, Certificate Transparency and pinning for forged certs, FIDO2 for AiTM.

Is a proxy server a man in the middle?

A proxy server is architecturally similar to a MITM setup, and corporate TLS inspection proxies are technically MITM devices. The difference is consent: corporate proxies are deployed with the knowledge of the organisation and, ideally, disclosed to users. MITM attacks intercept without knowledge or consent. The underlying mechanics are identical; the ethical and legal context is not.

What pen testing tools simulate man in the middle attacks?

Bettercap handles ARP spoofing, DNS spoofing, and HTTP/HTTPS interception in a unified framework. mitmproxy provides a scriptable HTTP/HTTPS proxy for intercepting and modifying traffic. Responder performs LLMNR and NBT-NS poisoning on Windows networks. EvilGinx2 is an AiTM phishing framework that captures credentials and authenticated session tokens, which is why it is used to test whether an organisation's MFA is actually phishing-resistant. All are standard tools in network and red team assessments.
