In a MITM attack, the attacker inserts themselves between the user and the application the user is trying to reach, becoming an unseen proxy. In the classic local-network variant, the attacker binds the gateway's IP address to their own MAC address, so when the user makes a request it is sent to the attacker instead of the gateway, and all of the user's traffic is routed through the attacker's proxy.
Here’s how MITM attacks work:
First, the attacker gains access to a vulnerable environment by connecting to or compromising a weak point in the communication path. Common targets include:
Public Wi-Fi Networks: Open, password-free networks let attackers easily join and intercept traffic.
Insecure Routers: Routers with default passwords or outdated firmware can be hijacked.
Phishing Emails: Victims may be tricked into installing malware that facilitates interception.
Hijacked Web Servers: Legitimate sites can be cloned or compromised to act as MITM proxies.
Next, the attacker positions themselves in the middle.
They use techniques such as Address Resolution Protocol (ARP) spoofing or Domain Name System (DNS) spoofing to impersonate a trusted part of the network, usually the router or a server, so that the victim's traffic is redirected through the attacker's device.
The attacker then begins to intercept traffic. All data that the victim sends or receives now flows through the attacker’s system. This includes anything from browsing activity to sensitive login credentials.
If the data is encrypted (e.g., HTTPS), the attacker must still defeat the encryption before the traffic is readable.
Common techniques are SSL stripping, which downgrades the connection to plain HTTP; installing fake certificates so the victim's browser trusts the attacker's encrypted session; and malware on the victim's device that reads the traffic locally, before it is encrypted or after it is decrypted.
Once the traffic is intercepted and readable, the attacker captures or manipulates it.
At this point attackers can steal information such as usernames, passwords, and credit card details, or inject malicious code into web pages the victim visits.
Finally, the attacker forwards the traffic to avoid detection.
To keep the communication flowing and stay hidden, the attacker forwards requests and responses between the victim and the real destination, making the attack invisible to most users.
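As an added example (not from the original article), here is a small passive detector for the ARP spoofing used in the positioning step above: it reads constructed ARP-reply observations of the form `<time> <IP> <MAC>` and flags a trusted gateway IP being answered for by an unexpected MAC, as well as a single MAC claiming several IPs. The trusted gateway binding and the sample data are assumptions.

```python
"""Flag ARP-spoofing indicators in a stream of observed ARP replies.

Added example, not from any specific tool. Each input line is
'<time> <sender IP> <sender MAC>', the fields a passive ARP monitor
(e.g. one logging unsolicited or gratuitous replies) would record.
"""
from collections import defaultdict

# Assumed known-good gateway binding (e.g. from a static ARP entry or
# a network inventory captured at a trusted time).
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Constructed sample: the last two replies show a host's MAC answering
# for the gateway's IP, the signature of ARP cache poisoning.
SAMPLE_ARP_REPLIES = """\
10:00:01 192.168.1.1 aa:bb:cc:00:00:01
10:00:02 192.168.1.20 de:ad:be:ef:00:20
10:00:03 192.168.1.25 de:ad:be:ef:00:25
10:00:04 192.168.1.1 de:ad:be:ef:00:25
10:00:05 192.168.1.1 de:ad:be:ef:00:25
"""


def parse_replies(text):
    """Yield (time, ip, mac) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        t, ip, mac = parts
        yield t, ip, mac.lower()


def detect_arp_spoofing(text, trusted=TRUSTED):
    """Return alerts as (time, kind, ip, mac) tuples for two indicators:
    'trusted_mismatch': a reply binds a trusted IP to a different MAC;
    'mac_conflict': one MAC now claims more than one IP (its own plus the
    gateway's). Repeated identical bindings are evaluated only once."""
    alerts = []
    ips_by_mac = defaultdict(set)
    seen = set()
    for t, ip, mac in parse_replies(text):
        if (ip, mac) in seen:
            continue  # same binding repeated; already evaluated
        seen.add((ip, mac))
        if ip in trusted and trusted[ip] != mac:
            alerts.append((t, "trusted_mismatch", ip, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((t, "mac_conflict", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(*alert)
```

On a real network, feed the detector from a tool that logs ARP replies and treat a `trusted_mismatch` on the gateway as a high-priority alert, since that is exactly the redirection described in the positioning step.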