What is a man-in-the-middle (MITM) cyberattack?

What is a man-in-the-middle attack?

In practical terms, a man-in-the-middle attack exploits the lack of or weak authentication at certain points in the network to intercept packets and establish the attacker between two communication points. By doing this, the attacker creates two channels: one between the attacker and the client, and another between the attacker and a server.

The main purposes of MITM attacks are:

• Espionage
• Credential theft
• Script injections
• Redirection to fake websites
• Message manipulation
• Session hijacking

This is a very common attack, accounting for around 35% of current cyberattacks online.²

The case of MITM and ARP

For example, in the case of the Address Resolution Protocol (ARP), which was created to translate IP addresses into MAC addresses, there is a central vulnerability: ARP believes that any response it receives is legitimate, without need of verification.

Therefore, ARP seeks to connect layers 2 and 3 of the OSI model — which we will detail shortly — which have different address records. Layer 2, specific to LANs and switches, comprises MAC addresses, but layer 3, specific to routers, understands IP addresses.

Thus, deceiving communications between different network protocols and exploiting the vulnerability of this connection is at the heart of a man-in-the-middle attacks.

Understanding vectors of MITM attacks

Low-level attacks and local network (Layers 1, 2, and 3)

At the base of the OSI model are the layers that deal with the physical medium and local delivery of frames: cables, fibers, radio signals, network cards, switches, and routers.

Layer 1 (Physical)

At this level, the risk is eminently physical: any access to the medium (an exposed cable, an installed TAP, a rogue device connected to the infrastructure) allows direct capture of signals converted into bits.

In wireless environments, the broadcast nature of the medium makes the physical layer even more vulnerable: clients and devices can be lured to a fake access point (evil twin) and have all their traffic made available to the attacker. Furthermore, it is possible to perform cable tapping³ directly on the connection cables of that network.

Layer 2 (Link/MAC)

Here, ARP and Ethernet dominate local communication. The aforementioned Address Resolution Protocol (ARP) translates IP addresses into MAC addresses without any authentication mechanism. As already pointed out, this flaw is the root cause of classic ARP spoofing/cache poisoning in which a malicious host sends fake ARP replies to convince victims to associate the gateway IP with the attacker's MAC.

The practical result is that local traffic passes through the attacker, who can simply spy on, manipulate, or inject content.

In the context of Layer 2 wireless, the evil twin works on the same principle: getting the client to connect to a point controlled by the attacker.

Layer 3 (Network/IP)

Finally, this later deals with routing and forwarding between subnets. Its main vulnerabilities are:

• IP spoofing: a technique in which the attacker falsifies the source IP address in packets sent over the network, making them appear to come from another machine. In MITM, this technique can be used to deceive routing tables or to impersonate a legitimate host, facilitating redirects or forged responses that divert traffic through the attacker.
• Unauthenticated routing and traffic redirection (DNS spoofing/cache poisoning): the absence of mechanisms that verify the authenticity of routes and resolution service responses. In routers/services without authentication, an attacker can inject false routes (or manipulate DNS caches) so that names or prefixes are resolved by paths controlled by them. The practical effect is the same as ARP spoofing, but at the network level: traffic is rerouted to malicious points, allowing inspection, alteration, or blocking.

High-level attacks (Layers 4, 5, 6, and 7)

Moving up the OSI stack, Layers 4–7 deal with transport, session state, presentation/encryption, and application logic — vectors that have their protocol, configuration, and design weaknesses exploited, often without the need for direct physical access to the network.

Layer 4 (Transport)

This layer's role is to ensure end-to-end transport via TCP or connectionless delivery via UDP, relevant vulnerabilities occur when the flow is not protected by higher layers. The absence of encryption at the transport level (or above) leaves payloads and headers readable to any interceptor along the route, facilitating credential capture and data exfiltration.

In addition, the design of TCP allows for injection techniques and forged packets: an attacker who can predict or manipulate sequence numbers can insert segments, force resets (RST), or cause reconnection conditions that enable session hijacking or alteration. In practice, these attacks are used to interrupt legitimate connections, force insecure reconnections, or insert payloads into unencrypted streams.

Layer 5 (Session)

This focuses on maintaining dialogue between client and server: cookies, tokens, session identifiers, and keep-alive mechanisms. Typical flaws — cookies without Secure/HttpOnly flags, tokens transmitted in plain text, or sessions not tied to the client — open the door to sidejacking and replay attacks: an attacker who captures a valid cookie or token can reuse it on another host and take over the user's session without needing credentials.

In MITM scenarios, this is often the next step after intercepting traffic: capturing a token at Layer 4 and using it at Layer 5 for unauthorized access.

Layer 6 (Presentation/TLS)

This should be the defense layer: this is where TLS/SSL encrypts data before it is delivered to the transport. However, weak configurations, poorly managed certificates, or the absence of mechanisms such as HSTS⁴ allow downgrade⁵ and SSL-stripping⁶ attacks.

In these attacks, the attacker, often in a MITM position, forces the client to negotiate an insecure connection (HTTP) or takes advantage of the lack of certificate validation to insert a proxy that sees the traffic in clear text. The result is that the protection expected by the application disappears exactly where it should exist.

Layer 7 (Application)

This is the final stage: protocols and services (HTTP/S, REST APIs, SMTP, FTP, DNS in its resolution role) offer rich surfaces for exploitation — credential theft, content injection (XSS), endpoint exposure, and authentication/authorization failures. When lower layers (especially TLS) fail, the application layer is fully exposed: a user redirected to a cloned website (via DNS spoofing) or connecting via HTTP may have their credentials, cookies, and tokens exfiltrated or manipulated.

Hands-on tests combine DNS manipulation, proxies, and fake servers to demonstrate phishing, HTTPS spoofing, and exfiltration through poorly protected APIs.

Attack and defense tools

A well-known tool for performing MITM tests is Bettercap⁷, a modular tool written in Go, developed as an evolution of Ettercap⁸ and the old MITMf⁹. This tool allows you to discover local networks, rogue APs, ARP spoofing, DNS/HTTP proxies, TLS inspection, and packet capture in a single lightweight framework. It is important to note that it requires elevated privileges and should only be used in controlled environments or with explicit authorization.

Some of its main modules and utilities are described in this table. For more information, see the official documentation.¹⁰.

Famous cases of MITM

Tesla account phishing & MITM (2024)

Attack used: Using a phishing-based MITM, attackers phished Tesla users and interposed themselves in the auth/registration flow (e.g., tricking users into registering a new “phone key”), enabling credential/session capture and remote vehicle control (unlock/start) via the mobile-app path.¹¹

Vulnerability/weakness exploited: Social engineering & weaknesses in the authentication/registration flows were exposed via HTTP(S) interactions (user tricked into revealing one-time codes or authorizing device links) and the ability to intercept or proxy the relevant mobile app/web traffic during the registration flow.

OpenSSH session hijacking vulnerabilities (Feb. 2025)

Attack used: Active man-in-the-middle and denial-of-service scenario where a malicious host impersonated a legitimate SSH server to a client that relies on DNS-host-key verification.¹²

Vulnerability/weakness exploited: A logic/verification bug in OpenSSH’s handling of VerifyHostKeyDNS (how hostkey verification and error codes are handled), allowing the attacker to spoof DNS responses (or otherwise manipulate verification) and trick clients into accepting a forged hostkey.

Salt Typhoon and U.S. telecom breach (2024–2025)

Attack used: Compromise of carrier management infrastructure followed by router reconfiguration (creation of GRE/IP-in-IP tunnels, policy routes and traffic mirroring) and deployment of persistent implants — effectively turning provider routers into transparent interception points for signaling and media (carrier-scale MITM).¹³

Vulnerability/weakness exploited: Chained device-level flaws and operational weaknesses: exploitation of Cisco IOS/XE web-UI and privilege-escalation CVEs (to gain root on routers) combined with credential compromise and misuse of management interfaces, allowing attackers to modify routing/forwarding state and establish covert tunnels for traffic interception.

Conclusion

Man-in-the-middle attacks persist because they exploit both technological gaps and misplaced trust in the network. From large-scale intrusions like Salt Typhoon to targeted phishing campaigns such as the Tesla case, these incidents reveal how attackers continue to bypass weak encryption practices, poor authentication, and outdated routing protocols.

Mitigation depends on layered defense: encrypting all traffic with strong TLS configurations, enforcing HSTS and certificate pinning, securing routers and DNS with authenticated mechanisms, and constantly monitoring for anomalies.

Ultimately, protecting against MITM means eliminating blind trust. Their persistence and repercussions also indicate that we should question the systems left behind by internet designers — systems built for openness and interoperability, not for adversarial resilience. The future of secure communication depends on rebuilding that trust layer by layer, ensuring that every interaction, from local packets to global routing, is verifiable, encrypted, and beyond manipulation.

And it is logical that all technology, no matter how robust, will always have vulnerabilities.

But sometimes it just seems too easy, don't you think?

References

1. Imperva: OSI Layer
2. Netwrix: Man in the Middle represents 35% of cyber attacks
3. PMC: Cable-tapping
4. Princeton: HSTS Pinning
5. Alashwali & Rasmussen: Downgrade
6. Nikiforakis, Younan & Joosen: SSL Striping
7. GitHub: BetterCap
8. Github: Ettercap
9. GitHub: Mitmf
10. Bettercap.org: Bettercap Documentation
11. Sysnet Shielf: MITM attack on Tesla
12. National Vulnerability Database: OpenSSH Vulnerability
13. Recorded Future: US Telecom Breach