How it typically works
- Interception: the attacker gets onto the path between two endpoints so that their traffic passes through, or is visible to, the attacker's machine (e.g., by running a rogue Wi-Fi access point, or by ARP or DNS spoofing on a local network).
- Relaying / impersonation: the attacker forwards traffic between the two parties while appearing to each as the other, so the conversation continues and neither side notices the detour.
- Exfiltration or manipulation: credentials, session tokens or data are copied, or messages are altered in transit (e.g., the beneficiary account in a payment instruction is replaced).
These basic steps apply across different MITM techniques.
Common techniques & variants
- ARP poisoning / local network spoofing (classic local-LAN MITM).
- HTTPS interception / TLS downgrade or forged certificates (active interception of web traffic; it succeeds only if the client accepts an untrusted certificate or can be pushed back to plaintext).
- DNS spoofing / pharming (forged DNS answers redirect the victim to attacker-controlled hosts).
- Proxying and AITM (Adversary-in-the-Middle) phishing (phishing sites that reverse-proxy the real login page, capturing the credentials and the resulting session cookie, which is how these kits defeat most MFA).
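The interception step above and the first technique in the list, ARP poisoning, are the easiest to observe passively: the attacker has to keep sending unsolicited ARP "is-at" replies that bind the gateway's (and/or the victim's) IP address to the attacker's MAC. The detector below is an added example, not code from the original page or from any of the sources listed; it replays a constructed list of ARP replies in capture order and raises the two alerts a practitioner watches for: an IP whose MAC binding changes, and a single MAC that claims more than one IP. The addresses, the `trusted` table and the alert format are assumptions made for the illustration.

```python
"""
Added example: a minimal passive ARP-cache poisoning detector.

It walks ARP replies (opcode 2, "is-at") in the order a sniffer would see
them and reports:
  1. "ip_rebound": an IP that is suddenly claimed by a different MAC than the
     one it was bound to (the attacker's unsolicited replies), and
  2. "mac_multi_ip": one MAC that claims several IPs (an attacker posing as
     both the gateway and a victim at the same time).
All addresses below are constructed for the example.
"""
from collections import defaultdict

# Constructed capture. 192.168.1.1 is the gateway (real MAC aa:bb:cc:dd:ee:01),
# 192.168.1.10 a victim workstation, 00:11:22:33:44:55 the attacker's MAC.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:dd:ee:01"),   # gateway, legitimate
    ("192.168.1.10", "aa:bb:cc:dd:ee:10"),   # victim, legitimate
    ("192.168.1.20", "00:11:22:33:44:55"),   # attacker's own host, legitimate
    ("192.168.1.1",  "00:11:22:33:44:55"),   # attacker claims to be the gateway
    ("192.168.1.10", "00:11:22:33:44:55"),   # attacker claims to be the victim
    ("192.168.1.1",  "aa:bb:cc:dd:ee:01"),   # real gateway answers again
]

# Assumed trusted binding, e.g. taken from a DHCP lease or a static inventory.
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert dicts for the suspicious replies in `replies`.

    `trusted` maps IP -> MAC for bindings known to be correct. Without it the
    detector falls back to trusting the first MAC seen for each IP, which an
    attacker who is already poisoning when the sniffer starts can exploit
    (the first-seen weakness shown in the second run in main()).
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)   # every IP each MAC has ever claimed
    alerts = []

    for ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)

        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # first-seen binding, no alert
        elif known != mac:
            alerts.append({"kind": "ip_rebound", "ip": ip,
                           "old_mac": known, "new_mac": mac})

        # A router legitimately owning several IPs also trips this rule, so
        # in production seed `trusted` with such hosts to keep it quiet.
        if len(ips_by_mac[mac]) > 1:
            alerts.append({"kind": "mac_multi_ip", "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})

    return alerts


def main():
    print("With a trusted gateway binding:")
    for a in detect_arp_poisoning(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print("  ", a)

    # First-seen weakness: if the attacker's reply is the first one captured,
    # the detector without `trusted` blames the real gateway instead.
    late_start = [("192.168.1.1", "00:11:22:33:44:55"),
                  ("192.168.1.1", "aa:bb:cc:dd:ee:01")]
    print("Late start, no trusted table:")
    for a in detect_arp_poisoning(late_start):
        print("  ", a)


if __name__ == "__main__":
    main()
```

The `trusted` table is what separates a useful detector from a noisy one: with it, the very first forged reply is attributed to the right MAC, and a legitimate multi-homed router can be excluded from the second rule.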
Impact
MITM attacks can result in credential theft, session hijacking, fraudulent transactions, data leakage, or malware injection into otherwise legitimate downloads and pages. Even brief interception can expose highly sensitive material such as session tokens, one-time passwords and personal information.
Further reading
- NIST: Man-in-the-Middle Attack
- OWASP: Manipulator-in-the-middle attack (attack description & mitigations)
- CISA: Mobile Communications Best Practice Guidance (secure end-to-end communications) [PDF / guidance page]
- Rapid7: Man-in-the-Middle attacks: detection & analysis (overview + detection guidance)
- Fortinet: Man-in-the-Middle Attack: types & examples