IP Attacks - Man in the middle

TL;DR : By positioning themselves between the victim and the legitimate server, attackers can monitor, redirect, and manipulate network traffic. We cover setting up interception, monitoring traffic, redirecting communication, and altering data. We also discusses the severe security implications, such as data theft and manipulation.

In Layerman"s terms
Bob: A visitor to a small shop.
Alice: The shop owner.
Jack: A prankster.

Jack wants to intercept and manipulate the communication between Bob and Alice.

When Bob tries to send a message to Alice through a messenger, Jack intercepts the messenger halfway.

Jack then pretends to be the messenger and receives Bob's message. Instead of delivering it directly to Alice, Jack reads the message, alters its content, and then passes it on to Alice as if nothing happened.

Alice responds to Bob, and Jack intercepts her response, altering it before it reaches Bob.

Both Bob and Alice are unaware that Jack is intercepting and manipulating their communication.

Scenario: Man-in-the-Middle (MitM) Attack to Intercept and Alter Communication

Step 1: Setting Up the Interception

The attacker positions themselves between the victim and the communication endpoint. This can be achieved through various methods such as compromising a router, using a rogue Wi-Fi access point, or exploiting a vulnerability in the network. This is done to gain the ability to intercept and manipulate the traffic between the victim and the legitimate server. For total efficacy, the attacks are designed to be covert and transparent (like in WW2).

Step 2: Monitoring Network Traffic

The attacker uses network sniffing tools like Wireshark or Ettercap to monitor the traffic between the victim and the server. They capture the data packets being transmitted, which may include sensitive information such as login credentials or personal details. Here we observe and analyze the communication, looking for valuable or actionable information.

Step 3: Redirecting Traffic

The attacker uses ARP (Address Resolution Protocol) spoofing or DNS spoofing techniques to redirect the victim's traffic through their own device. This makes the victim believe they are communicating with the legitimate server, while in reality, their traffic is passing through the attacker's device. By doing this the attacker control the communication channel and enable the interception and modification of data.

Step 4: Intercepting and Altering Communication

The attacker intercepts the traffic. From there, the attacker can be passing and only relisten to the re-transmission, or can alter the communication between the victim and the server. For example, attackers can redirect the victim to a fake website on the inbound, or modify the content of the messages on the outbound to inject code. Here we deceive the victim and gain unauthorized access to sensitive information or disrupt normal communication.

Step 5: User Interaction

To exploit the victim's trust in the communication channel, attackers would allow victims to continue their interaction with what they believe is the legitimate server, unaware that their communication is being intercepted and potentially altered by the attacker.


There are multiple techniques to perform public Wi-Fi MITM Attacks:

  • Evil Twin Attack: The rogue access point mimics the name of a legitimate Wi-Fi network. Users inadvertently connect to it, allowing attackers to intercept traffic.
  • SSL Stripping: When users attempt to visit secure websites (HTTPS), the attacker downgrades the connection to an unencrypted HTTP. This allows the attacker to capture sensitive information such as login credentials and personal data without the user's knowledge.
  • DNS Spoofing: Attackers manipulate the DNS responses, redirecting users to malicious websites even when they type the correct URLs into their browsers. Read more here

Effect on Privacy, Anonymity, and Hacking Concerns

Most users today are particularly vulnerable to man-in-the-middle (MITM) attacks because mobile connectivity protocols are designed to connect to any available network, automatically reconnect to known services, and switch providers to ensure the best internet service. This is a common threat in places like cafes, airports, and hotels. This behavior can be exploited by attackers who set up rogue access points mimicking legitimate networks, such as "Starbucks Wi-Fi," to intercept user data. Unsuspecting users connected to this network, believing it to be the official Wi-Fi provided by the establishment. Once connected, the attackers positioned themselves between the users and the actual internet connection, intercepting and relaying all data.

The direct consequences are data theft where (where attackers can steal login credentials, credit card numbers, and other personal information), impersonation (attackers can impersonate the user on various websites, potentially leading to unauthorized transactions and information breaches) and the painfull loss of privacy ( where sensitive communications, such as emails and chat messages, can be intercepted and read while users digital signatures are identified and stored to be re-coupled through databases aggregations online ).

Real world example

  • In 2013, the Syrian Electronic Army (SEA) targeted several staff members of The Onion, a satirical news website, through a series of phishing attacks. The hackers sent emails posing as Google, claiming there was a security breach. These emails prompted the recipients to enter their login credentials on a fake Google login page. Once the employees entered their information, it was captured by the attackers, giving them access to The Onion's internal systems. This attack allowed the SEA to compromise The Onion's Twitter account, from which they posted pro-Syrian government messages and anti-Western propaganda.

  • In 2012, Trusteer, a cybersecurity company, reported a significant man-in-the-middle (MITM) attack involving the TorRAT malware. Cybercriminals used this malware to infect victims' computers, intercepting internet banking transactions. As users believed they were securely communicating with their bank, the attackers redirected the transactions to their accounts. This sophisticated attack highlighted the vulnerabilities in online banking systems and the need for robust cybersecurity measures to protect financial transactions from such threats.

  • A notable real-world example of a man-in-the-middle (MITM) attack via a public Wi-Fi network involves Russian hackers known as APT 29. They used Wi-Fi spoofing devices to attempt to hack into the network of the Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague. The attackers set up a rogue access point that mimicked the legitimate network, tricking users into connecting to it. Once connected, the attackers could intercept and manipulate the data transmitted by the users, gaining access to sensitive information.

  • In 2019, an elaborate man-in-the-middle (MITM) attack orchestrated by hackers intercepted a $1 million wire transfer intended for an Israeli startup from a Chinese venture capital firm. The attackers used spoofed email domains closely resembling the legitimate ones to deceive both parties. They monitored and altered communications to redirect the funds to their account. This sophisticated attack demonstrates the critical need for robust security measures and verification processes in financial transactions to prevent such cyber threats (Threatpost)

  • DarkHotel attack This sophisticated campaign targeted high-profile executives and government officials by compromising Wi-Fi networks in luxury hotels. The attackers would set up rogue Wi-Fi access points or compromise existing ones to intercept the victims' internet traffic. Once connected, the attackers used a variety of techniques, including ARP spoofing and DNS hijacking, to steal sensitive information such as login credentials and personal data​ (VPNOverview.com)​​ (DevX)​.


Thanks and Congratulations for reading this to the end. We hope this article brings a little clarity over XSS attacks.