Airzero Sec


What Are The MITM Techniques, Detection, and Best Practices For Prevention?

- Posted in Website Security by


What is a MITM attack?

Man-in-the-middle attacks are a common type of cyber threat that lets an attacker eavesdrop on the communication between two parties. The attacker positions themselves between two legitimately communicating hosts and “listens” to a conversation they should not normally be able to hear, hence the name “man-in-the-middle”.

What are the types of MITM attacks?

Rogue Access Point

Devices with wireless cards will often try to auto-connect to the access point that is broadcasting the strongest signal. Attackers can set up their own wireless access point and trick nearby devices into joining its network. All of the victim’s network traffic can then be manipulated by the attacker. This is dangerous because the attacker does not even need to be on a trusted network to do this; the attacker only needs to be physically close enough.

ARP Spoofing

ARP is the Address Resolution Protocol. It is used to resolve IP addresses to physical MAC addresses on a local area network. When a host needs to talk to a host with a given IP address, it consults its ARP cache to resolve that IP address to a MAC address. If the address is not known, a request is broadcast asking for the MAC address of the machine with that IP address.

An attacker wanting to pose as another host could reply to requests it should not be replying to with its own MAC address. With a few carefully placed packets, an attacker can sniff the private traffic between two hosts. Valuable information can be extracted from that traffic, such as the exchange of session tokens, giving the attacker full access to application accounts they should not be able to reach.
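As an added illustration (not part of the original post), the following Python script shows the defensive side of the ARP section: a small monitor that watches ARP replies and flags the two things a spoofing attempt produces, an IP whose MAC suddenly changes and one MAC claiming several IPs at once. The sample replies, the 192.168.1.0/24 addressing and the pinned gateway MAC are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as (sender IP, sender MAC); not a real capture.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway answers with its real MAC
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # a workstation
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, consistent
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # the same MAC also claims the workstation
]

# Hypothetical pinned entry: the gateway's MAC is known in advance (assumption).
PINNED = {"192.168.1.1": "aa:bb:cc:00:00:01"}


class ArpMonitor:
    """Tracks IP-to-MAC claims seen in ARP replies and raises alerts on the
    two patterns a spoofing attack produces: an IP whose MAC changes, and a
    single MAC that claims to own several IPs at once."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.flagged_macs = set()
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        if ip in self.pinned and self.pinned[ip] != mac:
            # A reply contradicts the pinned gateway entry: highest-confidence signal.
            self.alerts.append(("pinned-mismatch", ip, mac))
        else:
            # First claim for an IP is remembered; a later different MAC is an alert.
            known = self.ip_to_mac.setdefault(ip, mac)
            if known != mac:
                self.alerts.append(("ip-mac-changed", ip, mac))
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1 and mac not in self.flagged_macs:
            # One MAC answering for several IPs is the classic relay position.
            self.flagged_macs.add(mac)
            self.alerts.append(("mac-claims-many", mac, ",".join(sorted(self.mac_to_ips[mac]))))
        return self.alerts


def scan(replies, pinned=None):
    """Feed a sequence of (ip, mac) replies through a fresh monitor and return the alerts."""
    monitor = ArpMonitor(pinned)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP_REPLIES, PINNED):
        print(alert)
```

Static ARP entries for the gateway and a network tap that feeds real replies into `observe` turn this into a usable LAN alarm; the pinned check fires on the very first bad reply, while the change and multi-claim checks catch hosts you did not think to pin.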

mDNS Spoofing

Multicast DNS is similar to DNS, but it is done on a local area network using broadcasts, like ARP. This makes it a prime target for spoofing attacks. The local name resolution system is meant to make the configuration of network devices extremely simple. Users don’t have to know exactly which addresses their devices should be communicating with; they let the system resolve it for them. Devices such as TVs, printers, and entertainment systems take advantage of this protocol since they are typically on trusted networks. When an app needs to know the address of a certain device, such as tv.local, an attacker can easily respond to that request with fake data, telling it to resolve to an address the attacker has control over. Since devices keep a local cache of addresses, the victim will now see the attacker’s device as trusted for a period of time.

DNS Spoofing

Similar to the way ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP addresses. In a DNS spoofing attack, the attacker attempts to introduce corrupt DNS cache data to a host so that, when it looks up another host by domain name, it resolves that name to an address the attacker controls. This leads to the victim sending sensitive data to a malicious host, believing they are sending information to a trusted source. An attacker who has already spoofed an IP address could have a much easier time spoofing DNS simply by resolving the address of a DNS server to the attacker’s address.
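The mDNS and DNS sections above describe the same defensive signal from two angles: an answer that should not have been given. The Python example below (added here; it is not from the original post) checks a list of observed answers for three such signals: two different answers for one transaction id and name, a .local name resolving to an address outside the LAN, and a unicast DNS answer from something other than the configured resolver. The records, the 192.168.1.0/24 LAN and the resolver at 192.168.1.1 are constructed assumptions.

```python
import ipaddress

# Assumptions for this example: the LAN is 192.168.1.0/24 and the only
# legitimate unicast DNS resolver is the gateway at 192.168.1.1.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVER = ipaddress.ip_address("192.168.1.1")

# Constructed sample of observed answers (transaction id, queried name,
# returned address, source of the reply); not a real capture.
SAMPLE_RESPONSES = [
    {"txid": 0x1A2B, "qname": "printer.local", "rdata": "192.168.1.50", "src": "192.168.1.50"},
    {"txid": 0x1A2B, "qname": "printer.local", "rdata": "192.168.1.66", "src": "192.168.1.66"},
    {"txid": 0x3C4D, "qname": "tv.local", "rdata": "203.0.113.7", "src": "192.168.1.66"},
    {"txid": 0x5E6F, "qname": "example.com", "rdata": "198.51.100.20", "src": "192.168.1.1"},
    {"txid": 0x5E6F, "qname": "example.com", "rdata": "198.51.100.99", "src": "192.168.1.66"},
]


def analyze_responses(responses, local_net=LOCAL_NET, resolver=TRUSTED_RESOLVER):
    """Return a list of (alert kind, name, detail) tuples for suspicious answers."""
    first_answer = {}
    alerts = []
    for r in responses:
        key = (r["txid"], r["qname"])
        rdata = ipaddress.ip_address(r["rdata"])
        src = ipaddress.ip_address(r["src"])
        is_mdns = r["qname"].endswith(".local")

        # Two different answers for one query id: a forged reply raced the real one.
        if key in first_answer and first_answer[key] != rdata:
            alerts.append(("conflicting-answer", r["qname"], str(rdata)))
        first_answer.setdefault(key, rdata)

        if is_mdns:
            # mDNS names describe devices on this link; an off-LAN address is suspect.
            if rdata not in local_net:
                alerts.append(("local-name-offnet", r["qname"], str(rdata)))
        elif src != resolver:
            # Unicast DNS answers should only come from the configured resolver.
            alerts.append(("unexpected-source", r["qname"], str(src)))
    return alerts


if __name__ == "__main__":
    for alert in analyze_responses(SAMPLE_RESPONSES):
        print(alert)
```

The conflicting-answer rule is the one worth keeping even on networks that use DNS over TLS for unicast lookups, because mDNS stays unauthenticated and a second, different answer for a name that was just resolved is exactly what cache poisoning on the local link looks like.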

What is the MITM attack technique?

Sniffing

Attackers use packet capture tools to inspect packets at a low level. Using specific wireless devices that can be put into monitoring or promiscuous mode can allow an attacker to see packets that are not intended for it, such as packets addressed to other hosts.

Packet Injection

An attacker can also use their device’s monitoring mode to inject malicious packets into data communication streams. The packets can blend in with valid data communication streams, appearing to be part of the communication but malicious in nature. Packet injection usually involves sniffing first to determine how and when to craft and send the packets.

Session Hijacking

Most web applications use a login mechanism that generates a temporary session token to use for future requests, to avoid requiring the user to type a password on every page. An attacker can sniff sensitive traffic to identify the session token for a user and use it to make requests as that user. The attacker does not need to spoof anything once they have a session token.
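Session hijacking is cheapest to prevent where the token is minted. The added Python example below (not from the original post) audits a Set-Cookie header for the attributes that keep a session token off the wire in clear text and out of script reach (Secure, HttpOnly, SameSite, and the __Host- prefix rules) and issues a correctly flagged cookie with a random token. The header values and cookie names are constructed.

```python
import secrets

# Attributes every session cookie should carry: Secure keeps it off plain HTTP
# (the channel a sniffer or SSL-stripping attacker sees), HttpOnly keeps it
# away from page script, SameSite limits cross-site replay.
REQUIRED_ATTRS = ("secure", "httponly", "samesite")
MIN_TOKEN_CHARS = 22  # about 128 bits of base64url-encoded randomness


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value}); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return a list of findings; an empty list means the cookie is hardened."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    for attr in REQUIRED_ATTRS:
        if attr not in attrs:
            findings.append(f"missing {attr}")
    if name.startswith("__Host-"):
        # Browsers only accept the __Host- prefix with Secure, Path=/ and no Domain,
        # which stops a subdomain (or a spoofed host) from overwriting the cookie.
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
    if len(value) < MIN_TOKEN_CHARS:
        findings.append("session token too short")
    return findings


def issue_session_cookie(name="__Host-session"):
    """Mint a session cookie with a CSPRNG token and every hardening attribute set."""
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    weak = "session=abc123; Path=/"  # constructed example of a typical weak cookie
    print(weak, "->", audit_set_cookie(weak))
    strong = issue_session_cookie()
    print(strong, "->", audit_set_cookie(strong))
```

Run `audit_set_cookie` over the Set-Cookie headers your application actually emits (a test client or a proxy log will do); a token that is random but sent without Secure is still handed to anyone who can force one plain HTTP request.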

SSL Stripping

Since using HTTPS is a common safeguard against ARP or DNS spoofing, attackers use SSL stripping to intercept packets and rewrite HTTPS-based address requests to their HTTP-equivalent endpoint, forcing the host to make requests to the server unencrypted. Sensitive information can then be leaked in plain text.

How to detect a man-in-the-middle attack?

Detecting a man-in-the-middle attack can be hard without taking the proper steps. If you aren’t actively checking whether your communications have been intercepted, a man-in-the-middle attack can go unnoticed until it’s too late. Checking for proper page authentication and implementing some sort of tamper detection are typically the key methods for detecting a possible attack, but these procedures might require extra forensic analysis after the fact. It’s important to take precautions to prevent MITM attacks before they occur, rather than trying to detect them while they are actively happening. Being aware of your browsing practices and recognising potentially harmful areas can be essential to maintaining a secure network. Below, we have included five of the best practices to prevent MITM attacks from compromising your communications.

What are the practices to prevent man-in-the-middle attacks?

Strong WPA Encryption on Access Points

Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby. A weak encryption mechanism (such as the obsolete WEP) can allow an attacker to force their way into a network and begin a man-in-the-middle attack. The stronger the encryption implementation, the safer.

Strong Router Login Credentials

It’s essential to make sure your default router login is changed. Not just your Wi-Fi password, but your router login credentials. If an attacker obtains your router login credentials, they can change your DNS servers to their malicious servers. Or even worse, infect your router with malicious software.

Virtual Private Network

VPNs can be used to create a secure environment for sensitive information within a local area network. They use key-based encryption to create a subnet for secure communication. This way, even if an attacker happens to get onto a network that is shared, they will not be able to decipher the traffic in the VPN.

Force HTTPS

HTTPS can be used to communicate securely over HTTP using a public-private key exchange. This prevents an attacker from making any use of the data they may be sniffing. Websites should only use HTTPS and not offer HTTP alternatives. Users can install browser plugins to enforce always using HTTPS on requests.
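The SSL stripping section and the HTTPS practice above meet in one control: the server never serves content over plain HTTP and tells the browser to stop asking. The following WSGI middleware, added here as an illustration and not from the original post, redirects HTTP requests to HTTPS, refuses to reflect a Host header it does not recognise, and stamps a Strict-Transport-Security header on HTTPS responses. The hostname example.test and the one-year HSTS policy are assumptions.

```python
from urllib.parse import quote

# Assumptions for this example: the site is served at example.test and a
# one-year HSTS policy covering subdomains is the desired setting.
ALLOWED_HOSTS = {"example.test"}
HSTS_VALUE = "max-age=31536000; includeSubDomains"


class ForceHttps:
    """WSGI middleware: redirect plain HTTP to HTTPS and add HSTS to HTTPS responses."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS, hsts=HSTS_VALUE):
        self.app, self.allowed_hosts, self.hsts = app, allowed_hosts, hsts

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "")
        if host not in self.allowed_hosts:
            # Never reflect an unvalidated Host header into a redirect target.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"bad host\n"]
        if environ.get("wsgi.url_scheme") != "https":
            # Plain HTTP: answer with nothing but a redirect to the same URL over TLS.
            target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful on an HTTPS response; browsers ignore it on HTTP.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ, start_response):
    """Placeholder application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def invoke(app, scheme, host, path="/", query=""):
    """Drive a WSGI app with a synthetic request and return (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = ForceHttps(hello_app)
    print(invoke(app, "http", "example.test", "/login", "next=/account"))
    print(invoke(app, "https", "example.test", "/login"))
    print(invoke(app, "http", "evil.test"))
```

The scheme is read from `wsgi.url_scheme`; behind a reverse proxy that terminates TLS, the proxy must set it (or a trusted X-Forwarded-Proto) or every request loops through the redirect. The first visit over HTTP is still the window an SSL-stripping attacker has, which is why HSTS preloading exists for sites that want to close it.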

Public Key Pair Based Authentication

Man-in-the-middle attacks typically involve spoofing something or other. Public key pair based authentication, like RSA, can be used at various layers of the stack to help ensure that the parties you are communicating with are actually the parties you want to be communicating with.

If you have any doubts about this topic or need advice and the best services and consultation against MITM attacks, feel free to contact us. AIRZERO SEC will be your strong digital solution. Email id: [email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: