{
	"id": "7b19625d-69e5-41d6-a7d6-831654ec68b7",
	"created_at": "2026-04-06T00:14:13.084552Z",
	"updated_at": "2026-04-10T03:23:52.24718Z",
	"deleted_at": null,
	"sha1_hash": "39c3e3844b34181b82cdb30a756549076518da04",
	"title": "Rapid7",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50333,
	"plain_text": "Rapid7\r\nBy Rapid7\r\nArchived: 2026-04-05 14:11:48 UTC\r\nWhat is a man-in-the-middle (MITM) attack?\r\nMan-in-the-middle attacks (MITM) are a common type of cybersecurity attack that allows a threat actor to\r\neavesdrop on the communication between two targets—often as part of a broader phishing attack or credential\r\nharvesting campaign. The attack takes place in between two legitimately communicating hosts, allowing the\r\nattacker to “listen” to a conversation they should normally not be able to listen to, hence the name “man-in-the-middle.”\r\nMITM attack analogy\r\nHere’s an analogy: Alice and Bob are having a conversation; Eve wants to eavesdrop on the conversation but also\r\nremain transparent. Eve could tell Alice that she was Bob and tell Bob that she was Alice.\r\nThis would lead Alice to believe she’s speaking to Bob, while actually revealing her part of the conversation to\r\nEve. Eve could then gather information from this, alter the response, and pass the message along to Bob (who\r\nthinks he’s talking to Alice). As a result, Eve is able to transparently hijack their conversation.\r\nTypes of man-in-the-middle attacks\r\nRogue access point\r\nDevices equipped with wireless cards will often try to auto-connect to the access point that is emitting the\r\nstrongest signal. Attackers can set up their own wireless access point and trick nearby devices into joining its domain.\r\nAll of the victim’s network traffic can now be manipulated by the attacker. This is dangerous because the attacker\r\ndoes not even have to be on a trusted network to do this—the attacker simply needs to be in close enough physical\r\nproximity.\r\nARP spoofing\r\nARP is the Address Resolution Protocol. It is used to resolve IP addresses to physical MAC (media access control)\r\naddresses in a local area network. When a host needs to talk to a host with a given IP address, it references the\r\nARP cache to resolve the IP address to a MAC address. 
If the address is not known, a request is broadcast asking for\r\nthe MAC address of the device with that IP address.\r\nAn attacker wishing to pose as another host could respond to requests it should not be responding to with its own\r\nMAC address. With some precisely placed packets, an attacker can sniff the private traffic between two hosts.\r\nValuable information can be extracted from the traffic, such as the exchange of session tokens, yielding full access\r\nto application accounts that the attacker should not be able to access.\r\nhttps://www.rapid7.com/fundamentals/man-in-the-middle-attacks/\r\nPage 1 of 4\n\nmDNS spoofing\r\nMulticast DNS is similar to DNS, but it’s done on a local area network (LAN) using broadcast, like ARP. This\r\nmakes it a perfect target for spoofing attacks. The local name resolution system is supposed to make the\r\nconfiguration of network devices extremely simple. Users don’t have to know exactly which addresses their\r\ndevices should be communicating with; they let the system resolve it for them.\r\nDevices such as TVs, printers, and entertainment systems make use of this protocol since they are typically on\r\ntrusted networks. When an app needs to know the address of a certain device, such as tv.local, an attacker can\r\neasily respond to that request with fake data, instructing it to resolve to an address the attacker controls. Since\r\ndevices keep a local cache of addresses, the victim will now see the attacker’s device as trusted for a period of\r\ntime.\r\nDNS spoofing\r\nSimilar to the way ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP\r\naddresses. When using a DNS spoofing attack, the attacker attempts to introduce corrupt DNS cache information\r\nto a host in an attempt to impersonate another host by its domain name, such as www.onlinebanking.com. 
This\r\nleads to the victim sending sensitive information to a malicious host, with the belief they are sending information\r\nto a trusted source. An attacker who has already spoofed an IP address could have a much easier time spoofing\r\nDNS simply by resolving the address of a DNS server to the attacker’s address.\r\nMan-in-the-middle attack techniques\r\nThese attack techniques are often used during or after the MITM setup to extract or manipulate sensitive data.\r\nSniffing\r\nAttackers use packet capture tools to inspect packets at a low level. Using specific wireless devices that are\r\nallowed to be put into monitoring or promiscuous mode can allow an attacker to see packets that are not intended\r\nfor it to see, such as packets addressed to other hosts.\r\nPacket injection\r\nAn attacker can also leverage their device’s monitoring mode to inject malicious packets into data communication\r\nstreams. The packets can blend in with valid data communication streams, appearing to be part of the\r\ncommunication, but malicious in nature. Packet injection usually involves first sniffing to determine how and\r\nwhen to craft and send packets.\r\nSession hijacking\r\nMost web applications use a login mechanism that generates a temporary session token to use for future requests\r\nto avoid requiring the user to type a password at every page. An attacker can sniff sensitive traffic to identify the\r\nsession token for a user and use it to make requests as the user. The attacker does not need to spoof once he has a\r\nsession token.\r\nSSL stripping\r\nSince using HTTPS is a common safeguard against ARP or DNS spoofing, attackers use SSL stripping to intercept\r\npackets and alter their HTTPS-based address requests to go to their HTTP equivalent endpoint, forcing the host to\r\nmake requests to the server unencrypted. 
Sensitive information can be leaked in plain text.\r\nHow to detect a man-in-the-middle attack\r\nDetecting a man-in-the-middle attack can be difficult without taking the proper steps. If you aren't actively\r\nsearching to determine if your communications have been intercepted, a man-in-the-middle attack can potentially\r\ngo unnoticed until it's too late. Checking for proper page authentication and implementing some sort of tamper\r\ndetection are typically the key methods to detect a possible attack, but these procedures might require extra\r\nforensic analysis after the fact.\r\nIt's important to take precautionary measures to prevent MITM attacks before they occur, rather than relying on\r\ndetection during an active attack. Being aware of your browsing habits and recognizing potentially harmful\r\nscenarios is essential to maintaining a secure network. Incorporating regular security awareness training can help\r\nusers identify early warning signs of MITM tactics like suspicious certificates, misleading redirects, or insecure\r\nlogin prompts. If signs of a MITM attack are detected, having a clearly defined incident response plan is essential\r\nto contain the threat, investigate the breach, and restore secure communications.\r\nBelow, we have included five of the best practices to prevent MITM attacks from compromising your\r\ncommunications.\r\nMan-in-the-middle (MITM) attack prevention\r\nStrong WEP/WAP encryption on access points\r\nHaving a strong encryption mechanism on wireless access points prevents unwanted users from joining your\r\nnetwork just by being nearby. A weak encryption mechanism can allow an attacker to brute-force his way into a\r\nnetwork and begin a man-in-the-middle attack. The stronger the encryption implementation, the safer.\r\nStrong router login credentials\r\nIt’s essential to make sure your default router login is changed. Not just your Wi-Fi password, but your router\r\nlogin credentials. 
If an attacker finds your router login credentials, they can change your DNS servers to their\r\nmalicious servers, or even worse, infect your router with malicious software.\r\nVirtual private network\r\nVPNs can be used to create a secure environment for sensitive information within a local area network. They use\r\nkey-based encryption to create a subnet for secure communication. This way, even if an attacker happens to get on\r\na network that is shared, he will not be able to decipher the traffic in the VPN.\r\nForce HTTPS\r\nHTTPS can be used to securely communicate over HTTP using public-private key exchange. This prevents an\r\nattacker from having any use of the data he may be sniffing. Websites should only use HTTPS and not provide\r\nHTTP alternatives. Users can install browser plugins to enforce always using HTTPS on requests.\r\nPublic key pair based authentication\r\nMan-in-the-middle attacks typically involve spoofing something or other. Public key pair based authentication\r\nlike RSA can be used in various layers of the stack to help verify that the things you are communicating with\r\nare actually the things you want to be communicating with.\r\nSource: https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/"
	],
	"report_names": [
		"man-in-the-middle-attacks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39c3e3844b34181b82cdb30a756549076518da04.pdf",
		"text": "https://archive.orkl.eu/39c3e3844b34181b82cdb30a756549076518da04.txt",
		"img": "https://archive.orkl.eu/39c3e3844b34181b82cdb30a756549076518da04.jpg"
	}
}