What is a man-in-the-middle attack? How MITM attacks work

What is MITM?

Man in the middle attack is carried to intercept the communication between two parties either to eavesdrop or to modify the content of the data that is being shared. In this attack, the attacker put himself between the two communicating parties to sniff all the outgoing and incoming traffic. The targets of these attacks are usually financial applications, SaaS businesses, e-commerce sites, and other websites to steal login credentials or valuable information like credit cards.

Proof of Concept (PoC)

To carry out this attack, we are going to use Kali Linux and Windows 10. The first software we are going to use is Ettercap. Ettercap is a free and open-source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its original developers later founded Hacking Team. (“Ettercap,” n.d., para, 1).

To launch the Ettercap GUI, we navigated applications>Sniffing & Spoofing>ettercap-gui in our kali machine.

The GUI of the Ettercap tool has been launched:

Firstly, we have to select our network interface. We selected eth0, which is our default network interface because we are using Ethernet. If we were using WiFi, then the WLAN0 interface is the correct network interface to select.

In the below illustration we can see that there is no activity started yet. We have successfully selected the network interface which is eth0.

As mentioned earlier, in this testing we are using two operating systems. Kali Linux as MITM machine and windows 10 as a target machine. To launch the MITM attack, IP address and the MAC address of the target machine is required. For this purpose, we are going to scan all the connected hosts by pressing Ctrl+S.

Ettercap is now scanning all the alive hosts.

After scanning, 4 hosts are added to the list.

We can view the list by navigating into hosts>hosts list.

This is the list of 4 hosts with IP and MAC addresses.

In our windows machine, we opened the CMD and entered the command “ipconfig”. In the below illustration, we can see and verify the IP address. The default gateway of the windows machine is and IP address is

We selected, which is the IP address of the windows machine and add it as a target 1. For target 2, we selected, which is the default gateway of the windows machine. We did this because we want to sniff all the outgoing and incoming traffic.

We selected unified sniffing in the sniff section to start sniffing.

Also, we started ARP poisoning and checked the sniff remote connection option.

In the below illustrations we can see that ARP poisoning is started.

To verify that our MITM attack is working, we established a remote FTP connection from the windows machine to McAfee. First, we established an FTP connection. After a few seconds, we are prompted with a username and password authentication and we entered a dummy username and password.

Yes, our MITM attack is working. We can see that Ettercap has captured the username and password we entered in our windows machine to authenticate.

We can also validate the working of our MITM attack by logging into a website. We have selected a website that does not use secure encryption to validate login credentials. In the website login field. We entered a username “test” and password “test” to validate our attack.

We opened the Wireshark tool and entered the parameters http.request.method==post. We can see at the bottom that Wireshark has captured the login credentials. Which proves that our MITM attack is working.