top of page

Man in the Middle Attack by ARP Spoofing: Tutorial and Examples

What is Man in The Middle (MITM) Attack?

A man in the middle (MITM) attack is a general term for when a machine positions itself in between a connection between a client/user and the server/internet — either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway. This is nicely depicted in the diagram below.

The MiTM attacker will be able to place himself/herself between the user and the internet server to see what is happening. We will be using an ARP spoofing attack to achieve this. Before starting let’s know what is ARP protocol and how we are going to exploit it to become the man-in-the-middle.

What is ARP?

ARP stands for Address Resolution Protocol. It links the IP addresses to the device MAC addresses. Each computer in a network will have a table storing IP addresses of the device in a network with their MAC addresses. So whenever data is sent in a network, it will be sent to the device having the MAC address associated with the destination IP of the packet. We can see this ARP table by running the following command.

$ arp -a

For me, this is the output:

Result of `arp-a`

ARP Spoofing

ARP Spoofing can be achieved by telling the router that the user’s IP corresponds to our MAC address. We will also tell the user that the router’s IP address corresponds to my MAC address. And guess what !!! all the traffic between the user and router will now flow through our machine.

The reason that this exploit is possible is because the ARP protocol is not secure, the client machines will accept responses even if they didn’t send requests and the client machines won’t even verify before updating their ARP table. You can look at the image below for a graphical representation of what we will be achieving.

Image Credits: ZSecurity

As mentioned, we will be using an ARP spoofing attack to be the Man-In-The-Middle. ARP Spoofing will redirect the flow of packets. So instead of packets flowing directly between the client and access point, it would redirect through our system. This means that we will be able to see all the websites, usernames, passwords, images that the user is browsing.

Let’s practically see how this would work. I am using Ubuntu 20.04 for executing all the below commands. The commands will remain the same for any Debian-based Linux Machine. Kali Linux is preferred since it will have most of the tools pre-installed. The tool I will be using is bettercap . It’s an open-source tool. Let’s download it and install it by running the following commands in your terminal :

$ wget "`curl -s | grep -E -o '/bettercap/bettercap/releases/download/v[0-9.]+/bettercap_linux_amd64_(|v)[0-9.]+zip' | head -n 1`"
$ unzip bettercap_linux_amd64_*zip
$ sudo mv bettercap /usr/local/bin/
$ rm bettercap_linux_amd64_*

Run bettercap -h to see that the installation is proper

$ bettercap -h

Note : There’s an optional step. If you want you can change your MAC address. This is a way to hide your identity on the network. To do this, you can follow the steps here: How to change MAC Address?

Being the Man In The Middle

1. Get the interface name by running ‘ifconfig' in the terminal