• About Us

  • Blog
  • Contact
Blog Security What Is a Man-in-the-Middle Attack (MitM)? 


May 10 2023


Table of Contents

What Is a Man-in-the-Middle Attack?

A Man-in-the-Middle (MITM) attack is a form of cyber-attack where an attacker intercepts and manipulates communication between two parties. The attacker can then eavesdrop on the communication or even alter it without the knowledge of the legitimate parties involved. MITM attacks can be executed on various communication channels such as email, instant messaging, and web browsing.

Meaning of the Man-in-the-middle (MiTM) Attack

Man in the Middle Attack

Man in the middle MITM attacks in cryptography and computer security when threat actors secretly relay and, if necessary, change the connection between two parties who believe that they are directly communicating with each other. It is a method of compromising a communication channel, in which an attacker, having connected to a channel between counterparties, intervenes in the transmission protocol, deleting or distorting information.

One example of a man-in-the-middle attack is active eavesdropping, in which the attacker establishes independent links with victims and relays messages between them. By doing so, he makes the victims believe that they are talking directly to each other through a private connection, in fact, the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages transmitted between the two victims, as well as introduce new ones. In most cases, this is quite simple: for example, an attacker can behave like a “man in the middle” within the range of a wireless Wi-Fi hotspot.

This attack aims to bypass mutual authentication or lack of it, and can only succeed when an attacker has the ability to impersonate each endpoint or remain undetected as an intermediate host. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.

How Do MitM Attacks Work

Suppose Alice wants to give Bob some information. Mallory wants to intercept the message and possibly change it so that Bob gets the wrong information.

Malory begins her attack by establishing a connection with Bob and Alice, while they cannot guess that someone else is present in their communication channel. All messages Bob and Alice send go through Mallory.

Alice asks Bob for his public key. Malory introduces herself to Alice as Bob and sends her public key. Alice, believing it to be Bob’s key, encrypts a message with it and sends it to Bob. Mallory receives the message, decrypts it, then modifies it if necessary, encrypts it with Bob’s public key, and sends it to him. Bob receives a message and thinks it came from Alice:

  1. Alice sends a message to Bob, which Mallory intercepts:

“Hi Bob, this is Alice. Send me your public key.”

  1. Malory forwards the message to Bob; Bob cannot guess that this message is not from Alice:

“Hi Bob, this is Alice. Send me your public key.”

  1. Bob sends his key.
  2. Malory replaces Bob’s key with hers and forwards the message to Alice:
  3. Alice encrypts the message with Mallory’s key, believing it to be Bob’s key and only he can decrypt it:

“Meet me at the bus stop!” [encrypted with Mallory’s key]

  1. Malory decrypts the message, reads it, modifies it, encrypts it with Bob’s key, and sends it:

“Meet me at the entrance to the museum at 18:00.” [encrypted with Bob’s key]

  1. Bob thinks this is Alice’s message.

This example demonstrates the need to use methods to verify that both parties are using the correct public keys, i.e. that party A has party B’s public key and party B has party A’s public key. in the middle.”

What Are the Types of Man-in-the-Middle Attacks?

Attack on public key systems. In the case of a public key system, a cryptanalyst can intercept the public key exchange messages between the client and the server and modify them, as in the example above. In order to remain undetected, the cryptanalyst must intercept all communications between client and server and encrypt and decrypt them with the appropriate keys. Such actions may seem too complicated to carry out an attack, but they pose a real threat to insecure networks (electronic business, Internet banking, payment gateway). To prevent “a man with an active cryptanalyst” attack, which would replace the public key of the recipient during its transmission to the future sender of messages, as a rule, public key certificates are used.

Injection of malicious code. Code injection in a man-in-the-middle attack is mainly used to hijack an already authorized session, execute custom commands on the server, and send false responses to the client. A man-in-the-middle attack allows a cryptanalyst to inject his code into emails, SQL statements, and web pages (i.e., allows SQL injection, HTML/script injection, or XSS attacks), and even modify user-uploaded binaries to to access a user account or change the behavior of a program downloaded by the user from the Internet.

Public means of communication. The most common public means of communication are social networks, public e-mail services and instant messaging systems. The owner of the resource that provides the communication service has full control over the information exchanged by the correspondents and, at his own discretion, can attack the intermediary without hindrance at any time. Unlike previous scenarios based on the technical and technological aspects of communications, in this case, the attack is based on mental aspects, namely, on the rooting in the minds of users of the concept of ignoring information security requirements.

Man-in-the-Middle Attack Techniques

Downgrade attack. The term “Downgrade Attack” refers to such an attack in which the cryptanalyst forces the user to use less secure functions, protocols that are still supported for compatibility reasons. This type of cyberattack can be carried out on the SSH, IPsec, and PPTP protocols. To protect against Downgrade Attack MITM techniques, insecure protocols must be disabled on at least one side; simply supporting and using secure protocols by default is not enough.

SSH V1 instead of SSH V2. An attacker may try to change the connection parameters between the server and the client when a connection is established between them. According to a talk at the Blackhat Conference Europe 2003, a cryptanalyst can “force” a client to start an SSH1 session by changing the version number “1.99” of the SSH session to “1.51” instead of SSH2, which means using SSH V1. The SSH-1 protocol has vulnerabilities that a cryptanalyst can exploit.

IPsec. In this attack scenario, the cryptanalyst misleads his victim into thinking that an IPsec session cannot start at the other end (server). This causes messages to be forwarded explicitly if the host machine is in rollback mode.

PPTP. At the stage of negotiating PPTP session parameters, the attacker can force the victim to use a less secure PAP authentication, MSCHAP V1 (that is, “roll back” from MSCHAP V2 to version 1), or not use encryption at all. An attacker can force his victim to repeat the stage of negotiating the PPTP session parameters (send a Terminate-Ack packet), steal the password from the existing tunnel and repeat the attack.


ARP cache poisoning. The basis of the ARP Cache Poisoning attack is a vulnerability in the ARP protocol. Unlike protocols such as DNS, which can be configured to only accept secure dynamic updates, devices using ARP will receive updates at any time. This property of the ARP protocol allows any device to send an ARP response packet to another host to require it to update its ARP cache. Sending an ARP response without generating any requests is known as sending a self-directed ARP. If there is malicious intent, well-directed self-redirected ARP packets used in this way can result in hosts believing they are communicating with a single node, but in reality, they are communicating with the attacker’s intercepting node.

Man-in-the-Middle Attack

MITM Attack Progression

To implement some types of middle attack techniques, two preparatory steps are necessary. First of all, this is the interception of traffic or the introduction into the communication system, the second is the decryption of the intercepted message. Let’s consider interception and decryption in more detail.


IP spoofing. This method involves changing the IP address to redirect traffic to the attacker’s site. An attacker forges an address by changing packet headers to masquerade as a legitimate application or website.

ARP spoofing. This passive attack associates the attacker’s MAC address with the victim’s IP address on the local area network using forged ARP messages. Any data sent by the victim to the local network is instead redirected to the cybercriminal’s MAC address, allowing the cybercriminal to intercept the data and manipulate it at will.

DNS spoofing. An attacker accesses a website’s DNS server and changes the web address record, after which the modified DNS record redirects incoming traffic to the cybercriminal’s website.


HTTPS spoofing. When a user connects to a secure site with the https:// prefix, the attacker sends a fake security certificate to the browser. This “tricks” the browser into thinking the connection is secure, when in fact the cybercriminal is intercepting and possibly redirecting the data.

SSL spoofing. This method involves forging the address of a secure site so that the victim goes to the fake address. Cybercriminals intercept communications between the victim and the web server of the site they want to access, disguising the malicious site as the real one.

SSL Stripping. A cybercriminal intercepts a TLS message from an application or website and modifies it so that the site loads over an insecure HTTP connection instead of HTTPS. Because of this, the user’s session becomes viewable by a cybercriminal who can now extract sensitive information.

SSL BEAST. This is a type of session hijacking when cybercriminal infects a user’s computer with malicious JavaScript code. The malware then intercepts cookies and website authentication tokens for decryption, allowing the attacker access to the victim’s entire session.

How to Prevent Man-in-the-Middle Attacks

Prevent MitM Attack

Checking the time delay can potentially detect an attack in certain situations and help with middle attack prevention. For example, with long calculations of hash functions that are performed within ten seconds. To identify potential attacks, parties check for discrepancies in response time. Assume that two parties typically take a certain amount of time to complete a particular transaction. However, if one transaction takes an anomalous period of time to reach the other party, this may indicate the intervention of a third party introducing additional delay to the transaction.

To detect a man-in-the-middle MITM attacks, network traffic must also be analyzed. For example, to detect an SSL attack, you should pay attention to the following parameters:

  • Server IP
  • DNS server
  • 509 server certificate
  • Is the certificate self-signed?
  • Is the certificate signed by a certificate authority?
  • Has the certificate been revoked?
  • Has the certificate changed recently?
  • Have other clients on the Internet received the same certificate?

Examples of Man-in-the-Middle Attacks

One of the well-known middle attack examples was carried out by a Belkin wireless network router in 2003. Periodically, a new router model would choose a random HTTP connection and redirect it to its manufacturer’s advertising page. Such an unceremonious behavior of the device, of course, caused an uproar among users, after which this “feature” was removed from later versions of the router’s firmware.

In 2011, a security breach by the Dutch certificate authority DigiNotar led to fraudulent issuance of certificates. Subsequently, fraudulent certificates were used to carry out man-in-the-middle attacks.

In 2013, Nokia’s Xpress Browser was reported to decrypt HTTPS traffic at Nokia’s proxy servers, giving the company clear text access to its customers’ encrypted browser traffic. To which Nokia stated that the content was not stored permanently and that the company had organizational and technical measures in place to prevent access to private information.

In 2017, Equifax withdrew its mobile phone apps for fear of a man-in-the-middle attack vulnerability.


Man-in-the-middle MITM attacks are third party data interceptions in communication between two parties and can access or alter the data being transmitted. This attack can be used to steal personal information, such as login credentials, financial information, or personal data. To protect against this type of attack, it is important to use secure connections and implement security measures such as encryption and authentication. Helenix has been providing data transmission security at the most critical points of enterprises for a long time. You can learn more about our competencies in the Custom Development section.


The most common type of man-in-the-middle attack is eavesdropping, where the attacker intercepts communication between two parties to gather sensitive data, such as login credentials, financial information, or personal data. The attacker can then use this information for fraudulent purposes, including identity theft, unauthorized access to accounts, or financial fraud.

Several measures can be used to mitigate man-in-the-middle attacks, including encryption, digital certificates, and two-factor authentication. Encryption ensures that the data being transmitted is protected and cannot be read by anyone other than the intended recipient.

Firewalls can be an effective tool in preventing man-in-the-middle attacks by blocking unauthorized access to a network. However, they are not foolproof and may not be sufficient to prevent all types of attacks.

Man-in-the-middle attacks on ATMs can be prevented by implementing a range of security vulnerability management, including secure internet protocols, physical security measures, and regular software updates. Secure communication protocols such as HTTPS and SSL/TLS ensure that the data being transmitted between the ATM and the bank’s servers is encrypted and secure and could be used to MitM attack prevention.