MITM in detail
A Man-in-the-Middle (MITM) attack of the kind described here always happens inside a network: the attacker must already be on the same local network as the victim, and the attack cannot be performed from outside it. But how does this attack actually work?
This attack takes advantage of MAC addresses. A MAC address is like the name or identity of a device on the local network, and devices learn which MAC address belongs to which IP address through the Address Resolution Protocol (ARP). Let me give you an example: imagine someone finds your national ID and all the documents needed to impersonate you. He now becomes "you" to everyone else.
Still confused? Don’t worry — I’m here to help. When an attacker wants to impersonate an identity on the network, he performs a technique called ARP Spoofing: he sends forged ARP replies so that other devices record his MAC address as the one belonging to a different device’s IP address. In simple terms, he tricks the network by pretending to be another device — but he’s not interested in pretending to be you. Instead, he targets something more valuable: the router.
When you want to visit a website like Google, your device sends a request to the router saying, “Hey, I want to visit Google.” (Yes, the process is actually more complex, but we’ll keep it simple for now.) The attacker’s goal is to steal the router’s identity, so your device unknowingly sends all its requests to the attacker instead of the real router.
Now imagine the result: every request the victim sends goes to the attacker first, who can quietly forward it on to the real router so that the victim notices nothing.
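The ARP cache poisoning described above, seen from the defender's side: an added example (not from the original post) that decodes ARP replies from a constructed capture and flags the moment a second MAC address claims the router's IP. The gateway, victim and rogue addresses are assumed sample values.

```python
import struct
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")

def parse_arp(payload: bytes) -> ArpPacket:
    """Decode the 28-byte Ethernet/IPv4 ARP body (RFC 826 field order)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpPacket(op, mac(sha), ip(spa), mac(tha), ip(tpa))

class ArpMonitor:
    """Alerts when an ARP reply binds an IP to a MAC other than the one first seen."""
    def __init__(self, gateway_ip: str, gateway_mac: str):
        self.table = {gateway_ip: gateway_mac}  # trusted seed: the real router's MAC
        self.alerts = []

    def observe(self, payload: bytes):
        pkt = parse_arp(payload)
        if pkt.opcode != ARP_REPLY:
            return None  # requests do not update the table
        known = self.table.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known == pkt.sender_mac:
            return None
        msg = f"ARP conflict: {pkt.sender_ip} was {known}, now claimed by {pkt.sender_mac}"
        self.alerts.append(msg)
        return msg

def _arp(op, sha, spa, tha, tpa) -> bytes:
    """Constructed fixture: encode an ARP body from colon/dotted strings."""
    m = lambda s: bytes(int(x, 16) for x in s.split(":"))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + i(spa) + m(tha) + i(tpa)

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"  # assumed LAN values
VICTIM_IP, VICTIM_MAC, ROGUE_MAC = "192.168.1.42", "aa:bb:cc:dd:ee:42", "0e:ad:be:ef:00:02"
SAMPLE = [  # constructed capture: genuine router reply, victim request, poisoned reply
    _arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    _arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    _arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

def run(frames=SAMPLE):
    mon = ArpMonitor(GATEWAY_IP, GATEWAY_MAC)
    return [a for a in map(mon.observe, frames) if a]
```

On a real host the same check runs over frames read from the interface; a static ARP entry for the gateway is the usual mitigation once such an alert fires.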
What Can the Attacker Do?
- Read the Data: The attacker can monitor what websites you visit, what data you send, and even capture sensitive information like passwords or personal messages — especially if the traffic isn’t encrypted.
- Modify the Data: He can change what you receive. For example, he could redirect you to a fake login page that looks like the real one, or inject malicious scripts into the websites you visit.
This makes MITM attacks extremely dangerous, especially in public Wi-Fi networks where attackers can easily position themselves between you and the router.
Summary
A Man-in-the-Middle attack of this kind relies on ARP spoofing: the attacker answers for the router’s IP address with his own MAC address, tricking the victim’s device into thinking it’s communicating with the router — while in reality, it’s talking to the attacker.