MITM (Man in The Middle) Attack using ARP Poisoning

Photo by Google

In this article, I will explain ARP poisoning. Before starting we must want to know about the MITM which referred to as a Man In The Middle. So we start with MITM it provides a good understanding of ARP poisoning.

What is Man In The Middle(MITM) Attack?

It implies that attackers or hackers should be attacked within the targets. The target defined as two legitimately communicating hosts or persons who share information. So attackers or hackers are worked in between them. The hosts(client and server) think that they were to control their communication. But the reality, The hackers control the hosts’ communications to hack the important data. Such that take sensitive information such as account details, login credentials, credit card numbers.. etc.

Let’s take the word “Man-in-The-Middle”, its rectified meaning directly. A man which is worked as a middle in some medium. This attack must have a specific condition that was attacker must have access to the network in the targetted machine.

It is a common type of cybersecurity attack.

man-in-the-middle attack in a network consisting of a switch and 3 computers:

1. Server/Host
2. Client
3. Man In The Middle

Simply says the Man in The Middle means Intercept communication between two or more devices.

“The aim could be spying on individuals or groups to redirecting efforts, funds, resources, or attention.”

Man In The Middle Attacks Works

Real-World MITM Attacks

In 2011, Dutch registrar site DigiNotar was breached, which enabled a threat actor to gain access to 500 certificates for websites like Google, Skype, and others. Access to these certificates allowed the attacker to pose as legitimate websites in a MITM attack, stealing users’ data after tricking them into entering passwords on malicious mirror sites. DigiNotar ultimately filed for bankruptcy as a result of the breach.

In 2017, credit score company Equifax removed its apps from Google and Apple after a breach resulted in the leak of personal data. A researcher found that the app did not consistently use HTTPS, allowing attackers to intercept data as users accessed their accounts.

Man-in-the-middle attack techniques

  1. Sniffing- An attacker uses software to intercept (or “sniff”) data being sent to or from your device. (Attackers use packet capture tools to inspect packets at a low level)
  2. Packet Injection- Attackers have injected their malicious packets into communications. The packets can blend in with valid data communication streams and it’s appearing as the component of the communication but it’s made harmful (malicious).
  3. Session Hijacking- if the attacker obtains a session ID, they can gain access to accounts the user is currently logged into. An attacker sniffs data packets to steal session cookies from your device, allowing them to hijack a user session if they find unencrypted login information.
  4. SSL Stripping- SSL is referred Secure Socket Layer, it provides security to the data that is transferred between web browser and server. HTTPS is a common safeguard. Attackers use SSL stripping to intercept packets and alter their HTTPS-based address requests to go to their HTTP equivalent endpoint, forcing the host to make requests to the server unencrypted.

Detect a man-in-the-middle attack

Finding the Man-in-the-middle attack can be difficult without taking the proper steps. If a Man-in-the-middle attack can potentially go unnoticed until it’s too late, then communication is intercept and hacked.

Man In The Middle attacks are having three types,

1. ARP Spoofing
2. DNS Spoofing
3. mDNS Spoofing

ARP Spoofing

ARP implies the Address Resolution Protocol. This protocol used to resolving IP addresses to machine MAC addresses in a local area network. All the devices which want to communicate in the network, broadcast ARP-queries in the system to find out the MAC addresses of other machines.

ARP spoofing called APR Poisoning. ARP poisoning forces to send data to the hacker’s machine. The main role of the ARP is to convert 32-bit addresses to 48-bit addresses and the other way round. ARP functions between network the 2nd and 3rd layers of the OSI model(As the MAC address exists on 2nd layer, and the IP address exists on 3rd layer)

The ARP protocol was not designed for security, so it does not verify that a response to an ARP request really comes from an authorized party. It also lets hosts accept ARP responses even if they never sent out a request. This is a weak point in the ARP protocol, which opens the door to ARP spoofing attacks.

ARP Spoofing Example

How to Detect an ARP Cache Poisoning Attack

Using the command line

There is a simple way to detect that a specific device’s ARP cache has been poisoned, using the command line. Used “arp -a” command to display the ARP table, on both Windows and Linux:

ARP table shown

Here the Internet Address says that IP address and the Physical Address says that MAC address. So if the table contains two different IP addresses that have the same MAC address, this indicates an ARP attack is taking place.


Wireshark is the most widely-used network analyzer. It can be used to get a microscopic view of the user’s network. It can be used -

● Network troubleshooting.
● Education purposes
● Software and communication protocol development.

This tool is widely used by large networks to analyze their network traffic and keep systems secure.

WireShark Looks Like

These ways to find the APR spoofing that happened in-network or machine.

ARP Spoofing Prevention

  1. Use a Virtual Private Network (VPN)⁠- VPN creates a tunnel between connections. This makes all communication encrypted, and worthless for an ARP spoofing attacker.
  2. Use static ARP- static ARP entry for an IP address provided the prevent devices from listening on ARP responses for that address
  3. Use packet filtering- This solution provides the identify poisoned ARP packets by seeing that they contain conflicting source information, and stop them before they reach devices on your network.⁠

Man in Middle Attack using ARP spoofing :

We already discussed Man in Middle Attack, Now we got a clear view of ARP spoofing. Then let’s see how Man Middle Attack happens using ARP spoofing.

There are several steps to explained it;

Step 1: ARP spoofing allows us to redirect the flow of packets in a computer network.

Example of Network

Step 2: But when the hackers are middle in the victim, ARP spoofing allows to send all the requests, and responses start flowing through the hacker’s system.

After Spoofing

Step 3: So by doing this a hacker spoof’s the router by pretending to be the victim, and similarly, he spoofs the victim by pretending to be the router.

DNS Spoofing

DNS is called Domain Name System. It is the Phonebook of the internet. Every human accessing the data information online through the domain name, like or By using the internet protocol(IP) addresses the web browsers are interacting. So web browsers can load the internet resources by DNS translates domain names to IP addresses.

Each and every device connected with the internet has a unique IP address which the other machines use to find the device.DNS servers eliminate the need for humans to memorize IP addresses such as IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb50:2098:1:c629::67a2(in IPv6).

If you need a clear explanation about this DNS Spoofing please refer to my previous blog:

mDNS Spoofing

It Multicast DNS is similar to DNS, this will happen on a local area network (LAN) using broadcast like ARP. mDNS spoofing makes a perfect target for spoofing attacks. An mDNS enabled client will perform a mDNS query on a multicast address.

from Wikipedia article:
Multicast DNS (mDNS) is a protocol that uses similar APIs to the unicast DNS system but implemented differently. Each computer on the LAN stores its own list of DNS records (e.g. A, MX, PTR, SRV, etc), and when an mDNS client wants to know the IP address of a PC given its name, the PC with the corresponding A record replies with its IP address.

Prevent Man-In-The-Middle Attacks

1. Strong WEP/WAP Encryption on Access Points — Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby.
2. Strong Router Login Credentials — Make sure the default router login is changed not just your Wi-Fi password, but your router login credentials. because if attackers log in credentials they can change your DNS servers to their malicious servers.
3. Virtual Private Network — It creates a secure environment for sensitive information within LAN. It is created as a tunnel to prevent information from being encrypted.
4. Forces HTTP — It is given secure communication using public-private exchanges. If hackers use sniffing techniques it is given as the security to the information and also the communication.


Software Engineer at Virtusa (Pvt) Ltd.