On Path Attacks MITM

On-Path Attacks (Man-in-the-Middle)

  • On-path attacks occur when an adversary positions themselves between two communicating parties to intercept, modify, or inject malicious traffic
  • The attacker becomes a relay point for all communication, allowing them to eavesdrop on sensitive data or manipulate network flows
  • Also known as Man-in-the-Middle (MITM) attacks - the attacker sits in the communication path like a wiretap on a phone line

Common Attack Vectors

  • ARP Poisoning/Spoofing: Attacker sends fake ARP replies to associate their own MAC address with the IP address of the victim’s gateway
    • For example, attacker tells victim “I’m 192.168.1.1 (the gateway)” when they’re actually 192.168.1.50
    • All traffic destined for the gateway now flows through the attacker’s machine first
  • DNS Spoofing: Malicious DNS responses redirect victims to attacker-controlled servers
    • Used for credential harvesting when users think they’re visiting legitimate sites
  • DHCP Spoofing: Rogue DHCP server provides malicious network configuration (gateway, DNS servers)
  • SSL/TLS Interception: Attacker presents fake certificates to decrypt HTTPS traffic
    • Requires certificate installation on victim machines or exploitation of certificate validation weaknesses

Attack Methodology

  • Phase 1: Position between victim and target (network reconnaissance to identify communication flows)
  • Phase 2: Intercept traffic using protocol manipulation (ARP, DNS, routing table poisoning)
  • Phase 3: Forward traffic to maintain connectivity while logging/modifying data
  • Phase 4: Exfiltrate captured credentials, session tokens, or sensitive information

Vulnerability Table

  Protocol/Service    Attack Method             Impact Level   Detection Difficulty
  HTTP                Direct interception       High           Low
  HTTPS               Certificate spoofing      Medium-High    Medium
  Email (SMTP/POP3)   Protocol downgrade        High           Low
  FTP                 Credential capture        High           Low
  Telnet/SSH          Session hijacking         Critical       Medium
  SNMP (v1/v2c)       Community string capture  High           Low

Defense Mechanisms

  • Static ARP Entries: Manually configure ARP tables to prevent ARP poisoning
    • Use arp -s <IP> <MAC> on endpoints for critical network devices
  • Port Security: Limit MAC addresses per switchport and enable violation actions
    • Configure switchport port-security maximum 1 for single-device ports
  • DHCP Snooping: Enable on access layer switches to prevent rogue DHCP servers
    • Creates binding table of legitimate IP-to-MAC mappings
  • Dynamic ARP Inspection (DAI): Validates ARP packets against DHCP snooping database
  • Certificate Pinning: Applications verify specific certificates rather than trusting any valid cert
  • DNSSEC: Cryptographically signs DNS responses to prevent spoofing
  • Network Segmentation: VLANs and subnets limit attack scope (containment strategy)

Vocabulary

  • ARP Poisoning: Sending fake ARP replies to redirect traffic through attacker’s machine
  • Certificate Pinning: Hardcoding expected certificates in applications to prevent fake cert acceptance
  • DHCP Snooping: Switch feature that validates DHCP messages and builds IP-to-MAC binding tables
  • Dynamic ARP Inspection: Uses DHCP snooping database to validate ARP packet legitimacy
  • SSL Stripping: Forcing HTTPS connections to downgrade to unencrypted HTTP
  • Session Hijacking: Stealing authenticated session tokens to impersonate legitimate users

Detection Indicators

  • Duplicate IP addresses in network (multiple devices claiming same IP)
  • Unexpected certificate warnings from browsers (users often ignore these - major security gap)
  • Unusual network latency or connection drops during attacks
  • ARP table inconsistencies showing different MAC addresses for same IP over time
  • Network monitoring tools detecting MAC address changes for static devices
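An added example (not part of the original notes) that turns the ARP-based indicators above into a check a monitoring script could run: it replays a constructed log of observed ARP replies, flags any IP whose MAC changes over time or that is claimed by more than one MAC, and compares critical devices against a known-good binding table of the kind a static ARP entry would enforce. All addresses, MACs and timestamps are constructed sample values.

```python
"""Flag ARP inconsistencies from a log of observed ARP replies (constructed sample data)."""
from collections import defaultdict

# Constructed sample of observed ARP replies: (timestamp, sender IP, sender MAC).
# 192.168.1.1 is the gateway; a second MAC (sample value) starts claiming it at 10:00:05.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:05", "192.168.1.1", "de:ad:be:ef:00:50"),
    ("10:00:06", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:09", "192.168.1.1", "aa:bb:cc:00:00:01"),
]

# Known-good bindings for critical devices (what a static ARP entry would pin). Sample value.
STATIC_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def find_arp_anomalies(replies, static_bindings):
    """Return alert strings for static-binding violations, IP-to-MAC changes and duplicate claims."""
    alerts = []
    last_seen = {}                   # ip -> most recently observed MAC
    macs_per_ip = defaultdict(set)   # ip -> every MAC that has ever claimed it
    for ts, ip, mac in replies:
        mac = mac.lower()
        # Critical devices must always match their pinned MAC.
        expected = static_bindings.get(ip)
        if expected and mac != expected.lower():
            alerts.append(f"{ts} static-binding violation: {ip} claimed by {mac}, expected {expected}")
        # Any IP whose MAC differs from the last observation is suspicious (ARP table inconsistency).
        prev = last_seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} IP-to-MAC change: {ip} moved from {prev} to {mac}")
        last_seen[ip] = mac
        macs_per_ip[ip].add(mac)
    # Summarise IPs that more than one MAC has claimed (duplicate-IP indicator).
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            alerts.append(f"duplicate claim: {ip} seen with {len(macs)} MACs {sorted(macs)}")
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(ARP_REPLIES, STATIC_BINDINGS):
        print(alert)
```

On real data the reply list would be fed from a packet capture or periodic ARP table snapshots; the binding table should be populated from the DHCP snooping database or an asset inventory, not from observed traffic.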

Notes

  • Critical Rule: On-path attacks are often undetectable to end users because connectivity appears normal - the attacker forwards traffic after inspection
  • Modern networks should implement defense in depth - multiple overlapping security controls rather than relying on single solutions
  • Wireless networks are particularly vulnerable due to shared medium - use WPA3-Enterprise with 802.1X authentication for corporate environments
  • Consider on-path attacks during network design - isolate management VLANs and use out-of-band management where possible
  • Exam Tip: Remember that MITM attacks require the attacker to be on the same network segment or control routing between segments - physical network security is foundational