Detecting and analyzing man-in-the-middle attacks

Cuckoo's Egg

Simulated Ettercap MITM Attack

To understand and ultimately defend yourself against an MITM attack, it can be helpful first to simulate an MITM attack yourself. Always keep in mind that this kind of experiment on a third-party network – including public WiFi – is likely to be punishable by law. On your own network, however, the security functions and barriers on the managed switches can easily be tested. Ettercap [2], in combination with Wireshark for observing the result, lets you flood the network traffic with fake ARP data. The tool is available for Linux and is included in the Kali Linux distribution, as is Wireshark. On Ubuntu, install Ettercap with the commands:

sudo apt update
sudo apt install ettercap-common

After starting Ettercap, you can start the sniffing process and display the list of local network hosts (Figure 3). Special settings are not necessary. Ettercap then displays the network devices it has found, which you can use for attacks. To start an MITM attack, click on a computer in the host list and select the Add to Target 1 tab.

Figure 3: Ettercap helps perform MITM attacks, which you can then analyze with Wireshark.

For an effective test, create a share and a text file with arbitrary content on the computer. You can then track access to the share, see when the file is opened, and view its content in Wireshark. Check the ARP cache on the computer beforehand with arp -a and make a note of the original MAC address of the computer with the share (see the "Another Analysis Tool: XArp" box). In the attack, swap the MAC address of the original computer with the MAC address of another computer, in this case the one on which you launched Ettercap. Up to this point, Ettercap has not performed any actions but has only read data on the network, just as an attacker would do.

Another Analysis Tool: XArp

In addition to Wireshark, tools such as XArp help detect fake entries in ARP tables. A combination of different tools can be useful, which together perform a comprehensive analysis or stress test on your own security architecture. One way to detect this kind of attack is to keep a close eye on the ARP table on the victim's computer. XArp does just that, effectively helping to detect ARP spoofing.

Unfortunately, XArp is no longer being maintained [3], although it might persist in distribution repositories, or someone might eventually revive the project.

Next, select another computer that you want to sniff for the test and click Add to Target 2. The target definitions can also be seen at the bottom of the window. The Ettercap computer can now sniff the data between the two devices, and you can, in turn, analyze the operations with Wireshark.

In Ettercap's upper right menubar is an icon with a globe. If you click on it, you can choose from different MITM attacks. To test an attack, it is best to select ARP poisoning and confirm that you want to start. The attack is now active and can be observed with Wireshark. Ideally, you will want to launch Wireshark on the computer that is running Ettercap. This attack can also be done with Kali Linux, as mentioned before; both tools are integrated. At any time, you can stop ARP poisoning in Ettercap or define other targets. After stopping the attack, the selected target systems again have the correct MAC address assignments after a short time.

Laughing Third Party

Launching Wireshark in parallel on the computer that you have defined as Target 2 is the easiest way to trace the attack. Open the share you created earlier and the file on the Target 2 computer, which is exactly what users would do when accessing data on the network. The two Wireshark instances capture the actions performed in the background.

If you again query the ARP cache on the Target 2 computer by typing arp -a, you will see that during an active MITM attack courtesy of Ettercap, the MAC address listed for Target 1 is identical to that of the Ettercap computer. The MITM computer has succeeded with its ARP attack and can spoof another computer. The client you defined as Target 2 assumes that the Kali computer with Ettercap is the Target 1 computer with the active share, allowing traffic to be recorded on the Kali computer, even though, from the perspective of Target 2, the data is running directly back and forth between Target 2 and Target 1 with no third machine involved – a typical MITM case.

Other computers will not notice this activity because the attack does not disturb the network. The entries you have made let the computer with Ettercap and its active Wireshark instance read data that is exchanged between Target 1 and Target 2. If the data is not encrypted, the Wireshark instance on the Ettercap/Kali client will help you extract the content of the data packets. You will find the corresponding captures on the Kali/Ettercap computer. Closing Ettercap on the MITM machine also ends ARP poisoning, and the attack is no longer visible.


Wireshark is as useful a tool for performing MITM attacks as it is for analyzing them. For this reason, it makes sense to take a close look at the tool's capabilities. One important feature is the filters: If you enable an ARP filter in Wireshark, using the example of the attack described previously, you can focus on the ARP-related network traffic (Figure 4). If you then use the SMB or SMB2 filter, you will also see the SMB traffic between the clients. With the SMB filter, all exchanges between Target 1 and Target 2 show up, including the content of the text file created and opened for this test.

Figure 4: An MITM attack can be detected quite quickly by changing the display filters for ARP and SMB.

Wireshark also has the filters arp.duplicate-address-frame and arp.duplicate-address-detected, which tell Wireshark to display, from a saved or live capture, the packets in which the same IP address is announced by different MAC addresses. Precisely this information can be seen in the Info column. If you find such packets on the network, you can assume that an attacker is trying to duplicate MAC addresses. If you click on such packets, the original MAC address of the respective systems can also be found during the analysis.
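The duplicate-address condition those two filters look for can also be checked outside Wireshark. The following Python script is an added example, not code from the article: it parses raw Ethernet/ARP reply frames and reports every IP address that has been announced by more than one MAC address; the frames, MAC and IP addresses are constructed for the example and do not come from a real capture.

```python
"""Flag ARP replies in which one IP is claimed by two different MACs, the
condition behind Wireshark's arp.duplicate-address-detected filter."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP reply frame (sample data only)."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (op, sender MAC, sender IP) as strings, or None for non-ARP frames."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    op, sha, spa = ARP_HDR.unpack_from(frame, ETH_HDR.size)[4:7]
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def find_duplicate_addresses(frames):
    """Map each sender IP to the MACs that announced it; return IPs claimed
    by more than one MAC, the signature of the ARP poisoning described above."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            claims[parsed[2]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample: Target 1 (.10) and Target 2 (.20) exchange legitimate
# replies, then the Ettercap host announces Target 1's IP with its own MAC.
T1_MAC, T2_MAC, MITM_MAC = (bytes.fromhex(h) for h in
                            ("aa1122334455", "bb1122334455", "cc1122334455"))
T1_IP, T2_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])
SAMPLE_FRAMES = [
    build_arp_reply(T1_MAC, T1_IP, T2_MAC, T2_IP),    # legitimate
    build_arp_reply(T2_MAC, T2_IP, T1_MAC, T1_IP),    # legitimate
    build_arp_reply(MITM_MAC, T1_IP, T2_MAC, T2_IP),  # poisoned reply
]

if __name__ == "__main__":
    for ip, macs in find_duplicate_addresses(SAMPLE_FRAMES).items():
        print(f"{ip} claimed by {', '.join(macs)}")
```

Fed with frames read from a pcap instead of SAMPLE_FRAMES, the same function gives you the list of IPs whose MAC binding changed during the capture, which is what you would cross-check against the arp -a output on Target 2.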
