Man in the middle attack

What is a man in the middle attack?

A man-in-the-middle attack comes in many variants and forms, but they are always based on the same principle: that of the children's game "telephone" (in German, "Stille Post").

Communication between two participants is conducted via a third participant, unknown or supposedly trustworthy, who intercepts and forwards the information sent between them and changes it if that is useful to him.

By this principle, proxies, VPNs and firewalls that use deep packet inspection also act as a man in the middle, albeit here to protect users.

Man of a thousand faces

A man-in-the-middle attack can take place in internal networks, on the Internet, and in all forms of wireless networks.

Man-in-the-middle attacks are primarily time-based attacks. The longer they can be operated, the more successful they are and the more disastrous their effects.

The targets of the attack

The most common goal is to obtain personal information, such as usernames, passwords, PINs or hashes, for access or identity theft. This information can also be obtained in the form of message histories or telephone transcripts. The distribution of malware is also a common goal.

How does a man in the middle attack work?

In internal networks, a man-in-the-middle attack can be carried out, for example, using NBT-NS (NetBIOS Name Service) or LLMNR (Link-Local Multicast Name Resolution) by linking the MAC address of the attacker with the IP address of another host (so-called spoofing).

With the increasing spread of IPv6, an attacker can also present himself as an IPv6 router in a network that is actually based only on IPv4, and thus gain access to sensitive data.

An attacker could also manipulate the DNS cache (DNS poisoning) in order to direct victims to fake websites or through a proxy, and then carry out clickjacking, for example.

Man in the Middle Attack on WiFi network

With WiFi networks, man-in-the-middle attacks can sometimes be carried out without much effort.

An attacker only has to set up a free WLAN hotspot and rely on the human factor or on the automatic connection function of the devices.

But even apart from the human factor and automatic connection, a man-in-the-middle attack can be carried out with an evil twin or rogue access point. When the attacker impersonates a legitimate access point by broadcasting the same SSID (Service Set Identifier), devices for which the attacker's signal is the stronger one will connect to it.

By flooding the devices or the legitimate access point with deauthentication frames, the attacker can get devices that are already connected to the other access point to log on to the evil twin.
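Both behaviours described above leave traces a wireless monitor can look for: a known SSID announced from an unknown BSSID, and an unusual rate of deauthentication frames. The following detection sketch is an added example, not part of the original article; the access point inventory, the threshold, the window and the frame records are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed inventory of legitimate access points: SSID -> allowed BSSIDs.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
DEAUTH_LIMIT = 5        # assumed threshold: deauth frames per claimed sender ...
WINDOW_SECONDS = 10.0   # ... inside this sliding window
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed observations: (timestamp, frame type, SSID, source address, destination)
FRAMES = [
    (0.0, "beacon", "CorpWiFi", "aa:bb:cc:00:00:01", BCAST),
    (0.1, "beacon", "CorpWiFi", "de:ad:be:ef:00:99", BCAST),   # same SSID, unknown BSSID
    (0.2, "beacon", "CoffeeShop", "11:22:33:44:55:66", BCAST), # not ours, ignored
    (60.0, "deauth", None, "aa:bb:cc:00:00:02", "10:20:30:40:50:60"),  # single, normal
] + [(1.0 + 0.5 * i, "deauth", None, "aa:bb:cc:00:00:01", BCAST) for i in range(8)]


def detect(frames, known_aps=KNOWN_APS, limit=DEAUTH_LIMIT, window=WINDOW_SECONDS):
    """Return alerts for unknown BSSIDs on known SSIDs and for deauth bursts."""
    alerts = []
    rogue_seen, flooding = set(), set()
    recent = defaultdict(deque)  # claimed sender -> timestamps of recent deauths
    for ts, kind, ssid, src, _dst in sorted(frames, key=lambda f: f[0]):
        if kind == "beacon" and ssid in known_aps and src not in known_aps[ssid]:
            if (ssid, src) not in rogue_seen:          # report each twin once
                rogue_seen.add((ssid, src))
                alerts.append(("evil_twin_suspect", ssid, src))
        elif kind == "deauth":
            # The sender address of a deauth frame can be forged, so the key is
            # the *claimed* sender and the signal is the rate, not the identity.
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:                  # drop frames outside window
                q.popleft()
            if len(q) > limit and src not in flooding:
                flooding.add(src)
                alerts.append(("deauth_flood", src, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(FRAMES):
        print(alert)
```

A BSSID can be copied just like an SSID, so a match against the inventory does not prove an access point is legitimate; the rate check on deauthentication frames is a second, independent signal.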

Defense from an attack

There is no single defense against man-in-the-middle attacks, only various building blocks that administrators and users can put together like a mosaic in order to offer the attacker as little attack surface as possible and to make the effort required of the attacker as high as possible.