MITM cheat sheet

1 May 2023 30 minutes Author: Cyber Witcher

MITM attacks and methods of protection against them

One of the oldest and most dangerous attacks is the Man-In-The-Middle (MITM) attack. Literally, it translates as “man in the middle”, that is, when a hacker acts as an intermediary in the transmission of information. This type of attack is widespread and destructive. The essence of a man-in-the-middle attack is quite simple: a criminal secretly intercepts traffic from one computer and sends it to the final recipient, having previously read and modified it for his benefit. MITM attacks provide an opportunity to perform actions such as changing a cryptocurrency wallet to steal funds, redirecting a browser to a malicious website, or simply passively collecting information for further criminal use. The most obvious way someone can do this is when you’re using an unencrypted, public Wi-Fi network, like in airports or coffee shops. MITM attacks also occur at the network level.

DNS spoofing is a similar type of attack. Another approach is to create a rogue access point or to place a computer between the end user and a router or remote server. Fortunately, there are ways to protect yourself from MITM attacks. The main ones are to avoid public Wi-Fi hotspots and to use a VPN that encrypts all traffic between your computer and the outside world. We tried to collect all known MITM attacks and the methods of protection against them. The page also lists the tools for performing MITM attacks, some interesting attack cases and some related techniques. Almost none of the attack tools described here include a sniffer; they only perform the attack itself. A man-in-the-middle attack cheat sheet for pentesters and defense teams.

L2

Difficulty: low. Relevance: high

Description: The Address Resolution Protocol (ARP) is designed to map IP addresses to MAC addresses. Every device that needs to communicate on the network uses broadcast ARP requests to learn the MAC addresses of other machines. Almost all ARP spoofing tools use gratuitous ARP replies, that is, replies sent without any preceding ARP request. Although gratuitous ARP is useful, it is particularly dangerous because it can be used to convince a remote host that the MAC address of a system on the same network has changed and to dictate which address is now in use.

A typical example of an arp spoofing attack

  1. Before ARP spoofing, the ARP tables of hosts A and B hold each other's correct IP and MAC addresses, and traffic flows directly between A and B.

  2. During ARP spoofing, the attacking host C sends ARP replies to A and B that nobody requested (gratuitous ARP).

  3. Since the hosts accept gratuitous ARP, they update their own ARP tables, replacing the true MAC addresses of A and B with the MAC address of host C.

A successful attack is also possible in another way. When you monitor ARP activity on a network segment and notice an ARP request from the victim, you can try to send an ARP reply to the victim faster than the legitimate recipient of the request does. Some providers may accept this trick.

Attack tools:

  1.  Arpspoof  -i eth0 -t 10.10.10.10

  2.  Intercepter-NG – It can now be installed on Linux

  3.  Bettercap -T 10.10.10.10 -X --httpd --proxy-https --proxy – The old version of the tool is simpler, but there is also a new one written in Go. Note: Bettercap has a great sniffer inside.

Detection of attacks

  1.  XArp – Arpwatch for Windows

  2.  remarp – Arpwatch via SNMP

  3.  arpwatch – The program monitors all ARP activity on selected interfaces. When it notices anomalies, such as a MAC address changing while keeping an IP address or vice versa, it reports it to the syslog.
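To make the detection logic behind arpwatch concrete, here is an added example (not from the original page or from any of the tools above): a small Python monitor that parses raw ARP frames, tracks outstanding requests so it can flag replies nobody asked for, and reports IP-to-MAC changes. The frames it processes are constructed inline, and all MAC and IP addresses are made up.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Construct a raw Ethernet+ARP frame; used here only to create sample input."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else _mac(tha)
    eth = dst + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatch:
    """arpwatch-style monitor: learns IP->MAC bindings and reports anomalies."""

    def __init__(self):
        self.bindings = {}    # ip -> mac learned from the first frame that used it
        self.pending = set()  # (requester ip, requested ip) of unanswered requests
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        found = []
        if pkt["op"] == ARP_REQUEST:
            self.pending.add((pkt["spa"], pkt["tpa"]))
        elif pkt["op"] == ARP_REPLY:
            # A reply from spa to tpa should answer a request that tpa made for spa.
            key = (pkt["tpa"], pkt["spa"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                found.append(f"unsolicited (gratuitous) reply: {pkt['spa']} is-at "
                             f"{pkt['sha']}, sent to {pkt['tpa']}")
        known = self.bindings.get(pkt["spa"])
        if known is None:
            self.bindings[pkt["spa"]] = pkt["sha"]
        elif known != pkt["sha"]:
            found.append(f"changed ethernet address for {pkt['spa']}: {known} -> {pkt['sha']}")
        self.alerts.extend(found)
        return found


def demo():
    """Replay a constructed sequence: A resolves B legitimately, then host C
    claims B's address with a reply nobody asked for (the arpspoof pattern)."""
    a_mac, a_ip = "aa:aa:aa:aa:aa:01", "10.0.0.1"
    b_mac, b_ip = "bb:bb:bb:bb:bb:02", "10.0.0.2"
    c_mac = "cc:cc:cc:cc:cc:03"
    w = ArpWatch()
    w.observe(build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip))
    w.observe(build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip))
    w.observe(build_arp(ARP_REPLY, c_mac, b_ip, a_mac, a_ip))
    return w.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live segment the same `ArpWatch.observe` would be fed frames from a raw socket or pcap; the pending-request set should then be aged out, which this constructed replay does not need.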

Prevention of attacks

Manual ARP tables

Static ARP entries have limitations: they do not scale on larger networks, and on a wireless network they are difficult and almost impossible to maintain.

Creating encrypted connections

This method is also suitable for public networks, since all traffic is encrypted and it is impossible to intercept any user data.

Creating a VLAN on the switch

A VLAN is created on a switch that contains only the switch itself and a specific network device.

Patches

Utilities such as Anticap and Antidote can play an important role in preventing ARP spoofing. Anticap refuses to update an existing ARP cache entry with a different MAC address, which effectively prevents ARP spoofing but violates the ARP specification, and that is its real problem. Antidote prevents ARP poisoning in a different way: it compares each newly received ARP reply with the existing cache entry. If the new MAC address differs from the cached one, it checks whether the previously cached MAC address is still active. If the old MAC address is alive, it rejects the new one and adds the attacker's MAC address to a blacklist to stop further ARP poisoning attempts against the same host.

DAI

Dynamic ARP Inspection (DAI) on Cisco switches helps prevent man-in-the-middle attacks by not forwarding invalid ARP requests and replies to other ports in the same VLAN. DAI intercepts all ARP requests and replies on untrusted ports and validates each intercepted packet against the IP-to-MAC bindings collected by DHCP snooping. ARP packets that fail validation are dropped and can be logged by the switch for auditing, which stops ARP poisoning attacks. ARP packets arriving on trusted ports are not checked.

STP(RSTP, PVSTP, MSTP) spoofing

Difficulty: high. Relevance: average

Description: The Spanning Tree Protocol is designed to detect and prevent loops in a network with redundant paths between switches. Anyone who can emulate a device with a lower (better) root bridge ID, by connecting a new virtual device with a lower priority or by using an STP packet generation tool, can partially or fully intercept the traffic of the virtual network. As a rule, the attacker does not have a physical connection to both switches, so the described attack is rarely possible. In wireless networks, however, the situation changes, because the cable connection (the socket in the office) and the wireless connection (the access point) can terminate on different switches.

Attack tools

  1. Ettercap – Tool for Linux. Select the interfaces, then enable the "stp_mangler" plugin and run it.

  2. Yersinia -G – Yersinia has a GUI and an interactive console; select the network interfaces and run the MITM attack. The graphical interface is unstable, so you can use the interactive interface instead: yersinia -I

Protection technique

  1. Configuration tools that protect STP (Cisco).

  2. Disable STP on access ports (so that BPDUs from users are not accepted), enable port security on all user ports, and restrict physical access to network equipment.

VLAN hopping

Difficulty: medium. Relevance: none

Description: A virtual local area network (LAN) is a logical subnet that can group together a set of devices from different physical local area networks. Larger business computer networks often install VLANs to re-partition their network for better traffic management. VLANs work by applying tags to network frames and processing those tags in network systems, creating the appearance and functionality of network traffic that physically resides on the same network but acts as if it were separated between separate networks. VLAN hopping is a general name for attacks that involve accessing a VLAN that was initially (prior to the attack) inaccessible to the attacker.

It could be done in two ways:

1. The basic VLAN hopping attack (using DTP) works only on older Cisco switches. The attacker acts as a switch to trick a legitimate switch into creating a trunk link between them. Packets from any VLAN are allowed across a trunk link, so once the trunk is established the attacker gains access to traffic from every VLAN. This method is only effective when the legitimate switch is configured for trunk negotiation, which is the case when the interface is set to dynamic desirable, dynamic auto, or trunk mode. If the target switch port is in one of these modes, an attacker can generate a DTP message from their computer and a trunk can be formed.

2. Double tagging occurs when an attacker adds and manipulates tags in an Ethernet frame so that packets can be delivered into any VLAN. This attack takes advantage of how many switches process tags: most switches only remove the outer tag and forward the frame to their own VLAN ports. That said, the method only succeeds if the attacker belongs to the trunk's native VLAN. Another important point is that this attack is strictly one-way, since the return traffic cannot be encapsulated in the same way.

Attack tools

  1. Yersinia -G – Yersinia has a GUI and an interactive console; select the network interfaces and run the MITM attack. The graphical interface is unstable, so you can use the interactive interface instead: yersinia -I.

  2. Scapy – a Python program that allows the user to send, analyze, and spoof network packets. It can be used to create the specially crafted frames needed for this attack.

  3. Dtp-spoof.py -i eth0 sends a DTP Trunk packet out of eth0 using the MAC address of eth0. DTP-spoof is a security tool for verifying the Dynamic Trunking Protocol (DTP) configuration of switches. If the target switch is configured to negotiate the port mode, you can potentially set the target switch port to trunk mode, thereby gaining access to additional VLANs.

Protection technique

Basic VLAN hopping attack using DTP. This is only possible when interfaces are configured for trunk negotiation. To prevent VLAN hopping, implement the following mitigations:

  • Ensure that ports are not configured to auto-negotiate trunks by disabling DTP.

  • Do not configure any access port with the following modes: dynamic desirable, dynamic auto, or trunk.

  • Disable all interfaces not currently in use.

Double tagging. To prevent a double-tagging attack, keep the native VLAN of all trunk ports different from the user VLAN.
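As an added example (not part of the original page), the following Python code parses stacked 802.1Q tags and models what the description above says a switch does with a double-tagged frame, showing why a native VLAN that no user belongs to neutralizes the attack. The frames and VLAN numbers are constructed for the demonstration.

```python
import struct

TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8


def build_frame(dst, src, vlan_ids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Construct an Ethernet frame with zero or more stacked 802.1Q tags (sample input only)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:                                        # outermost tag first
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Return (VLAN IDs from outer to inner, ethertype of the payload)."""
    tags, off = [], 12
    while len(frame) >= off + 4:
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    return tags, struct.unpack("!H", frame[off:off + 2])[0]


def access_port_ingress(frame, native_vlan):
    """Model the first switch receiving `frame` on a user port whose uplink trunk uses
    `native_vlan`: report the VLAN the frame ends up in on the far side of the trunk."""
    tags, _ = parse_vlan_tags(frame)
    result = {"tags": tags, "final_vlan": native_vlan, "double_tagging": False}
    if not tags:
        return result                        # ordinary untagged access traffic
    if tags[0] == native_vlan and len(tags) > 1:
        # Native-VLAN traffic crosses the trunk untagged: the first switch strips the
        # outer tag, the second switch sees the inner tag and forwards into that VLAN.
        result["double_tagging"] = True
        result["final_vlan"] = tags[1]
    else:
        # The outer tag is not the native VLAN, so it stays on the frame across the
        # trunk and the inner tag is never examined; the frame stays in the outer VLAN.
        result["final_vlan"] = tags[0]
    return result


def demo():
    """Same double-tagged frame, once with native VLAN 1 (user VLAN) and once with an
    unused native VLAN 999, as the mitigation above recommends."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:01", [1, 20])
    return access_port_ingress(frame, native_vlan=1), access_port_ingress(frame, native_vlan=999)


if __name__ == "__main__":
    for r in demo():
        print(r)
```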

L3

SLAAC Attack

Difficulty: low. Relevance: high

Description: SLAAC is stateless address autoconfiguration, one of the ways to configure a host's network settings, like DHCPv4. SLAAC provides an IPv6 host with a prefix, prefix length, and default gateway address without a DHCPv6 server keeping state about the assigned addresses (hence "stateless"). The SLAAC process is used in both SLAAC-only and SLAAC + stateless DHCPv6 configurations. The main problem with this process is that an attacker can send a rogue RA to push their own configuration to hosts (for example, to become the default router on the link). All IPv6-enabled hosts are potentially vulnerable to SLAAC attacks, especially when IPv6 is enabled by default in the OS but the organization has not deployed IPv6 in any form. Another threat in RA comes from the ability to send DNS configuration through RA, so an attacker can spoof that as well: RFC 6106 – IPv6 Router Advertisement Options for DNS Configuration.

Attack tools

  1. Suddensix – a script that installs the tools used by security researcher Alec Waters in his post about the SLAAC attack. The script is somewhat outdated and works fine on Ubuntu 12.04 LTS. It is better to create a separate VM for it.

  2.  EvilFOCA – a great Windows tool for IPv6 MITM attacks. A GUI tool written in C# that allows IPv6 attacks, including SLAAC attack, DHCPv6 spoofing, and even SLAAC DoS, which means advertising fake routes to multiple RAs per link.

  3.  THC-IPv6 – a C IPv6 attack toolkit that, among many other options, allows you to perform RA attacks.

Protection technique

The easiest way to mitigate SLAAC attacks is to simply disable IPv6 on all hosts on the network. But this solution is only suitable for networks where the IPv6 stack is not in use and was only enabled due to misconfiguration.

Vendor implementations

Cisco implemented “IPv6 First Hop Security” technology, which is included in the Catalyst 6500, 4500, 3850, 3750, and 2960 series switches, 7600 series routers, and Cisco 5700 series wireless LAN controllers. RA Guard, DHCP Guard, and IPv6 Snooping are implemented. More information can be found here.

Juniper implemented RA Guard. There is one strange fact: the router-ad-guard documentation page mentions that only EX series platforms are supported. But the pages Configuring Stateless IPv6 Router Advertisement Guard and Configuring Stateful IPv6 Router Advertisement Guard mention that both EX and some QFX series platforms support RA Guard: EX2300 (15.1X53-D56), EX2300-VC (15.1X53-D56), EX3400 (15.1X53-D55), EX3400-VC (15.1X53-D55), EX4300 (16.1R1), EX4300-VC (16.1R1), EX4300 Multigigabit (18.2R1), EX4600 (18.3R1), EX4600-VC (18.3R1) and QFX5100 (18.2R1), QFX5110 (17.2R1), QFX5200 (18.2R1).

Unfortunately, Mikrotik did not implement such technologies. There is a presentation from a Mikrotik user meeting and the author advised to simply isolate the layer 2 network segment. No other valuable advice was found. The issue was also mentioned on the Mikrotik user forum in 2012.

Unfortunately, there are evasion techniques that defeat these protections by complicating traffic analysis (e.g. hiding RAs behind a Hop-by-Hop Options header). There is a draft RFC that describes evasion of RA Guard. The evasion technique is based on IPv6 packet fragmentation. Additional guidance on fragmentation is provided in RFC 6980 – Implications of IPv6 Fragmentation for Security with IPv6 Neighbor Discovery.

10 main ideas for solving the problem

RFC 6104 – IPv6 Rogue Router Advertisement Problem Announcement presented 10 main ideas to solve the Rogue RA problem:

  1. Configure the IPv6 address manually and disable auto-configuration to ignore RA messages.

  2. RA Snooping in L2 switches like DHCP Snooping, so RAs from wrong sources can be dropped.

  3. ACLs on managed switches can be used if the switch has an ACL mechanism that can block outbound ICMPv6 RAs on user ports (used for user access to the local network). Therefore, if such an ACL can be implemented on the platform in use, no user on the local network will be able to broadcast/unicast the RA.

  4. Secure Neighbor Discovery – SEND – RFC 3971 is a protocol that proposes the use of public key cryptography to secure communications between a router and hosts.

  5. Router Preference Option – This method is only suitable for accidental RAs from users. The idea is that the administrator sets all legitimate RAs to the "High" preference so that IPv6 hosts do not overwrite the configuration received from them with RAs that carry a "Medium" or "Low" preference. The Router Preference Option is defined in RFC 4191 – Default Router Preferences and More-Specific Routes.

  6. Rely on Layer 2 Admission Control – The idea is based on deploying 802.1x so that attackers cannot join the LAN to send RA and perform an attack.

  7. Using Host-Based Packet Filters – If there is an option to send configuration to user computers, host-based packet filters can be configured to only accept RAs from specific IPv6 addresses.

  8. Using an "Intelligent" Deprecation Tool – The idea is to watch link traffic for rogue RAs and deprecate them on the hosts by sending a deprecating RA that carries the rogue router's address with the Router Lifetime field set to 0, effectively attacking the attack traffic.

  9. Using Layer 2 Partitioning – The idea is that if each user or system is partitioned into a different Layer 2 environment, the impact of a particular rogue RA can be limited. This method causes increased costs for software and hardware.

  10. Adding Default Gateway/Prefix Options to DHCPv6 – Moving from SLAAC to DHCPv6 autoconfiguration partially solves the problem of default gateways and prefixes being sent by rogue RAs, but it brings the problem of rogue DHCPv6 servers instead. The second problem is that RAs are still used to tell hosts to use DHCPv6.

Section 4 of RFC 6104 contains a table that lists which mitigation methods apply to the two rogue RA cases: administrator error and user error.

Appropriate monitoring tools

There are some tools that can be useful for detecting and monitoring fake RA:

NDPMon allows you to select the following configuration options before compilation:

  • --enable-mac-resolv Determine the vendor by the OUI in the MAC address.

  • --enable-countermeasures The functionality of responding to attacks (which ones and how is not described).

  • --enable-syslogfilter Save the syslog to /var/log/ndpmon.lo.

  • --enable-lnfq Use libnetfilter_queue instead of PCAP (there are some installation requirements and ip6tables rules).

  • --enable-webinterface Publish HTML reports (requires a web server such as nginx/apache).

Ramond allows you to whitelist MAC addresses of defined legitimate routers, the prefix used for 6to4, and unknown prefixes. Based on this configuration, the tool monitors RA traffic to find fraudulent ones.

6MoN allows you to monitor the network status, including the DAD process and NS messages. DAD stands for Duplicate Address Detection and determines whether there is a duplicate address conflict on the network. NS stands for Neighbor Solicitation (ICMPv6 type 135) and is used to identify a neighbor on a link.
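An added example (not from the page or from NDPMon, Ramond or 6MoN) of the whitelist check these monitors perform: it parses an IPv6 Router Advertisement with its source link-layer, prefix and RDNSS (RFC 6106) options and flags RAs from routers or prefixes that are not expected. The packets, MAC addresses and prefixes are constructed, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25


def build_ra(src_mac, src_ip, prefix, prefix_len=64, router_lifetime=1800, dns=None, hop_limit=255):
    """Construct an IPv6 + ICMPv6 Router Advertisement (checksum left 0); sample input only."""
    opts = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0, 2592000, 604800, 0)
    opts += ipaddress.IPv6Address(prefix).packed
    if dns:
        opts += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(dns).packed
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0) + opts
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)   # next header 58 = ICMPv6
    ipv6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return ipv6 + icmp


def parse_ra(pkt):
    """Parse IPv6 header + RA; returns a dict or None if it is not a well-formed RA."""
    if len(pkt) < 56 or pkt[6] != 58 or pkt[40] != ND_ROUTER_ADVERT:
        return None
    lifetime = struct.unpack("!BBHBBHII", pkt[40:56])[5]
    ra = {"src_ip": str(ipaddress.IPv6Address(pkt[8:24])), "hop_limit": pkt[7],
          "router_lifetime": lifetime, "src_mac": None, "prefixes": [], "dns": []}
    off = 56
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:                 # RFC 4861: a zero-length option invalidates the packet
            return None
        body = pkt[off + 2:off + 8 * olen]
        if otype == OPT_SRC_LLADDR and len(body) >= 6:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and len(body) >= 30:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS:
            addrs = body[6:]          # 2 reserved + 4 lifetime bytes precede the addresses
            for i in range(0, len(addrs) - 15, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
        off += 8 * olen
    return ra


def check_ra(pkt, trusted_routers, trusted_prefixes):
    """Ramond-style check: return findings; an empty list means the RA is expected."""
    ra = parse_ra(pkt)
    if ra is None:
        return ["not a well-formed Router Advertisement"]
    findings = []
    if ra["hop_limit"] != 255:
        findings.append("hop limit != 255: RA was forwarded, not sent on-link (RFC 4861)")
    if ra["src_mac"] not in trusted_routers:
        findings.append(f"rogue RA from {ra['src_mac']} ({ra['src_ip']})")
    for p in ra["prefixes"]:
        if p not in trusted_prefixes:
            findings.append(f"unexpected prefix advertised: {p}")
    if ra["dns"] and ra["src_mac"] not in trusted_routers:
        findings.append(f"RDNSS (RFC 6106) from untrusted router: {', '.join(ra['dns'])}")
    return findings


def demo():
    """Constructed legitimate RA and a rogue RA that also pushes a DNS server."""
    trusted_routers = {"00:11:22:33:44:55"}
    trusted_prefixes = {"2001:db8:1::/64"}
    legit = build_ra("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", "2001:db8:1::")
    rogue = build_ra("de:ad:be:ef:00:01", "fe80::dcad:beff:feef:1", "2001:db8:bad::",
                     dns="2001:db8:bad::53")
    return (check_ra(legit, trusted_routers, trusted_prefixes),
            check_ra(rogue, trusted_routers, trusted_prefixes))


if __name__ == "__main__":
    for findings in demo():
        print(findings or "RA as expected")
```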

Hijacking HSRP (VRRP, CARP)

Difficulty: high. Relevance: high.

Description: Scapy scripts are the easiest way to build a PoC and take over the Active state of the group:

For HSRP:

For VRRP:
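The PoC scripts referenced above are not reproduced on the page. As an added example from the defender's side (not from the original page), here is a Python monitor for HSRPv1 hellos that flags Coup or Active claims from an unexpected router, priorities above the legitimate one, and use of the default plaintext key. The packets and addresses are constructed.

```python
import struct

HSRP_OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
HSRP_STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco\x00\x00\x00"     # HSRP's well-known default plaintext key


def build_hsrp(opcode, state, priority, group, virtual_ip, auth=DEFAULT_AUTH):
    """Construct a 20-byte HSRPv1 UDP payload (port 1985); sample input only."""
    hdr = struct.pack("!BBBBBBBB", 0, opcode, state, 3, 10, priority, group, 0)
    return hdr + auth.ljust(8, b"\x00")[:8] + bytes(int(o) for o in virtual_ip.split("."))


def parse_hsrp(payload):
    """Return the HSRPv1 fields, or None for a short or non-v1 payload."""
    if len(payload) < 20:
        return None
    version, opcode, state, _hello, _hold, priority, group, _ = struct.unpack("!BBBBBBBB", payload[:8])
    if version != 0:
        return None
    return {"opcode": HSRP_OPCODES.get(opcode, opcode), "state": HSRP_STATES.get(state, state),
            "priority": priority, "group": group, "auth": payload[8:16],
            "vip": ".".join(str(b) for b in payload[16:20])}


class HsrpWatch:
    """Monitor HSRP packets against the router that is supposed to be Active per group."""

    def __init__(self, expected_active):
        self.expected_active = expected_active   # group -> (router ip, its priority)
        self.alerts = []

    def observe(self, src_ip, payload):
        h = parse_hsrp(payload)
        if h is None:
            return []
        found = []
        if h["auth"] == DEFAULT_AUTH:
            found.append(f"group {h['group']}: default plaintext key 'cisco' in use")
        exp_ip, exp_prio = self.expected_active.get(h["group"], (None, None))
        if exp_ip is not None and src_ip != exp_ip:
            if h["opcode"] == "Coup" or h["state"] == "Active":
                found.append(f"group {h['group']}: {src_ip} sends {h['opcode']}/{h['state']}, "
                             f"expected Active router is {exp_ip}")
            if h["priority"] > exp_prio:
                found.append(f"group {h['group']}: {src_ip} advertises priority {h['priority']} "
                             f"above the legitimate {exp_prio}")
        self.alerts.extend(found)
        return found


def demo():
    """Legitimate Active/Standby hellos with a custom key, then a Coup from a third host."""
    w = HsrpWatch({1: ("10.0.0.1", 100)})
    w.observe("10.0.0.1", build_hsrp(0, 16, 100, 1, "10.0.0.254", auth=b"s3cret"))
    w.observe("10.0.0.2", build_hsrp(0, 8, 90, 1, "10.0.0.254", auth=b"s3cret"))
    w.observe("10.0.0.66", build_hsrp(1, 16, 255, 1, "10.0.0.254"))
    return w.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The same parser covers the monitoring side of VRRP only after swapping the header layout; VRRP's fields and multicast group differ, so they are not modelled here.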

RIPv2 Routing Table Poisoning

Difficulty: medium. Relevance: average. Conditions: RIP implemented; RIPv1 in use; RIPv2 authentication is disabled.

Description: There are three versions of RIP:

  1. RIPv1: The first version that appeared, described in RFC 1058;

  2. RIPv2: Improved by adding a version of the authentication mechanism, described in RFC 2453;

  3. RIPv3 or RIPng (Next Generation): Supports IPv6, described in RFC 2080.

The most common version is RIPv2. RIPv1 is not secure at all because it does not support message authentication, and there is a detailed description of exploiting RIPv1 by injecting a fake route. As specified in RFC 2453, a RIPv2 router must exchange routing information every 30 seconds. The idea behind the attack is to send fake RIP Response messages that contain the route the attacker wants to add. Although there is a dedicated multicast address for RIPv2 routers, 224.0.0.9, responses sent as unicast can also be accepted. This can, for example, increase the chance of an attack being detected compared with spoofed multicast routing messages. There is a good, short but detailed description of attacking a RIPv2 network without RIPv2 authentication, with an example using Scapy.

Attack tools

 t50 – multi-protocol traffic injection and network penetration testing tool. It supports RIP among many other protocols.

Protection technique

If a router is not configured to authenticate RIPv2 messages, it accepts unauthenticated RIPv1 and RIPv2 messages. The safest configuration is therefore to enable RIPv2 authentication so that the router does not accept unauthenticated RIPv1 and v2 messages, which prevents an unauthenticated router from injecting a route. This mechanism is described in RFC 2082 – RIP-2 MD5 Authentication, but it uses MD5, which is recognized as a weak hash function. A better option, using SHA-1, is described in RFC 4822 – RIPv2 Cryptographic Authentication.

Unfortunately, RIPv2 only supports plaintext and MD5 authentication. The former is useless against network sniffing; MD5 authentication holds up better against a passive attacker intercepting packets because it does not transmit the password in plain text. The RIPv2 Authentication configuration guide describes how to configure this feature on Cisco devices. Instructions for setting up MD5 authentication on Mikrotik are presented here. Instructions for configuring MD5 authentication on Juniper devices are provided here.
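As an added example (not from the page or from t50), the following Python code parses RIPv2 Response datagrams and reports the conditions this section describes as exploitable: no authentication entry, plaintext authentication, unicast delivery instead of 224.0.0.9, and updates from routers that are not on a trusted list. All packets and addresses are constructed.

```python
import socket
import struct

RIP_REQUEST, RIP_RESPONSE = 1, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
RIP_MCAST = "224.0.0.9"
AUTH_TYPES = {2: "plaintext", 3: "md5"}


def build_rip_response(routes, auth=None):
    """Construct a RIPv2 Response (sample input only). routes: (prefix, mask, next_hop, metric);
    auth: (type, 16-byte field) placed as the first entry, as RFC 2453/2082 require."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    if auth is not None:
        atype, field = auth
        pkt += struct.pack("!HH", AFI_AUTH, atype) + field.ljust(16, b"\x00")[:16]
    for prefix, mask, next_hop, metric in routes:
        pkt += struct.pack("!HH", AFI_IP, 0) + socket.inet_aton(prefix) + socket.inet_aton(mask)
        pkt += socket.inet_aton(next_hop) + struct.pack("!I", metric)
    return pkt


def parse_rip(payload):
    """Return {'command', 'auth', 'routes'} or None for malformed or non-v2 packets."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        return None
    cmd, ver, _ = struct.unpack("!BBH", payload[:4])
    if ver != 2:
        return None
    out = {"command": cmd, "auth": None, "routes": []}
    for off in range(4, len(payload), 20):
        afi, tag = struct.unpack("!HH", payload[off:off + 4])
        if afi == AFI_AUTH:
            if off == 4:                 # only the first entry may carry authentication
                out["auth"] = AUTH_TYPES.get(tag, tag)
            continue                     # the RFC 2082 MD5 trailer also uses AFI 0xFFFF
        ip, mask, nh = (socket.inet_ntoa(payload[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(3))
        metric = struct.unpack("!I", payload[off + 16:off + 20])[0]
        out["routes"].append((ip, mask, nh, metric))
    return out


def check_rip(src_ip, dst_ip, payload, trusted_routers):
    """Return findings for a captured RIPv2 datagram; an empty list means nothing suspicious."""
    r = parse_rip(payload)
    if r is None:
        return ["malformed or non-RIPv2 packet"]
    if r["command"] != RIP_RESPONSE:
        return []
    findings = []
    if r["auth"] is None:
        findings.append("unauthenticated Response: accepted by routers without RIPv2 auth")
    elif r["auth"] == "plaintext":
        findings.append("plaintext authentication: the key is readable by a passive sniffer")
    if dst_ip != RIP_MCAST:
        findings.append(f"Response sent unicast to {dst_ip} instead of {RIP_MCAST}")
    if src_ip not in trusted_routers:
        findings.append(f"Response from unknown router {src_ip}")
    for ip, mask, nh, metric in r["routes"]:
        if metric < 1 or metric > 16:
            findings.append(f"route {ip}/{mask}: invalid metric {metric}")
        if nh not in ("0.0.0.0", src_ip):
            findings.append(f"route {ip}/{mask}: next hop {nh} differs from the sender")
    return findings


def demo():
    """A legitimate MD5-authenticated multicast update, then an unauthenticated unicast
    update from an unknown host that advertises a default route to itself."""
    trusted = {"10.0.0.1"}
    legit = build_rip_response([("192.168.1.0", "255.255.255.0", "0.0.0.0", 1)],
                               auth=(3, struct.pack("!HBBI", 44, 1, 16, 1)))
    rogue = build_rip_response([("0.0.0.0", "0.0.0.0", "10.0.0.66", 1)])
    return (check_rip("10.0.0.1", RIP_MCAST, legit, trusted),
            check_rip("10.0.0.66", "10.0.0.5", rogue, trusted))


if __name__ == "__main__":
    for findings in demo():
        print(findings or "update as expected")
```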

EIGRP Routing Table Poisoning

Difficulty: medium. Relevance: average. Conditions: the EIGRP protocol is implemented in the network; no authentication of EIGRP messages is configured.

Description: EIGRP stands for Enhanced Interior Gateway Routing Protocol. It is Cisco's proprietary distance-vector routing protocol and uses the Diffusing Update Algorithm (DUAL). The main purpose of the protocol is to dynamically update the routing table and distribute routes to other routers. The main security problem arises when the data in an Update message is forged, e.g. to introduce an illegitimate route. In that case the router's routing table is changed so that traffic passes through a device controlled by the attacker, i.e. a MitM position is obtained.

Attack tools

Eigrp Tools – a Perl script that allows you to create EIGRP packets and send them to the network. It even lets you set the K1-K4 metrics and all EIGRP packet flags and fields. The script requires the libnet-rawip-perl and libnetpacket-perl packages to be installed. Some usage examples:

  • ./eigrp.pl --sniff --iface eth0 – sniff on an interface

  • ./eigrp.pl --file2ip update.dat --source 192.168.7.8 – replay traffic from a file

  • ./eigrp.pl --update --external --as 65534 --source 192.168.7.8 – send Update messages

EIGRP Security Tool – A Python script that allows you to create and send various EIGRP packets. The problem is that attempts to run the script failed because the scapy_eigrp module was not found. Also, the authors did not write any documentation for the tool even in the study description.

t50 – multi-protocol traffic injection and network penetration testing tool. Among many other protocols, it supports EIGRP traffic manipulation.

Protection technique

To protect the network from the propagation of unreliable routes, EIGRP provides a mechanism for verifying the authenticity of routing updates. It uses an MD5 keyed digest on each packet to prevent unauthorized devices from sending updates into the network, protecting legitimate routers from illegitimate route updates and router spoofing. The key is simply a configured string that must also be set on every device that is supposed to be legitimate. A detailed guide to configuring EIGRP MD5 authentication can be found here.

Unfortunately, MD5 is recognized as a weak hashing algorithm because of hash collisions. Cisco devices also support HMAC-SHA-256 authentication of EIGRP updates; a collision attack on SHA-256 is much harder than on MD5. A guide to EIGRP HMAC-SHA-256 authentication can be found here. Configuring an EIGRP stub routing area is also worthwhile, because it lets you define which types of routes the stub router should or should not receive queries for. More information about EIGRP Stub Routing can be found here.

Another best practice that reduces unwanted network traffic is to configure passive interfaces. The passive interface setting should be applied to access interfaces that face end devices rather than network devices. Instructions for configuring a passive interface in EIGRP and an explanation of how it works are provided on Cisco's documentation page.

ICMP Redirect

Difficulty: medium. Relevance: average.

Description: One of the purposes of ICMP is to dynamically change the routing table of end systems on the network. This remotely controlled dynamic routing was originally conceived to avoid sending traffic along a suboptimal route and to increase the fault tolerance of the network as a whole. It was assumed that a network segment could be connected to the Internet through several routers (rather than through one, as is usually the case), in which case the external network can be reached through any of the nearest routers. For example, the shortest path to some_host.site goes through "router A", and to another.site through "router B". If one of the routers fails, communication with the outside world remains possible through the other. In an ICMP Redirect attack, the route to a certain site (DNS name) in the routing table of host A (the victim) is changed so that the traffic from host A to that site goes through the attacker's PC.

Conditions for success:

  • The IP address of the new router must be in the same subnet as the attacked host itself.

  • You cannot add a new route for an IP address that is on the same subnet as the host itself.

  • The OS must support and process ICMP redirect packets. ICMP redirect processing is enabled by default in Windows (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect) and in some Linux distributions (check with cat /proc/sys/net/ipv4/conf/all/accept_redirects).
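An added example (not from the original page) that turns the conditions above into code: it parses an ICMP Redirect and applies the two subnet rules listed, the accept_redirects switch, and additionally the RFC 1122 (section 3.2.2.2) requirement that a redirect must come from the current first-hop gateway. The packets, host address and gateway are constructed.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5


def build_redirect(new_gw, orig_src, orig_dst):
    """Construct an ICMP Redirect (type 5, code 1 = redirect for host) that carries the
    original datagram's IP header plus 8 bytes; checksum left 0. Sample input only."""
    inner = struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 17, 0)
    inner += ipaddress.IPv4Address(orig_src).packed + ipaddress.IPv4Address(orig_dst).packed
    inner += bytes(8)                                   # first 8 bytes of the UDP payload
    return struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + ipaddress.IPv4Address(new_gw).packed + inner


def parse_redirect(msg):
    """Return (new gateway, destination the redirect applies to) as strings, or None."""
    if len(msg) < 28 or msg[0] != ICMP_REDIRECT:
        return None
    gw = str(ipaddress.IPv4Address(msg[4:8]))
    dst = str(ipaddress.IPv4Address(msg[24:28]))        # dst field of the inner IP header
    return gw, dst


def would_accept(msg, redirect_src, host_iface, current_gateway, accept_redirects=True):
    """Apply the acceptance rules a host uses. Returns (accepted, reason)."""
    if not accept_redirects:
        return False, "accept_redirects is disabled on this host"
    parsed = parse_redirect(msg)
    if parsed is None:
        return False, "not an ICMP redirect"
    gw, dst = (ipaddress.IPv4Address(x) for x in parsed)
    net = ipaddress.IPv4Interface(host_iface).network
    if gw not in net:
        return False, f"new gateway {gw} is not on the local subnet {net}"
    if dst in net:
        return False, f"destination {dst} is on the local subnet, no route is needed"
    if ipaddress.IPv4Address(redirect_src) != ipaddress.IPv4Address(current_gateway):
        return False, f"redirect did not come from the current first-hop gateway {current_gateway}"
    return True, f"route to {dst} via {gw} would be installed"


def demo():
    """Constructed host 10.0.0.5/24 behind gateway 10.0.0.1; the redirect names 10.0.0.66."""
    host, gateway = "10.0.0.5/24", "10.0.0.1"
    msg = build_redirect("10.0.0.66", "10.0.0.5", "93.184.216.34")
    return (would_accept(msg, gateway, host, gateway),            # source check passes
            would_accept(msg, "10.0.0.66", host, gateway),        # not from the gateway
            would_accept(msg, gateway, host, gateway, accept_redirects=False))


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```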

Attack tools

  1. Responder (example)

  2. Hping3 (example)

  3. Mitmf

  4. Bettercap (documentation)

Protection technique

Disable icmp redirection (example)

L4+

Difficulty: low. Relevance: high

Description: If a Windows client cannot resolve a hostname using DNS, it uses the Link-Local Multicast Name Resolution (LLMNR) protocol to query neighboring computers. LLMNR can resolve both IPv4 and IPv6 addresses. If that fails, the NetBIOS Name Service (NBNS) is used. NBNS is a protocol similar to LLMNR that serves the same purpose; the main difference is that NBNS works only over IPv4. The problem with this convenience is that when LLMNR or NBNS is used to resolve a query, any host on the network that claims to know the IP address of the queried host can respond, and even a response with incorrect information is treated as legitimate. An attacker can request NTLM authentication from the victim, causing the victim's device to send an NTLM hash that can then be subjected to a brute force attack.

It is also possible to perform WPAD spoofing. WPAD spoofing can be called a special case of LLMNR and NBNS spoofing. The Web Proxy Auto Discovery protocol is used for automatic HTTP proxy configuration. The device sends an LLMNR/NBNS request to the wpad host, obtains the corresponding IP address, and attempts to HTTP access the wpad.dat file containing the proxy configuration information. As a result, an attacker can spoof LLMNR/NBNS and provide the victim with their own wpad.dat file, causing all HTTP and HTTPS traffic to go through the attacker.

Attack tools

  1. Responder – it responds to LLMNR and NBNS requests, giving its own IP address as the answer for any requested hostname. Responder supports poisoning WPAD requests and serving a valid PAC wpad.dat file.

  2. Mitm6 – is a pentesting tool designed to spoof WPADs and pass credentials.

  3. Inveigh – is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to help penetration testers/red teams who find themselves limited by Windows.

Protection technique

  1. Disable LLMNR and NBNS. This can be done with a GPO.

  2. Create a DNS record with “WPAD” that points to the corporate proxy server. Therefore, the attacker will not be able to manipulate the traffic.

  3. Turn off “Automatic proxy settings”
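Beyond disabling LLMNR, defenders often detect active poisoners with a honeypot query: a name that cannot exist on the network should never receive an answer. Here is an added example (not from the original page or from Responder) in Python that builds such an LLMNR query, parses the responses and lists the hosts that answered; the packets and addresses are constructed, and sending and receiving on 224.0.0.252 port 5355 is left to the caller.

```python
import random
import socket
import struct

LLMNR_PORT = 5355
LLMNR_GROUP = "224.0.0.252"


def encode_name(name):
    """DNS-style label encoding used by LLMNR (RFC 4795 reuses the DNS message format)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Build an LLMNR A query for `name`; the caller sends it to LLMNR_GROUP:LLMNR_PORT."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    """Construct the answer a host would send for `name`; used here only as sample input."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    q = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return hdr + q + rr


def parse_response(data):
    """Return (txid, queried name, [IPv4 answers]) from an LLMNR response, or None."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or qd != 1:      # QR bit must be set; exactly one question
        return None
    off, labels = 12, []
    while off < len(data) and data[off] != 0:
        ln = data[off]
        labels.append(data[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln
    off += 5                               # terminating zero + QTYPE + QCLASS
    name = ".".join(labels)
    answers = []
    for _ in range(an):
        if off >= len(data):
            break
        if data[off] & 0xC0 == 0xC0:       # compression pointer back to the question name
            off += 2
        else:
            while off < len(data) and data[off] != 0:
                off += 1 + data[off]
            off += 1
        if off + 10 > len(data):
            break
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, name, answers


def detect_poisoners(txid, bogus_name, replies):
    """Honeypot check: every (source ip, packet) that answers the bogus name is a poisoner
    candidate, because no legitimate host owns that name."""
    hits = []
    for src_ip, packet in replies:
        parsed = parse_response(packet)
        if parsed is None or parsed[0] != txid or parsed[1].lower() != bogus_name.lower():
            continue
        hits.append((src_ip, parsed[2]))
    return hits


def demo():
    """Constructed replies: one poisoner answering the honeypot name, one unrelated packet."""
    txid, bogus = 0x1234, "wpad-honey-7f3a"
    replies = [("10.0.0.66", build_response(txid, bogus, "10.0.0.66")),
               ("10.0.0.9", build_response(0x9999, "other", "10.0.0.9"))]
    return detect_poisoners(txid, bogus, replies)


if __name__ == "__main__":
    print(demo())
```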

DHCP spoofing

Difficulty: medium. Relevance: average.

Description: The goal of this attack is to use an attacker’s host or device as a default gateway and force clients to use a fake Domain Name Service (DNS) and Windows Internet Name Service (WINS server) configured by the attacker. The attacker’s task is to configure a fake DHCP server on the network to provide DHCP addresses to clients and exhaust the pool of IP addresses from other legitimate DHCP servers (DHCP Starvation attack).

Conditions for success

  • A client obtains an IP address from a fake DHCP server faster than from a legitimate DHCP server.

  • The legitimate server has exhausted the pool of addresses to be provided (DHCP Starvation attack).

DHCP Starvation attack

  • An attacker requests an IP address from a DHCP server and receives it.

  • The attacker’s MAC address changes and he requests the next, different IP address masquerading as a new client.

  • These actions are repeated until the entire pool of IP addresses on the server is exhausted.

Attack tools for DHCP starvation

  • DHCPig

  • nmap to discover a DHCP server (nmap -n --script=broadcast-dhcp-discover)

  • metasploit modules (example)

  • use scapy for starvation attack DHCP (example)

Attack tools for DHCP spoofing

  1. yersinia

  2. mitmf

  3. Ettercap

Protection technique

Enable DHCP snooping. This is an L2 switch feature designed to protect against DHCP attacks. For example, a DHCP spoofing attack or a DHCP starvation attack. On Cisco switches:

  • Switch(config)#ip dhcp snooping vlan 10 – enable DHCP snooping for VLAN 10

  • Switch(config)#interface fa 0/1 – enter the configuration of a specific interface

  • Switch(config-if)#ip dhcp snooping trust – mark the interface as a trusted port (by default all ports are untrusted, and the DHCP server must not be connected to them)

  • Switch(config)#ip dhcp-server 10.84.168.253 – specify the address of a trusted DHCP server reachable through a trusted port.

Important: by default, when DHCP snooping is enabled, the switch also verifies MAC address matching. It checks whether the client hardware address carried inside the DHCP request matches the source MAC address of the frame; if they do not match, the switch discards the packet.
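An added example (not from the page or from Cisco's implementation) that models the DHCP snooping decisions described above in Python: server messages on untrusted ports are dropped, server identifiers are compared with the trusted server list, and a client request whose hardware address does not match the frame's source MAC (the starvation pattern) is dropped. The messages and addresses are constructed; the trusted server address is the one used in the commands above.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_DISCOVER, DHCP_OFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_dhcp(op, msg_type, chaddr, xid=0x3903F326, yiaddr="0.0.0.0", server_id=None):
    """Construct a minimal BOOTP/DHCP message (sample input only)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)          # broadcast flag set
    hdr += bytes(4) + _ip(yiaddr) + bytes(8)                              # ciaddr yiaddr siaddr giaddr
    hdr += _mac(chaddr).ljust(16, b"\x00") + bytes(192) + MAGIC_COOKIE     # chaddr, sname, file
    opts = bytes([53, 1, msg_type])                                        # DHCP message type
    if server_id:
        opts += bytes([54, 4]) + _ip(server_id)                            # server identifier
    return hdr + opts + b"\xff"


def parse_dhcp(payload):
    """Return op, client hardware address, message type and server identifier, or None."""
    if len(payload) < 241 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, htype, hlen = payload[0], payload[1], payload[2]
    chaddr = ":".join(f"{b:02x}" for b in payload[28:34]) if (htype, hlen) == (1, 6) else None
    opts, off = {}, 240
    while off < len(payload) and payload[off] != 255:
        if payload[off] == 0:            # pad option
            off += 1
            continue
        if off + 1 >= len(payload):
            break
        ln = payload[off + 1]
        opts[payload[off]] = payload[off + 2:off + 2 + ln]
        off += 2 + ln
    msg_type = opts[53][0] if opts.get(53) else None
    server_id = ".".join(str(b) for b in opts[54]) if len(opts.get(54, b"")) == 4 else None
    return {"op": op, "chaddr": chaddr, "msg_type": msg_type, "server_id": server_id}


def dhcp_snoop(port_trusted, src_mac, payload, trusted_servers):
    """Decide, as a DHCP-snooping switch would, whether to forward the message.
    Returns (forward, reason)."""
    m = parse_dhcp(payload)
    if m is None:
        return False, "malformed DHCP message"
    if m["op"] == BOOTREPLY:
        if not port_trusted:
            return False, "server reply on untrusted port: rogue DHCP server"
        if m["server_id"] and m["server_id"] not in trusted_servers:
            return False, f"server identifier {m['server_id']} is not a trusted server"
        return True, "server reply on trusted port"
    if m["chaddr"] != src_mac:
        return False, f"chaddr {m['chaddr']} does not match source MAC {src_mac}"
    return True, "client request"


def demo():
    """Four constructed cases: honest Discover, starvation Discover, rogue Offer, good Offer."""
    trusted = {"10.84.168.253"}
    client = "aa:bb:cc:dd:ee:01"
    ok_discover = dhcp_snoop(False, client, build_dhcp(BOOTREQUEST, DHCP_DISCOVER, client), trusted)
    starvation = dhcp_snoop(False, client,
                            build_dhcp(BOOTREQUEST, DHCP_DISCOVER, "02:00:00:00:00:99"), trusted)
    rogue_offer = dhcp_snoop(False, "de:ad:be:ef:00:01",
                             build_dhcp(BOOTREPLY, DHCP_OFFER, client, yiaddr="10.0.0.50",
                                        server_id="10.0.0.66"), trusted)
    good_offer = dhcp_snoop(True, "00:11:22:33:44:55",
                            build_dhcp(BOOTREPLY, DHCP_OFFER, client, yiaddr="10.0.0.50",
                                       server_id="10.84.168.253"), trusted)
    return ok_discover[0], starvation[0], rogue_offer[0], good_offer[0]


if __name__ == "__main__":
    print(demo())
```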

Rogue DHCP (DHCPv6)

Difficulty: low. Relevance: high.

Description: An IPv6 client sends a Solicit message to All_DHCP_Relay_Agents_and_Servers to find available DHCP servers. Any server that meets the client's requirements responds with an Advertise message. The client then selects one of the servers and sends it a Request message asking it to confirm the address assignment and other configuration information. The server responds with a Reply message containing the confirmed addresses and configuration. This exchange looks similar to DHCPv4, so the attacker's main goal is to use a fake DHCPv6 server to redirect the victim's traffic to themselves. An attacker can intercept the client's DHCP request and respond while pretending to be a DHCPv6 server, assigning configuration parameters (such as the DNS server address) that the victim will then use.

Attack tools

  1. mitm6

  2. Some scenarios scapy python (example)

  3. snarf

Protection technique

  1. On Cisco devices, enable the policy dhcpv6 guard (example)

  2. Disable IPv6 if you are not using it

Wireless

Karma attacks (Wi-Fi)

Difficulty: low. Relevance: high.

Description: The KARMA attack abuses the way clients probe for nearby wireless networks. A Wi-Fi access point periodically sends beacon frames carrying the network SSID, which identifies the Wi-Fi network. When a client receives a beacon frame with an SSID it remembers, it can associate with that wireless network. Vulnerable client devices broadcast probe requests for their "preferred network list" (PNL), which contains the SSIDs of access points they have previously connected to and are ready to rejoin automatically without user intervention. These broadcasts can be received by any Wi-Fi access point in range. In a KARMA attack, the access point obtains this list and then assigns itself an SSID from the PNL, becoming an evil twin of an access point the client already trusts. As a result, the client connects to a network different from the one the user expects, and the attacker can then perform MITM or other attacks against the client system.

Today, however, most modern network managers have countered the KARMA attack by switching to passive scanning; instead of randomly sending probe request frames, network managers now wait for a beacon frame with a known ESSID before contacting the wireless network. Although this countermeasure reduced the effectiveness of the KARMA attack, a second feature exploited by KARMA, the Auto-Connect flag, which allows stations to automatically join previously connected networks, has remained intact in almost every modern operating system. An attacker who can guess the SSID in a victim’s preferred network list will be able to transmit the appropriate beacon frame and automatically associate that device with an access point controlled by the attacker. In a more sophisticated version of the attack, the attacker can use a “dictionary” of common SSIDs that the victim has likely connected to in the past.

Attack tools

  1. Wifiphisher – The Rogue Access Point Framework

  2. Hostapd-mana – a full-featured rogue Wi-Fi access point tool. It can be used for a variety of purposes: tracking and de-anonymizing devices (Snoopy), collecting corporate credentials from devices that try to authenticate with EAP (aka WPE), or getting as many devices as possible to connect in order to perform MitM attacks.

  3. WIFI PINEAPPLE – Wi-Fi pentest cheats and toolkit. How to power up the MK5 Karma attack with the Dogma PineAP mod: here.

  4. FruityWIFI – an open source tool for auditing wireless networks. It lets the user deploy advanced attacks directly from the web interface or by sending it a message. The app was originally built for the Raspberry Pi, but can be installed on any Debian-based system.

Protection technique

  • Pay attention to the Wi-Fi networks your device connects to

  • Don’t use public Wi-Fi or use it very sparingly

  • Create an encrypted connection (VPN, etc.)

Data sniffing

Data injections

  • Malicious JS in HTML

  • HTA

Modification of data

  • Wsus

  • DNS hijacking

Notes of a hacker

The difference between the technology stack (or why most of these attacks are not possible from your laptop.)

Network equipment has the same general-purpose CPUs: MIPS or ARM in basic SOHO routers, multi-core x86 in more serious boxes. What matters is the NICs, with multiple hardware queues and special NIC<->software communication methods (explicit ring buffering, heavy DMA usage). So you can’t just connect to the network and enable spoofing; it can crash the network right away. The small network adapter in your laptop simply cannot cope with a large flow of data and will start dropping it. You need to choose the optimal number of hosts to spoof at the same time (roughly fewer than 4).

Attack device

Possible candidate: MikroTik hAP AC.

SSLStrip, SSLStrip+, HSTS

SSLStrip is a technique that replaces a secure (HTTPS) connection with an open (HTTP) connection. This attack is also known as an HTTP downgrade. It intercepts HTTP traffic and, whenever it detects redirects or links to sites using HTTPS, transparently rewrites them to HTTP. Instead of the victim connecting directly to the website, the victim connects to the attacker, and the attacker opens a connection to the website on the victim’s behalf. The interceptor establishes an encrypted HTTPS connection to the web server and returns the traffic to the site visitor in unencrypted form. With the advent of HSTS, this no longer works. More precisely, it doesn’t work where HSTS is enabled.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from protocol downgrade (SSL stripping) attacks. It allows web servers to declare that web browsers should interact with it using only secure HTTPS connections and never over insecure HTTP.

HSTS is an IETF standards-track protocol described in RFC 6797. HSTS works by having the server respond with a special header called Strict-Transport-Security, which tells the client that when it reconnects to the site it should use HTTPS. The header contains a “max-age” field that specifies how long the rule remains in effect after it was last received. It also has an optional includeSubDomains directive; if it is present, the rule also applies to all subdomains of the site. But not everyone configures HSTS the same way.

That’s how SSLstrip++ was born, a tool that transparently intercepts HTTP traffic on the network, traces HTTPS links and redirects, and then maps those links to lookalike HTTP links or homographic HTTPS links. One of the disadvantages of HSTS is that it only takes effect after a prior secure connection to a particular site. When a visitor first connects to a website, they have not yet received the HSTS rule that tells them to always use HTTPS. Only on subsequent connections does the visitor’s browser know about the HSTS rule requiring HTTPS.

HSTS preload lists are one potential solution to this problem. They work by hard-coding into the browser a list of websites that must only be reached over HTTPS. The Google Chrome source code contains a file listing the HSTS properties of every domain in the preload list, with each record formatted as JSON.
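The three paragraphs above describe the browser side of HSTS: the header is only honoured when received over HTTPS, it expires after max-age seconds, includeSubDomains extends it to subdomains, and the preload list closes the first-visit gap. The simulation below is an added example written for this cheat sheet, not code from sslstrip, any browser, or the RFC; it models a browser’s known-HSTS-hosts store so you can see on which visit a downgrade would still succeed. Host names, header values and the preload excerpt are constructed, and the preload JSON is only loosely modelled on the shape of Chromium’s list.

```python
"""Model of a browser's HSTS cache (RFC 6797 semantics), added for illustration."""
import json
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security value.

    Returns {'max_age', 'include_subdomains', 'preload'} or None when the
    header is invalid (max-age missing or non-numeric), in which case a
    browser ignores it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def load_preload(json_text):
    """Turn a constructed preload-list excerpt into {host: include_subdomains}."""
    data = json.loads(json_text)
    return {e["name"]: bool(e.get("include_subdomains", False))
            for e in data["entries"] if e.get("mode") == "force-https"}


class HstsCache:
    """Known-HSTS-hosts store: host -> (expiry timestamp, include_subdomains)."""

    def __init__(self, preload=None, clock=time.time):
        self.clock = clock
        self.entries = {host: (float("inf"), sub) for host, sub in (preload or {}).items()}

    def observe_response(self, host, over_https, header):
        """Record a policy from a response. Returns True if the cache changed.

        A header seen over plain HTTP is ignored: a man in the middle could
        have injected it, so only an authenticated TLS response counts.
        """
        if not over_https or not header:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:            # max-age=0 deletes the entry
            return self.entries.pop(host, None) is not None
        self.entries[host] = (self.clock() + policy["max_age"], policy["include_subdomains"])
        return True

    def must_use_https(self, host):
        """True if the browser would upgrade an http:// URL for this host.

        Exact match always applies; a superdomain entry applies only when it
        was recorded with includeSubDomains. Expired entries are skipped.
        """
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at >= now and (i == 0 or include_sub):
                return True
        return False


# Constructed excerpt in the rough shape of a preload list.
PRELOAD_JSON = '{"entries": [{"name": "preloaded.example", "mode": "force-https", "include_subdomains": true}]}'


def downgrade_window(host, header, preload_json=PRELOAD_JSON):
    """Return (first visit strippable, second visit strippable) for a host."""
    cache = HstsCache(preload=load_preload(preload_json))
    first = not cache.must_use_https(host)
    cache.observe_response(host, over_https=True, header=header)
    second = not cache.must_use_https(host)
    return first, second


if __name__ == "__main__":
    print("bank.example:", downgrade_window("bank.example", "max-age=31536000; includeSubDomains"))
    print("preloaded.example:", downgrade_window("preloaded.example", "max-age=31536000"))
```

The `downgrade_window` result makes the page’s point concrete: a non-preloaded host is strippable on the first visit and protected afterwards, while a preloaded host is never strippable. Note also the subdomain case: a policy sent without includeSubDomains leaves `login.bank.example` unprotected even after `bank.example` has been cached, which is the kind of inconsistent configuration SSLstrip++ looks for.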

Attack tools

  1. sslstrip – is a MITM tool that implements Moxie Marlinspike’s SSL stripping attacks.

  2. sslstrip2 – the new version of Moxie’s SSLstrip (http://www.thoughtcrime.org/software/sslstrip/) with a new feature to bypass the HTTP Strict Transport Security (HSTS) protection mechanism.
