Common Attacks: MITM And Sniffing
In computer networking and cybersecurity, two very common types of attacks are Man-In-The-Middle (MITM) and Sniffing. These attacks focus on intercepting communication between systems.
What Is Network Communication?
When you browse a website, send an email, or log in to an application, your device exchanges data with a remote system.
This communication travels through networks using packets (small chunks of data).
If the communication is not properly secured, an attacker can intercept or manipulate it.
What Is Sniffing?
Definition
Sniffing is the act of capturing and analyzing network traffic.
A person performing this attack uses a tool called a packet sniffer to monitor data flowing through a network.
Think of it like wiretapping a phone call — except it is digital.
How Sniffing Works
If passwords or sensitive data are sent without encryption, they can be stolen.
Types Of Sniffing
Passive Sniffing
Active Sniffing
Example Of Sniffing Using Python (Educational Purpose Only)
The following example shows how packet sniffing can be done using Python and the Scapy library.
```python
from scapy.all import sniff

# Called once for each captured packet; summary() gives a one-line description
def packet_callback(packet):
    print(packet.summary())

# Capture 10 packets on the default interface (raw capture needs root/administrator privileges)
sniff(prn=packet_callback, count=10)
```
Explanation:
- sniff() captures packets.
- prn specifies the function to call for each packet.
- count=10 captures 10 packets.
- packet.summary() prints basic information.
Important: This code must only be used in controlled lab environments.
What Is MITM (Man-In-The-Middle) Attack?
Definition
A Man-In-The-Middle attack occurs when an attacker secretly intercepts and possibly alters communication between two parties who believe they are communicating directly.
The attacker places themselves in the middle of the communication.
How MITM Works
Imagine:
User <----> Attacker <----> Server
Instead of:
User <----> Server
The attacker can:
Common Techniques Used In MITM
ARP Spoofing
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses.
An attacker sends fake ARP messages to trick devices into sending traffic to them.
DNS Spoofing
The attacker redirects users to fake websites by manipulating DNS responses.
SSL Stripping
The attacker downgrades HTTPS connections to HTTP to read traffic in plain text.
Simple ARP Spoofing Example (Educational Only)
Below is a simplified educational example using Scapy.
```python
from scapy.all import ARP, send

target_ip = "192.168.1.5"   # host whose ARP cache is poisoned
gateway_ip = "192.168.1.1"  # IP address the reply falsely claims

# op=2 is an ARP reply; psrc/pdst are the claimed and target IP addresses
arp_response = ARP(op=2, pdst=target_ip, psrc=gateway_ip)
send(arp_response, count=5)
```
Explanation:
- ARP(op=2) means ARP reply.
- pdst is the target.
- psrc is the spoofed source.
Again, this must only be used in ethical and controlled environments.
Difference Between MITM And Sniffing
| Feature | Sniffing | MITM |
|--------------|---------------------|------------------------------------|
| Purpose | Capture traffic | Intercept and manipulate traffic |
| Modification | No (passive) | Yes (often modifies data) |
| Complexity | Lower | Higher |
| Risk | Data exposure | Data theft and manipulation |
Why These Attacks Are Dangerous
They can lead to:
If traffic is not encrypted, attackers can see everything.
How To Prevent Sniffing And MITM
Use HTTPS
HTTPS encrypts communication using SSL/TLS.
Use VPN
VPN encrypts network traffic.
Enable Network Encryption
Use WPA3 instead of open Wi-Fi.
Use Certificate Validation
Validating server certificates prevents connections to fake websites.
Use ARP Inspection
Enterprise switches can detect ARP spoofing.
Keep Systems Updated
Security patches fix vulnerabilities.
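The ARP Inspection item above and the ARP spoofing section earlier describe the same signature from opposite sides: a reply that claims an IP already bound to a different MAC. Below is an added example, not part of the original article, of a minimal passive detector for that condition; it runs over constructed sample ARP packets with placeholder addresses, and the optional Scapy hook at the end is an assumption about how one would feed it live traffic.

```python
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    """Passive ARP watcher: learns IP->MAC bindings from replies and flags conflicts."""
    trusted: dict = field(default_factory=dict)  # static bindings the defender knows (e.g. gateway)
    learned: dict = field(default_factory=dict)  # bindings learned from observed replies
    alerts: list = field(default_factory=list)

    def observe(self, op, psrc, hwsrc):
        """Feed one ARP packet. Returns an alert string for a conflicting reply, else None."""
        if op != 2:                      # only replies carry the claim "psrc is at hwsrc"
            return None
        expected = self.trusted.get(psrc, self.learned.get(psrc))
        if expected is None:
            self.learned[psrc] = hwsrc   # first time this IP is seen: learn the binding
            return None
        if expected != hwsrc:
            alert = f"ARP conflict: {psrc} bound to {expected} but reply claims {hwsrc}"
            self.alerts.append(alert)
            return alert
        return None

# Constructed sample traffic (placeholder addresses): legitimate gateway and host replies,
# one request, then two spoofed replies claiming the gateway IP from another MAC.
SAMPLE_ARP = [
    (2, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (2, "192.168.1.5", "aa:bb:cc:00:00:05"),
    (1, "192.168.1.7", "aa:bb:cc:00:00:07"),
    (2, "192.168.1.1", "de:ad:be:ef:00:99"),
    (2, "192.168.1.1", "de:ad:be:ef:00:99"),
]

def run_sample(packets=SAMPLE_ARP):
    """Run the monitor over the sample and return (alerts, learned IP->MAC table)."""
    mon = ArpMonitor(trusted={"192.168.1.1": "aa:bb:cc:00:00:01"})
    for op, psrc, hwsrc in packets:
        mon.observe(op, psrc, hwsrc)
    return mon.alerts, dict(mon.learned)

# Assumed live hook (needs root): feed sniffed ARP packets into the same monitor.
#   from scapy.all import sniff, ARP
#   mon = ArpMonitor(trusted={"192.168.1.1": "aa:bb:cc:00:00:01"})
#   sniff(filter="arp", prn=lambda p: mon.observe(p[ARP].op, p[ARP].psrc, p[ARP].hwsrc))

if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

The trusted table mirrors what a switch's static ARP bindings provide: the spoofed replies never overwrite the gateway entry, so every repeat raises a fresh alert.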
```python
from scapy.all import sniff, ARP, send

# Sniffing example
def packet_callback(packet):
    print(packet.summary())

print("Sniffing 10 packets...")
sniff(prn=packet_callback, count=10)

# ARP spoofing example
target_ip = "192.168.1.5"
gateway_ip = "192.168.1.1"
arp_response = ARP(op=2, pdst=target_ip, psrc=gateway_ip)
print("Sending spoofed ARP packets...")
send(arp_response, count=5)
```