[Diagram: victim sends HTTP form to 192.168.1.100]
Reconnaissance — Find the Target Network
The attacker identifies a network with HTTP traffic — a coffee shop, hotel, school Wi-Fi, or corporate LAN. Tools like nmap scan for active hosts and open ports. The goal is to find a victim and a server communicating without encryption.
Positioning — Get Between Victim and Server
ARP Spoofing: The attacker sends forged ARP replies telling the victim "I am the router" and telling the router "I am the victim." Both devices update their ARP tables and begin sending traffic through the attacker's machine. Tools: arpspoof, ettercap, bettercap.
Rogue Hotspot: The attacker creates an open Wi-Fi network with a familiar name ("Coffee_Shop_Free"). Victims connect voluntarily — all their traffic flows through the attacker's machine by design.
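The ARP spoofing step leaves a footprint that is easy to watch for: a gateway IP that suddenly answers with a new MAC address, or one MAC address answering for two different IPs at once. The following detector is an added example (not from the original page or any tool it names); it runs over a constructed set of tcpdump-style ARP reply lines and returns alerts rather than printing them, so it can be dropped into a monitoring job.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style "ARP, Reply ... is-at ..." lines.
# Not captured from any real network; the third and fourth lines model a
# single host claiming to be both the router and the victim, and the last
# line models the ARP table settling back when the spoof stops.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:02.000 ARP, Reply 192.168.1.100 is-at 00:11:22:33:44:64, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:05.100 ARP, Reply 192.168.1.100 is-at de:ad:be:ef:00:99, length 28
10:00:30.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; ignore other lines."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(text, gateway_ip):
    """Return a list of alert strings for the two classic spoofing signals.

    1. An IP previously seen with one MAC now claims another; a change on
       the gateway's IP is rated HIGH because that is the usual target.
    2. One MAC answering for two or more IPs, as when a single machine
       impersonates both the router and a victim.
    """
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    for ts, ip, mac in parse_arp_replies(text):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts} {severity}: {ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} MEDIUM: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, "192.168.1.1"):
        print(alert)
```

Note that the final line of the sample also raises an alert: when the spoof stops and the real router's MAC reappears, that is a second MAC change for the gateway IP. A change back is still worth recording, since it timestamps the end of the window during which traffic was redirected.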
Intercept — Capture the Plaintext
With the attacker in the middle, packet capture begins. Because HTTP is unencrypted, the POST body of every form submission — including usernames, passwords, and session cookies — arrives as readable ASCII text. tcpdump, Wireshark, or mitmproxy log everything automatically. No cracking, no brute force — the credentials are just there.
Exploit (Optional) — Modify Traffic in Transit
Beyond passive reading, the attacker can modify responses before forwarding them. A page returned by the server can have malicious JavaScript injected into its HTML before the victim's browser receives it. This enables drive-by malware drops, credential form replacements, or cryptocurrency wallet address swaps — all invisible to the victim.
Exit — Cover Tracks
The attacker stops the ARP spoof (ARP tables restore themselves quickly), disconnects, and walks away with harvested credentials. The victim typically has no idea the attack occurred — their login appeared to work normally.
Always Use HTTPS
TLS encrypts the entire session. Even with a perfect network position, the attacker reads only indecipherable ciphertext, provided the client verifies the server's certificate rather than accepting any certificate presented to it. This is the single most important defense.
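The practical first step is to find the places where credentials still travel over plain HTTP. The audit below is an added example, not code from the original page: it parses a page's HTML with the standard library and reports every form that contains a password field and would submit to an http:// URL, whether because the page itself is served over HTTP or because an HTTPS page points its form action at an HTTP endpoint. The page URL and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect every <form>, noting where it submits and whether it carries
    a password input. Nested forms are invalid HTML, so one open form at a
    time is enough."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            action = a.get("action") or ""
            self._current = {
                "action": urljoin(self.page_url, action),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_plaintext_credential_forms(page_url, html):
    """Return the submit URLs of forms that would send a password over HTTP."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return [
        f["action"]
        for f in auditor.forms
        if f["has_password"] and urlsplit(f["action"]).scheme == "http"
    ]


# Constructed sample: an intranet login page served over plain HTTP.
# The first form posts back over HTTP (finding), the second hands off to an
# HTTPS single sign-on endpoint, the third has no password at all.
SAMPLE_PAGE_URL = "http://intranet.example/login"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/do-login">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
<form method="post" action="https://sso.example/login">
  <input name="user" type="text">
  <input name="pass" type="PASSWORD">
</form>
<form method="get" action="/search">
  <input name="q" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in find_plaintext_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("plaintext credential form submits to", url)
```

Run it against each login page of an application you operate (fetch the HTML first, over the scheme users actually reach it on); an HTTPS page whose form action is an absolute http:// URL is reported too, which catches the downgrade that a TLS-only check of the page URL would miss.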
HSTS
HTTP Strict Transport Security tells browsers to never connect to a domain over plain HTTP, even if a user types the URL without https://. This prevents SSL-stripping attacks. The browser learns the policy from a header on an HTTPS response, so the very first visit is unprotected unless the domain is on the browsers' HSTS preload list.
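The following added example (not code from the original page) shows both halves of HSTS: an audit of the Strict-Transport-Security header a server sends, flagging the settings that leave stripping possible, and a small model of a browser's HSTS cache that rewrites an http:// URL to https:// when a stored, unexpired policy covers the host, including parent-domain policies that carry includeSubDomains. The one-year minimum is the max-age the preload list requires; the host names and timestamps are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Minimum max-age accepted by the HSTS preload list: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header into a policy dict.

    Returns None when the header is absent or has no valid max-age, which
    is how a browser treats an unusable header: no policy is stored.
    """
    if not header_value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def audit_hsts(header_value):
    """Return the findings a reviewer would raise about the header."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no usable Strict-Transport-Security header: plain-HTTP downgrade possible"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 deletes the stored policy instead of enforcing one")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} is below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains remain strippable")
    if policy["preload"] and (
        policy["max_age"] < PRELOAD_MIN_MAX_AGE or not policy["include_subdomains"]
    ):
        findings.append("preload requested but preload-list requirements are not met")
    return findings


def apply_hsts(url, known_hosts, learned_at, now):
    """Model the browser side: upgrade http:// to https:// when a stored,
    unexpired policy covers the host. known_hosts maps host -> policy dict
    from parse_hsts; learned_at maps host -> the time the policy was stored,
    in the same units as now. A parent domain's policy applies only when it
    carries includeSubDomains."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = known_hosts.get(candidate)
        if policy is None:
            continue
        if now - learned_at[candidate] > policy["max_age"]:
            continue  # expired policy: the browser forgets it
        if i == 0 or policy["include_subdomains"]:
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    # Constructed headers: a strong one and a weak one.
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(repr(header), "->", audit_hsts(header) or ["ok"])
    cache = {"example.com": parse_hsts("max-age=31536000; includeSubDomains")}
    print(apply_hsts("http://login.example.com/account", cache, {"example.com": 0}, 1000))
```

The cache model makes the preload caveat concrete: with an empty known_hosts the http:// URL passes through unchanged, which is exactly the first-visit window that preloading closes.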
Certificate Pinning
Applications can pin a specific TLS certificate or public key, rejecting connections to impostors even if a rogue CA issues a fraudulent cert. Pinning is mainly used inside mobile and desktop applications that control their own TLS client; pinning a backup key as well avoids locking users out when the primary key is rotated.
Multi-Factor Authentication
Even if credentials are stolen, MFA requires a second factor (TOTP, hardware key) that the attacker cannot intercept from a network packet alone.
Use a VPN on Untrusted Networks
A VPN encrypts all traffic between your device and the VPN server, even on hostile networks. An MITM attacker on the local network sees only the encrypted VPN tunnel.
Check the Padlock
Before entering credentials, verify the URL begins with https:// and shows a padlock. Click the padlock to inspect the certificate's issuer and domain.