Conducting Man-in-the-Middle Attack Simulation

When to Use

• Testing whether applications properly validate TLS certificates and enforce encrypted communications
• Demonstrating the risk of cleartext protocols (HTTP, FTP, Telnet, SMTP) to organization stakeholders
• Validating that HSTS, certificate pinning, and other anti-MITM controls are correctly implemented
• Assessing network detection capabilities for ARP spoofing, DHCP spoofing, and DNS spoofing attacks
• Training incident response teams to identify and respond to MITM attack indicators

Do not use on production networks without explicit written authorization and a rollback plan, against systems you do not own or have permission to test, or for intercepting communications of uninvolved third parties.

Prerequisites

• Written authorization specifying in-scope targets and approved MITM techniques
• Bettercap 2.x, Ettercap, and mitmproxy installed on the attacker machine
• Layer 2 access to the same network segment as target hosts
• Custom CA certificate for TLS interception testing (generated specifically for the engagement)
• Wireshark or tshark for capturing and verifying intercepted traffic
• Isolated lab environment or approved production test window with rollback procedures