How does someone become a man in the middle?

There are many, many ways you can become a MITM, virtually at all layers of the networking stack - not only the physical one. Being physically close to your target can help, but is by no means a necessity.


At the physical layer, the attacks you can get are very overt: splice an Ethernet cable, use an optical tap, or capture radio signals.

A passive optical network tap - photo by Roens

Some active attacks can have physical access as a precondition - many others do not.


At the data link layer, passive attacks are incredibly easy: just put your network card into promiscuous mode and you can see all traffic on your network segment. Even on a modern (switched) cabled network, MAC flooding will ensure you can see more than you ought to.

For active attacks on local networks, ARP spoofing is quite popular and easy to perform - it basically makes your computer pretend it's someone else - usually a gateway, so that you trick other devices into sending traffic to you instead.

ARP spoofing - diagram by 0x55534C

Data link attacks work as long as you are connected to the same local network as your target.


Attacking the network layer is easy if you have physical access - you can just impersonate a router using any modern Linux machine.

If you don't have physical access, ICMP redirect attacks are kind of obscure, but sometimes usable.

Of course, if you have enough money in your pocket you can do it NSA-style and intercept routers when they are shipped to their destination by (snail) mail - just tweak the firmware a bit and you're good to go.

Attacks at the network layer can be performed from any point in the (internet) network route between the two participants - although in practice these networks are usually well defended.


I'm not personally aware of any attacks at the transport layer.


At the application layer, attacks can be a bit more subtle.

DNS is a common target - you have DNS hijacking and DNS spoofing. Cache poisoning attacks against BIND in particular were very popular a couple of years back.

DHCP spoofing (pretending to be a DHCP server) is quite easy to perform. The end result is similar to ARP spoofing, but less "noisy" on the network and possibly more reliable.

The broadest application layer attacks can be performed from anywhere on the internet.


TL;DR: Get the traffic routed through a system under your control and you have a MITM wherever you, the victim or the destination are.
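As an added illustration of the data link layer attacks described in this answer (example code, not part of the original answer or of any named tool), the following Python script shows what a defender watches for: it replays a constructed log of ARP replies and flags the two classic symptoms of ARP spoofing, an IP address suddenly claimed by a different MAC, and one MAC claiming several IP addresses (a station posing as both gateway and victim). The addresses, the log format and the trust-first-binding rule are assumptions for this example; arpwatch applies the same rule to live traffic.

```python
"""ARP spoofing detector over an ARP reply log (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # hardware address it wants bound to that IP
    target_ip: str     # host being told about the binding


# Constructed sample, fields are "ts sender_ip sender_mac target_ip".
# The gateway 192.168.1.1 and host .20 first answer with their real MACs;
# at t=5.5 a third station (de:ad:be:ef:00:99) starts claiming both.
SAMPLE_ARP_LOG = """\
0.000 192.168.1.1  aa:bb:cc:00:00:01 192.168.1.20
1.200 192.168.1.20 aa:bb:cc:00:00:20 192.168.1.1
5.500 192.168.1.1  de:ad:be:ef:00:99 192.168.1.20
5.501 192.168.1.20 de:ad:be:ef:00:99 192.168.1.1
5.502 192.168.1.1  de:ad:be:ef:00:99 192.168.1.20
9.000 192.168.1.30 aa:bb:cc:00:00:30 192.168.1.1
"""


def parse_arp_log(text):
    """Parse the whitespace-separated sample format into ArpReply records."""
    replies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sip, smac, tip = line.split()
        replies.append(ArpReply(float(ts), sip, smac.lower(), tip))
    return replies


def detect_arp_spoofing(replies):
    """Return a list of alert dicts, in time order, for suspicious bindings.

    The first MAC seen for an IP is trusted as the baseline (assumption:
    the capture starts on a known-clean network). A legitimate NIC swap or
    a VRRP failover also changes a binding, so alerts are for an analyst
    to review, not for automatic blocking.
    """
    baseline = {}                      # ip -> first MAC seen
    reported = set()                   # (ip, mac) pairs already alerted
    ips_by_mac = defaultdict(set)      # mac -> IPs it has claimed
    alerts = []
    for r in replies:
        known = baseline.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac and (r.sender_ip, r.sender_mac) not in reported:
            reported.add((r.sender_ip, r.sender_mac))
            alerts.append({"ts": r.ts, "reason": "binding-changed",
                           "ip": r.sender_ip, "old_mac": known,
                           "new_mac": r.sender_mac})
        claimed = ips_by_mac[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) == 2:      # fires once, when the 2nd IP appears
                alerts.append({"ts": r.ts, "reason": "mac-claims-multiple-ips",
                               "mac": r.sender_mac, "ips": sorted(claimed)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_LOG)):
        print(alert)
```

Run against the sample, the script reports the gateway binding change at t=5.5, the victim binding change at t=5.501, and the multiple-IP claim by the new MAC; the repeated claim at t=5.502 is deduplicated so a flood of gratuitous replies does not flood the alert log. Static ARP entries for the gateway, or dynamic ARP inspection on the switch, remove the condition the detector is looking for.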

A: Not quite.

First off, the internet is packet switched, so there might not be a single actual wire all packets go through.

To establish a MITM, that MITM must make sure the requests from the user get routed to him instead of the correct destination. There are several ways this can be done, for example:

  • In the local network by ARP spoofing of the gateway and/or DNS server,
  • In all networks on the route,
  • By returning his IP instead of the correct one from the victim's DNS server

After that is established, the MITM interacts with the actual destination on the victim's behalf, modifying data in between as the MITM likes.

The easiest way to establish this is in fact within the local network because those are usually less well monitored and/or governed. Also, they regularly have more consumer devices with more security risks that can, after being compromised, be used to redirect DNS requests to a server under MITM control.

Yet, as you can see from above: If you manage to set the DNS server of the victim to one under your control, you may very well do MITM from wherever you like.

The same is true for routing nodes/ISPs: You may advertise cheap routes to the destination using BGP to get all traffic routed through your system. Yet this is usually not feasible and/or possible for consumer connections.
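The DHCP spoofing mentioned in the first answer and the attacker-controlled DNS server this answer describes leave the same trace on a local segment: leases whose server, default gateway or resolver is not the one the network is supposed to have. The following Python audit, an added example that is not part of either answer, checks a constructed log of DHCP OFFER/ACK messages against an allow-list. The segment addresses, the allow-list values and the log format are assumptions for this example.

```python
"""Rogue DHCP server / resolver redirection audit (added example)."""
from dataclasses import dataclass

# Allow-list for the hypothetical 192.168.1.0/24 segment (assumed values).
AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}
EXPECTED_ROUTERS = {"192.168.1.1"}
EXPECTED_DNS_SERVERS = {"192.168.1.1", "9.9.9.9"}


@dataclass
class DhcpLease:
    ts: float
    msg_type: str       # OFFER or ACK
    server_id: str      # DHCP option 54, the server that answered
    client_ip: str      # yiaddr, the address handed to the client
    router: str         # option 3, default gateway
    dns: tuple          # option 6, one or more resolvers


# Constructed sample, one lease per line:
# "ts msg_type server_id client_ip router dns1[,dns2...]".
# The real server (.1) answers first. A second station at .77 also answers,
# first naming itself as gateway and an outside host as the only resolver,
# later leaving the gateway alone and changing only the resolver (the quiet
# variant that ARP-based monitoring would never see).
SAMPLE_DHCP_LOG = """\
10.0 OFFER 192.168.1.1  192.168.1.50 192.168.1.1  192.168.1.1,9.9.9.9
10.1 OFFER 192.168.1.77 192.168.1.50 192.168.1.77 203.0.113.5
12.0 ACK   192.168.1.1  192.168.1.50 192.168.1.1  192.168.1.1
15.0 ACK   192.168.1.77 192.168.1.51 192.168.1.1  203.0.113.5
"""


def parse_dhcp_log(text):
    """Parse the whitespace-separated sample format into DhcpLease records."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mtype, server, client, router, dns = line.split()
        leases.append(DhcpLease(float(ts), mtype, server, client, router,
                                tuple(dns.split(","))))
    return leases


def audit_leases(leases, servers=AUTHORIZED_DHCP_SERVERS,
                 routers=EXPECTED_ROUTERS, resolvers=EXPECTED_DNS_SERVERS):
    """Return (ts, server_id, [problems]) for every lease that deviates.

    Any one of the three checks is enough to warrant a look: an unknown
    server id means a second DHCP server is answering on the segment, and
    an unexpected router or resolver means clients are being pointed at a
    host that can sit in the middle of their traffic or their name lookups.
    """
    findings = []
    for lease in leases:
        problems = []
        if lease.server_id not in servers:
            problems.append("unauthorized-dhcp-server")
        if lease.router not in routers:
            problems.append("unexpected-router")
        if not set(lease.dns) <= resolvers:
            problems.append("unexpected-dns")
        if problems:
            findings.append((lease.ts, lease.server_id, problems))
    return findings


if __name__ == "__main__":
    for ts, server, problems in audit_leases(parse_dhcp_log(SAMPLE_DHCP_LOG)):
        print(f"t={ts:5.1f} server={server}: {', '.join(problems)}")
```

On the sample the audit flags both leases from the unexpected server; the second one would pass a gateway-only check, which is why the resolver list is compared as well. On managed switches the preventive counterpart is DHCP snooping, which drops server replies arriving on ports not marked as trusted.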


The adversary doesn't necessarily need to be physically located on the network route that they're hacking. They may have previously compromised a network device that is on the route, and thus be able to log in to it and conduct their attack from any location.