BiTree

Live coding lessons for aspiring developers and security professionals.
© 2026 BiTree. All rights reserved.
45 min, Intermediate

Man-in-the-Middle Attacks

After this lesson, you will be able to: explain man-in-the-middle attacks and their vectors, use Bettercap/Ettercap/mitmproxy conceptually and in a lab, understand SSL stripping and why HSTS preloading defeats it, and explain the role of certificate pinning.

A man-in-the-middle sits between two parties without either knowing. This lesson covers MITM vectors (ARP poisoning, rogue Wi-Fi, DNS spoofing, BGP hijacking), the tools (Bettercap as the modern choice, Ettercap, mitmproxy), SSL stripping and HSTS, MITM against TLS and certificate pinning, and a Bettercap lab.

Prerequisites: ARP Spoofing and Poisoning

💡 Authorization first

Run MITM tooling only in an isolated lab you own or a sanctioned platform (TryHackMe). Intercepting other people's traffic is a serious crime.

What MITM is and its vectors

In a man-in-the-middle attack, the attacker relays and possibly alters communication between two parties who believe they are talking directly. Vectors include ARP poisoning (local LAN), rogue Wi-Fi access points (an 'evil twin' with the same SSID), DNS spoofing (answering lookups with attacker IPs), and at internet scale, BGP hijacking (announcing routes you do not own). The position is the same; only the technique to reach it differs.

The tools

Bettercap is the modern, actively maintained framework for LAN MITM: ARP spoofing, sniffing, and HTTP/HTTPS proxying in one tool. Ettercap is the older classic that automates MITM on a LAN. mitmproxy is an interactive HTTP/HTTPS intercepting proxy used heavily for app testing (you install its certificate on a device you control to inspect that device's traffic). Each is a different blend of automation and control.

SSL stripping and HSTS

SSL stripping downgrades a victim from HTTPS to HTTP: the attacker intercepts the initial plain-HTTP request (before TLS is negotiated) and keeps the victim on HTTP while talking HTTPS to the real server. The victim never gets the secure connection. HSTS defeats this by telling the browser to only ever use HTTPS for the domain, and HSTS preloading ships that rule in the browser itself, so even the very first request is HTTPS and there is no plain-HTTP moment to strip.
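The two halves of that defense can be checked in code: whether a server's Strict-Transport-Security header actually qualifies for the preload list, and how a browser that already knows a host is HSTS-only (from the shipped list or a cached header) upgrades the navigation before any packet leaves the machine. The following is an added example written for this lesson, not code from the page or from any of the tools it names. The header strings, the `PRELOADED` set and the host names are constructed, and the one-year minimum reflects the current hstspreload.org submission requirement.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# hstspreload.org requires a max-age of at least one year for submission.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy | None:
    """Parse a Strict-Transport-Security header value.

    Returns None when max-age is missing or malformed, which is how a
    browser treats such a header: it is simply ignored."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str) -> list[str]:
    """List what stops this header from qualifying for the preload list."""
    policy = parse_hsts(header)
    if policy is None:
        return ["max-age is missing or malformed; browsers ignore the header"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


def request_scheme(url: str, known_hosts: dict[str, bool]) -> str:
    """Scheme the browser will use for a navigation, decided before any
    packet is sent. known_hosts maps host -> includeSubDomains flag and
    stands in for the union of the shipped preload list and the HSTS
    entries the browser has cached from earlier visits. A parent-domain
    entry only covers this host when its includeSubDomains flag is set."""
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return "https"
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known_hosts and (i == 0 or known_hosts[candidate]):
            return "https"
    return "http"


# Constructed sample headers (not taken from any real site).
WEAK_HEADER = "max-age=300"
STRONG_HEADER = "max-age=63072000; includeSubDomains; preload"

# Constructed stand-in for the preload list shipped with the browser.
PRELOADED = {"bank.example": True}


if __name__ == "__main__":
    for h in (WEAK_HEADER, STRONG_HEADER):
        print(h, "->", preload_problems(h) or "eligible for preload")
    for u in ("http://bank.example/login", "http://www.bank.example/",
              "http://shop.example/"):
        print(u, "->", request_scheme(u, PRELOADED))
```

The point of `request_scheme` is that for a preloaded host the answer is `https` on a machine that has never contacted the site: the upgrade happens inside the browser, so there is no plain-HTTP request on the wire for a stripping proxy to hold on to. For `shop.example`, which is neither preloaded nor cached, the first navigation still goes out as HTTP, which is exactly the window the lesson describes.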

MITM against TLS and certificate pinning

To MITM TLS itself, an attacker must present a certificate the victim trusts. Normally the victim's browser rejects an untrusted certificate with a warning. Two failure modes: users click through certificate warnings (a systemic human problem), and on managed devices a malicious root certificate may be installed. Certificate pinning (common in mobile apps) hardcodes the expected certificate or public key, so even a 'valid' attacker certificate is rejected. Pinning is strong but operationally tricky (rotating a pinned cert can brick clients).
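The pin check itself and the rotation hazard are easy to show side by side. The code below is an added example for this lesson, not code from the page or from any app or library it mentions. It uses the pin format shared by HPKP and Android's Network Security Config (base64 of SHA-256 over the DER SubjectPublicKeyInfo) and the usual rule that any certificate in the presented chain may satisfy a pin. The byte strings standing in for SPKI blobs, the chain names and the pin sets are all constructed; a real client would pull the SPKI out of each parsed certificate.

```python
from __future__ import annotations

import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """A public-key pin as HPKP and Android Network Security Config express
    it: base64 of the SHA-256 digest of the DER SubjectPublicKeyInfo.
    Pinning the key rather than the whole certificate lets the cert be
    reissued for the same key without touching the pin set."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis: list[bytes], pins: set[str]) -> bool:
    """Pin validation runs after ordinary chain validation: the chain must
    already be trusted, and in addition at least one certificate in it
    (leaf or intermediate) must carry a pinned key. A chain issued by a
    trusted-but-unpinned CA therefore fails, which is the whole point."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def has_backup_pin(chain_spkis: list[bytes], pins: set[str]) -> bool:
    """A backup pin matches a key that is not in the currently served chain.
    Without one, rotating the key removes every matching pin at once and
    every deployed client is locked out."""
    served = {spki_pin(spki) for spki in chain_spkis}
    return any(pin not in served for pin in pins)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs; real ones come
# out of an X.509 parser, but the pin arithmetic is identical.
LEAF_KEY_CURRENT = b"constructed-spki:leaf-key-current"
LEAF_KEY_NEXT = b"constructed-spki:leaf-key-next"
INTERMEDIATE_KEY = b"constructed-spki:intermediate-ca"
ATTACKER_LEAF = b"constructed-spki:attacker-leaf"
OTHER_TRUSTED_CA = b"constructed-spki:other-trusted-ca"

CHAIN_NOW = [LEAF_KEY_CURRENT, INTERMEDIATE_KEY]
CHAIN_AFTER_ROTATION = [LEAF_KEY_NEXT, INTERMEDIATE_KEY]
# A chain that passes platform trust (a root the victim accepted or that
# was installed on the device) but is signed by a CA the app never pinned.
CHAIN_MITM = [ATTACKER_LEAF, OTHER_TRUSTED_CA]


def rotation_outcome(pins: set[str]) -> tuple[bool, bool]:
    """(connects today, connects after key rotation) for a given pin set."""
    return (chain_matches_pins(CHAIN_NOW, pins),
            chain_matches_pins(CHAIN_AFTER_ROTATION, pins))


if __name__ == "__main__":
    leaf_only = {spki_pin(LEAF_KEY_CURRENT)}
    with_backup = {spki_pin(LEAF_KEY_CURRENT), spki_pin(LEAF_KEY_NEXT)}
    print("MITM chain accepted:", chain_matches_pins(CHAIN_MITM, with_backup))
    print("leaf-only pins, before/after rotation:", rotation_outcome(leaf_only))
    print("pins with backup, before/after rotation:", rotation_outcome(with_backup))
```

Two things fall out of running it. The `CHAIN_MITM` chain is rejected even though nothing about it is invalid from the platform's point of view, which is what pinning buys over ordinary chain validation. And a pin set holding only the current leaf key connects today but fails the moment the key rotates; shipping a backup pin (or pinning the intermediate that will also sign the next certificate) is what keeps rotation from bricking installed clients.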

Lab: Bettercap MITM in an isolated environment

Two containers and Kali on a private network.

  1. On an isolated Docker network, run Kali plus a victim and a simple HTTP service container.
  2. On Kali: bettercap -iface eth0, then in the session enable net.probe and arp.spoof on the victim.
  3. Enable net.sniff and generate plain HTTP traffic from the victim; capture credentials.
  4. Switch the service to HTTPS with HSTS and repeat; observe the interception fail.
  5. For guided practice, complete the TryHackMe Bettercap room.

Quick Check

Why does HSTS preloading defeat SSL stripping even on the user's first visit?

Pick one.

Common mistakes only experienced testers catch

  • Assuming MITM 'breaks' TLS: it does not; it requires a trusted certificate that the victim must accept.
  • Relying on Ettercap when Bettercap is better maintained.
  • Forgetting that a certificate warning is the defense working, not a bug to click past.
  • Testing pinning bypass without realizing the app may have multiple pins.
  • Running any of this outside an authorized lab.
