PenTest Edition: Creating A Man-in-the-Middle Attack using Cain & Abel [Tutorial]

A man-in-the-middle attack occurs when an attacker sits in the middle of the communication between two victim devices, secretly relaying information back-and-forth on their behalf. It can be thought of as active eavesdropping. The attacker cannot only see the communication traveling to-and-from the victim devices, but can also inject his own malicious traffic. With this attack, the hacker possesses the ability to capture personal identifiable information, login credentials, decrypt information, and so on. Furthermore, the man-in-the-middle attack is often the initiator for more dangerous attacks. In this demonstration, I’ll be sitting in between a target device and the router/gateway on a private network using Cain & Abel. This will allow me to see the target’s Web traffic.

As you read, you can follow along on this video demonstration I put together. All the IP addresses displayed are private or not globally routable.

The information provided on the cybersecurityman is for educational purposes only. I am in no way responsible for any misuse of the information provided. All the information here is meant to provide the reader with the knowledge to defend against hackers and prevent the attacks discussed here. At no time should any reader attempt to use this information for illegal purposes.

Step 1: Open Cain & Abel

Open up Cain & Abel. Navigate to the “Sniffer” tab on the top and then click the “Start/Stop Sniffer” button on the tool bar. Then, click the “+” or “Add to list” button to the right. This is going to open up Cain & Abel’s “MAC address scanner.”


Step 2: Scan for the Target

We can use the MAC address scanner to scan all the available hosts on the network with a ARP Request broadcast storm. Since I’m on a private network (, Cain & Abel is going to scan for all the available hosts between and As you recall from networking and IP addressing topics, the network ID address and the broadcast address are not reserved for hosts, so they won’t be matter.

Essentially, the scanner is asking each host, “who has the IP address 10.0.0.x? Please respond.” This is where is the host address number. Every available host address should respond if they have the IP address, including our target. So, make sure the “All Tests” checkbox is selected and then click OK.

mac address scanner.png

After the scan, the available hosts (their MAC address and matching IP address) should be now be displayed. The target should also be displayed: My target is 

scan results

It’s not the end of the world if your target did not show up. Just wait a few minutes and then scan again. Or, if you know the target’s IP address, you can open up the command prompt and ping it. Then scan again.


The target should reply with an ICMP echo reply, and this should make it active on the network and display on Cain & Abel.

Step 3: ARP Poison

The goal of this man-in-the-middle attack is to capture the target’s Web traffic. In order to do this, I will also want to target the gateway too. A gateway is the router that sits between the internal network and the Internet; it connects to dissimilar networks together. Like most default gateways, the gateway on my network has the IP address

While remaining on the Sniffer tab, navigate to the “APR” tab at the bottom. Click anywhere in the top pane and then click the “+” or “Add to list” sign at the top again. This will open the “New ARP Poison Routing” window. I’m going to highlight my two targets and and click OK. It means I’m going to intercept the traffic from the target to the gateway.

ARP poison.png

Step 4: ARP Poison the Targets

“Address Resolution Protocol (ARP)” is a protocol for mapping an IPv4 address to a physical machine address that is recognized on the local network.

Now that ARP poisoning is set and ready-to-go, I can click the “Start/Stop APR” button on the tool bar (It’s the radioactive symbol). This will change the status from “idle” to “poisoning,” as you can see below.


So, what exactly did I just do? I modified the ARP tables in the and devices. If I can explain this as simple as possible, it means that our target at thinks it’s communicating to the gateway, but it’s been fooled to communicate with me instead. In addition, the gateway at thinks it’s communicating with the target, but it’s also been fooled to communicate with me. Make sense? I’m basically sitting right in between both devices. I did this by changing the ARP entries in the ARP tables. Here’s an example of a legitimate ARP table I pulled up with the arp -a command on my own system:

arp table 1.png

Still confused? Cain & Abel allows you to screw with the ARP entries. Let’s keep it simple here though. Let’s say has the MAC address AAAA and has the MAC address BBBB. Each device has an ARP table that caches the correct IP-MAC address pairs on the network. This table is an easy-access matrix for communicating to devices on the network. But, if I ARP poison these devices, I can change the entries to my own MAC address, which we’ll say is CCCC. For example, I can change the addresses, and in effect, reroute communication to my computer. So, if this is the ARP table for below, it knows that if it wants to communicate with, it will send information to the device with the MAC address BBBB.

arp example

But, I can modify the ARP table entry and switch it with my own MAC address. Now, when wants to communicate with the gateway at, it will send the traffic to CCCC instead, which is me.

arp example 2

This is what ARP poisoning does. So, let’s take a step back and picture what this man-in-the-middle attack looks like:


Step 5: Monitor

With the man-in-the-middle attack initiated, I will be able to fully re-route the traffic going back and forth from and So, when the target requests a Web site, that request will travel to my computer. I will then forward the traffic to the gateway, and the gateway will then forward the traffic out onto the Internet to the Web server hosting that Web site. The Web server will send back the information in a response that was to the gateway. The gateway will then forward the response to me, and then I will pass it on to the target. The target and the gateway have no idea that I’m intercepting and forwarding their traffic.

Of course, with this attack, I will be able to see everywhere the target is going on the Internet. If passwords are entered, they will show up in the passwords tab (if it’s HTTP traffic) If there is a lot of https traffic, we can decrypt it with the sslstrip tool (if applicable because some Web browsers won’t allow it).


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: