by Ajedi32 3050 days ago
Since the other examples don't appear to have convinced you, how about this one: https://samy.pl/poisontap/

Visit a single HTTP page while that's plugged in and it'll trigger an exploit that siphons all non-secure-flagged cookies off of every popular site that doesn't use HSTS (including the config pages of insecure routers on your LAN), and installs a persistent backdoor in them so the attacker can continue accessing data on those sites even after you're no longer being MITM'd. And that's not even using any zero-days; it's just exploiting the inherent vulnerabilities in non-secure HTTP.

(Note that while the site I linked talks about a USB device the same attack can be carried out by any MITM, like a WiFi router or upstream ISP; it's not exclusive to local attackers.)
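The two properties the comment above leans on (cookies set without the Secure attribute, and hosts without HSTS) are both visible in a site's own response headers, so a defender can audit for them directly. The following is an added example, not code from the post or from the PoisonTap project; it takes a constructed list of header pairs and reports which cookies would be exposed to a plain-HTTP man-in-the-middle and whether HSTS is missing or too short:

```python
HSTS_MIN_AGE = 31536000  # one year, the floor browser preload lists require

def _directives(value):
    """Split 'a=b; c; d=e' into [('a','b'), ('c',''), ('d','e')] (case preserved)."""
    out = []
    for item in value.split(";"):
        k, _, v = item.strip().partition("=")
        if k:
            out.append((k.strip(), v.strip()))
    return out

def audit_headers(headers):
    """headers: iterable of (name, value) pairs from one HTTPS response.
    Returns {'insecure_cookies': [...], 'hsts_max_age': int|None, 'findings': [...]}."""
    insecure, findings, hsts_age = [], [], None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            directives = _directives(value)
            cname = directives[0][0]
            attrs = {k.lower() for k, _ in directives[1:]}
            if "secure" not in attrs:
                insecure.append(cname)
                findings.append(f"cookie {cname!r} lacks Secure: it rides along on plain http:// requests")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname!r} lacks HttpOnly: readable by script injected into an HTTP page")
        elif lname == "strict-transport-security":
            hsts_age = 0  # header present; max-age parsed below
            for k, v in _directives(value):
                if k.lower() == "max-age" and v.isdigit():
                    hsts_age = int(v)
    if hsts_age is None:
        findings.append("no Strict-Transport-Security header: the browser will still follow http:// URLs for this host")
    elif hsts_age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {hsts_age} is below one year")
    return {"insecure_cookies": insecure, "hsts_max_age": hsts_age, "findings": findings}

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS)["findings"]:
        print(line)
```

Run against the constructed sample it flags the `session` cookie and the absent HSTS header; a response with `Secure`/`HttpOnly` on every cookie and a one-year `max-age` produces no findings.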


Interesting, and point well made. Thanks!

Wait. This is a DHCP exploit on steroids. The MITM stuff is just possible because operating systems accept bonkers DHCP replies.

Yeah, the DHCP trick is what allows this particular method of conducting MITM via USB.

All the stuff it does _after_ becoming a MITM though are things that any MITM could do, regardless of how they became a MITM in the first place. (ARP spoofing, operating or compromising a Wi-Fi access point, etc.)