by Control8894 749 days ago
I disagree. So does Wikipedia ("where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties ... for example, an attacker within range of an Wi-Fi access point hosting a network without encryption could insert themselves as a man in the middle") and so I believe do most people.

"Active MITM" would be how you describe someone who does modify traffic.

And an attacker in each of the scenarios GP mentioned can modify traffic. (For ISP/attacker-controlled networks it's trivial; for other networks you just need to ARP spoof)


There's no "relaying" when the attacker just captures unencrypted WiFi packets from the air, or more traditionally, splits some light out of the fiber line.
I hate to agree but they are right. Endpoint-spoofing and relaying between two spoofed endpoints is just one of the possible forms of MITM attack that just happens to be required if you happen to need to open and re-pack encryption in order to eavesdrop, or if you need to modify the data.

Spoofing the two endpoints to decrypt and re-encrypt, just so that you can eavesdrop without modifying the data (other than the encryption) is certainly still "MITM". Yet all the man in the middle did was eavesdrop. Becoming two endpoints in the middle was only an implementation detail required because of the encryption.

If you are admin of one of the mail servers along the way between sender and recipient and can read all the plain SMTP messages that pass through your hands like postcards without having to decrypt or spoof endpoints, that is still MITM.

So listening to wifi is no less. There is nothing substantive that makes it any different.

For endpoint-spoofing to be required for MITM, you would have to say that MITM only applies to modifying the data, which I don't think is so. Several purely eavesdropping applications are still called MITM.

> for example, an attacker within range of an Wi-Fi access point hosting a network without encryption

The monkey in the middle doesn't get to "relay" anything either, but he can sure see it going over his head.

It's just semantics... but I'll throw my hat into the ring nevertheless:

The "eavesdropping" attack happens when you capture unencrypted packets. From there, you could either try to hijack the session by inserting yourself into the local conversation (effectively launching a "MITM" attack) or, completely independently of the local conversation, attempt to impersonate the login session (effectively launching an "impersonation" attack).

How can we capture unencrypted packets from the network? I thought you had to run tcpdump or something like that to be able to do that. But you won't be able to run tcpdump if you don't have access to the interface (source or destination), no?

I'm speaking in the context of the parent conversation ("unencrypted WiFi packets"). On wireless networks, all devices share the same "wire", so to speak. Normally that traffic is useless when captured due to encryption, but that's not the case on unencrypted (i.e. public) WiFi.

It doesn't matter if the wifi is encrypted or not. All that matters is that you share the network with an attacker. You can ARP poison just fine, encrypted or open, wifi or wired.

Well, actually... you can only successfully launch an ARP poisoning attack if you're on the same network segment as the impersonated host.

(Yes, I am indeed being pedantic on purpose to prove a point. I offer this parenthetical to you in place of an apology)
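An added example, not written by any of the commenters above, of the ARP poisoning condition this subthread ends on: ARP runs directly over Ethernet with no routing, so a forged reply only reaches hosts on the same segment, and a host on that segment can see the attack for the same reason, by watching for an IP whose MAC binding changes. The frames, addresses and helper names below (build_arp, detect_arp_poisoning, the 192.168.1.0/24 hosts) are constructed for illustration and are not any tool's real API or captured traffic.

```python
import struct

# Ethernet header: dst MAC, src MAC, EtherType. ARP body: htype, ptype,
# hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP.
ETH_HDR = struct.Struct("!6s6sH")
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP frame. Hypothetical helper used only to
    construct the sample capture below; not a real library's API."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    body = ARP_BODY.pack(1, ETHERTYPE_IPV4, 6, 4, op,
                         mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                         mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + body


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"op": op, "eth_src": bytes_to_mac(eth_src),
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


def detect_arp_poisoning(frames, trusted=None):
    """Walk frames in capture order, learn IP->MAC from the ARP sender fields
    (requests and replies both carry them), and record an alert
    (frame index, ip, reason) whenever a binding contradicts an earlier one
    or a trusted static entry. The first-seen binding is kept, not overwritten."""
    table = dict(trusted or {})
    alerts = []
    for i, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        # Sender MAC inside ARP should match the Ethernet source; a mismatch is itself suspicious.
        if mac != arp["eth_src"]:
            alerts.append((i, ip, f"ARP sender MAC {mac} does not match Ethernet source {arp['eth_src']}"))
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((i, ip, f"{ip} was {known}, now claimed by {mac}"))
    return table, alerts


# Constructed sample capture (not real traffic): the victim asks for the
# gateway, the gateway answers, then an attacker on the same segment sends an
# unsolicited reply claiming the gateway's IP with its own MAC.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:14"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # A non-ARP frame (IPv4 EtherType, padded body) that the parser must skip.
    ETH_HDR.pack(mac_to_bytes(GATEWAY_MAC), mac_to_bytes(VICTIM_MAC), ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 40,
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    table, alerts = detect_arp_poisoning(SAMPLE_FRAMES)
    for idx, ip, reason in alerts:
        print(f"frame {idx}: {reason}")
```

Run against the sample capture, only the fourth frame is flagged (the gateway IP moving to the attacker's MAC); passing a `trusted` dict of known gateway bindings makes the check catch the poisoned reply even if it happens to be the first ARP seen for that IP. The same logic applies on open, WPA-protected and wired segments alike, which is the point made above: encryption on the link does not change who can answer an ARP request on it.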