DNS (the UDP responses are easy to forge) is a great way to do it. You just have to be faster than the real DNS server, which might be tricky if it's local and caching.
For ARP-based attacks you'd presumably announce yourself as the owner of the default gateway's IP address, routing all data through your system.
Hijacking DHCP springs to mind; respond with an address on a completely different subnet, and your system as default gateway. Again, jackpot.
You could also install a rogue wireless access point with the same SSID, which would let you route all traffic through your system. You just need people's devices to pick yours over the real one, which would presumably require yours to have a stronger signal.
All of the above let you install a transparent proxy which gives you complete control over the target's browser's security context.
Interestingly, the rogue access point would even work with WPA(2)-PSK encrypted wifi, if you knew the key.
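A defender's view of the ARP and DHCP cases above, as an added example that is not part of the original comment: it checks observed ARP replies and DHCP offers against a known-good baseline for the LAN. The baseline values, the event record format and all sample events are constructed for illustration.

```python
import ipaddress

# Assumed site baseline (constructed values using documentation address ranges).
BASELINE = {
    "subnet": ipaddress.ip_network("192.0.2.0/24"),
    "gateway_ip": "192.0.2.1",
    "gateway_mac": "00:00:5e:00:53:01",
    "dhcp_servers": {"192.0.2.2"},
}

# Constructed observations, in a hypothetical format a LAN sensor might record.
EVENTS = [
    {"type": "arp_reply", "ip": "192.0.2.1", "mac": "00:00:5e:00:53:01"},
    {"type": "arp_reply", "ip": "192.0.2.1", "mac": "00:00:5E:00:53:AA"},
    {"type": "dhcp_offer", "server": "192.0.2.2",
     "yiaddr": "192.0.2.50", "router": "192.0.2.1"},
    {"type": "dhcp_offer", "server": "192.0.2.77",
     "yiaddr": "198.51.100.10", "router": "198.51.100.1"},
    {"type": "arp_reply", "ip": "192.0.2.50", "mac": "00:00:5e:00:53:10"},
]

def check_event(ev, base):
    """Return findings for one observation; empty list if it matches the baseline."""
    findings = []
    if ev["type"] == "arp_reply":
        # The gateway's IP should only ever be claimed by the gateway's MAC.
        if ev["ip"] == base["gateway_ip"] and ev["mac"].lower() != base["gateway_mac"]:
            findings.append(f"gateway {ev['ip']} claimed by unexpected MAC {ev['mac']}")
    elif ev["type"] == "dhcp_offer":
        if ev["server"] not in base["dhcp_servers"]:
            findings.append(f"DHCP offer from unauthorized server {ev['server']}")
        # An offered lease outside the site subnet matches the "different subnet" case.
        if ipaddress.ip_address(ev["yiaddr"]) not in base["subnet"]:
            findings.append(f"offered address {ev['yiaddr']} is outside {base['subnet']}")
        if ev["router"] != base["gateway_ip"]:
            findings.append(f"offer sets default gateway to {ev['router']}")
    return findings

def scan(events, base=BASELINE):
    """Return (event_index, finding) pairs for every deviation from the baseline."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev, base)]

if __name__ == "__main__":
    for i, finding in scan(EVENTS):
        print(f"event {i}: {finding}")
```

On managed switches the same baseline is what DHCP snooping and dynamic ARP inspection enforce in hardware, which blocks these frames instead of only reporting them.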