
ARP Spoofing

Poison the network. Become the man in the middle. Intercept everything by manipulating Address Resolution Protocol tables.

Beginner | Phase 1: Network Attacks | Interactive | Dual Perspective

What is ARP Spoofing?

ARP Spoofing (also called ARP poisoning) is a network attack where an attacker sends fake ARP messages to link their MAC address with the IP address of a legitimate device (like the gateway). This allows the attacker to intercept, modify, or block network traffic.

How ARP Works (Normal):

  1. Device needs to send data: Computer A wants to talk to Computer B (knows IP, needs MAC address)
  2. Broadcast ARP request: "Who has 192.168.1.5? Tell 192.168.1.10"
  3. Target replies: "192.168.1.5 is at MAC: AA:BB:CC:DD:EE:FF"
  4. Cache and communicate: Device stores the IP-MAC mapping in its ARP cache and sends data directly

ARP Spoofing Attack

The attacker sends gratuitous ARP replies claiming to be the gateway or another host, poisoning the victim's ARP cache. ARP has no authentication, and most hosts accept unsolicited replies and overwrite the cached entry, which is what makes the attack possible.

Attack Flow:

  1. Attacker sends fake ARP reply: "192.168.1.1 (gateway) is at MAC: ATTACKER-MAC" → Victim
  2. Victim updates ARP cache: now thinks attacker's MAC = gateway IP
  3. Traffic redirected: all of the victim's internet traffic goes through the attacker first (Man-in-the-Middle)
  4. Attacker intercepts/modifies: can sniff passwords, inject malware, or deny service

ARP Spoofing Tools

Attack Tools:

  • arpspoof: Simple CLI ARP poisoning (Kali Linux)
  • Ettercap: Comprehensive MITM suite with GUI
  • Bettercap: Modern, powerful network attack framework

Detection Tools:

  • arpwatch: Monitor ARP cache changes
  • XArp: Advanced ARP spoofing detection
  • Wireshark: Detect duplicate IP/MAC announcements
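The following Python monitor is an added example, not code from this page, from arpwatch or from Wireshark. It parses raw Ethernet/ARP frames (the same layout behind the "How ARP Works" steps above) and raises the three alerts the detection tools listed here look for: a known IP moving to a new MAC, one MAC answering for several IPs, and a burst of gratuitous replies. All frames are constructed inline with the page's sample addresses; build_arp, parse_arp, ArpMonitor and run_monitor are names chosen for this example.

```python
# arpwatch-style ARP monitor over raw Ethernet/ARP frames (added example, not
# arpwatch or Wireshark code). All input is constructed in sample_frames().
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac="ff:ff:ff:ff:ff:ff"):
    """Build an Ethernet II + ARP frame; used here only to construct sample input."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype Ethernet, ptype IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ".".join(str(x) for x in body[6:10]),
        "target_ip": ".".join(str(x) for x in body[16:20]),
    }


class ArpMonitor:
    """Learns IP->MAC from observed ARP and alerts on the classic poisoning symptoms."""

    def __init__(self, flood_threshold=5):
        self.table = {}                     # ip -> MAC last seen claiming it
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
        self.gratuitous = defaultdict(int)  # mac -> count of unsolicited self-announcements
        self.flood_threshold = flood_threshold
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        # Symptom 1 (arpwatch "changed ethernet address"): a known IP moves to a new MAC.
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"changed: {ip} moved from {old} to {mac}")
        self.table[ip] = mac
        # Symptom 2 (Wireshark "duplicate IP address detected"): one MAC answers for several IPs.
        if ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            if len(self.ips_by_mac[mac]) > 1:
                self.alerts.append(f"duplicate: {mac} claims {sorted(self.ips_by_mac[mac])}")
        # Symptom 3: a flood of gratuitous replies (sender IP equals target IP).
        if p["op"] == ARP_REPLY and ip == p["target_ip"]:
            self.gratuitous[mac] += 1
            if self.gratuitous[mac] == self.flood_threshold:
                self.alerts.append(f"flood: {mac} sent {self.flood_threshold} gratuitous replies")


def sample_frames():
    """Constructed traffic: a normal request/reply, then a poisoning attempt against both hosts."""
    gw_mac, gw_ip = "00:1a:2b:3c:4d:5e", "192.168.1.1"
    pc_mac, pc_ip = "aa:bb:cc:dd:ee:ff", "192.168.1.50"
    atk_mac = "de:ad:be:ef:ca:fe"
    return [
        build_arp(ARP_REQUEST, pc_mac, pc_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, pc_mac, pc_ip, dst_mac=pc_mac),
        build_arp(ARP_REPLY, atk_mac, gw_ip, pc_mac, pc_ip, dst_mac=pc_mac),  # "gateway is at attacker"
        build_arp(ARP_REPLY, atk_mac, pc_ip, gw_mac, gw_ip, dst_mac=gw_mac),  # "victim is at attacker"
    ]


def run_monitor(frames=None):
    """Feed frames to a fresh monitor and return the alerts it raised."""
    mon = ArpMonitor()
    for frame in sample_frames() if frames is None else frames:
        mon.observe(frame)
    return mon.alerts
```

On the constructed traffic, run_monitor() returns two "changed" alerts (the gateway and the victim each move to the attacker's MAC) followed by one "duplicate" alert for the attacker's MAC claiming both IPs. In a real deployment the frames would come from a raw socket or a pcap file, and the "changed" alert needs a grace period for legitimate events such as a replaced NIC or DHCP reassignment, which is why arpwatch reports them as flip-flops rather than blocking anything.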

Defense Strategies

  • Static ARP Entries: Manually configure the gateway MAC (prevents poisoning but is hard to maintain)
  • Dynamic ARP Inspection (DAI): Switch feature that validates ARP packets against DHCP snooping bindings
  • Port Security: Limit the number of MAC addresses per switch port
  • Encryption: Use HTTPS or a VPN so traffic stays protected even if ARP is spoofed
  • Network Segmentation: VLANs reduce the attack surface
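To make concrete what Dynamic ARP Inspection checks, here is an added Python model of the DAI decision (not vendor switch code): an ARP packet arriving on an untrusted port is forwarded only if its sender IP/MAC pair appears in the DHCP snooping binding table for that port, its Ethernet source matches the ARP sender MAC, and the port is under its ARP rate limit; the uplink toward the gateway is marked trusted and bypasses the check. Ports, bindings and packets are constructed from the page's sample addresses; Binding, ArpPkt, DaiSwitch, run_scenario and run_flood are names chosen for this example. The rate limit of 15 packets per second is the Cisco default for untrusted ports; the model counts per call to new_window() rather than per second.

```python
# Dynamic ARP Inspection (DAI) in miniature: an added example modelling the
# switch-side check, not vendor code. Bindings, ports and packets are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the IP/MAC pair a lease placed behind a port."""
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpPkt:
    port: str        # ingress switch port
    eth_src: str     # Ethernet source address
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address


class DaiSwitch:
    """Validates ARP on untrusted ports against the binding table; trusted ports bypass it."""

    def __init__(self, bindings, trusted_ports=(), rate_limit=15):
        self.allowed = {}  # port -> {(ip, mac), ...}
        for b in bindings:
            self.allowed.setdefault(b.port, set()).add((b.ip, b.mac))
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit  # ARP packets per window on an untrusted port (Cisco default: 15 pps)
        self.counts = {}
        self.err_disabled = set()
        self.log = []

    def new_window(self):
        """Start a new rate-limit window (a real switch does this once per second)."""
        self.counts = {}

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one ARP packet, logging the reason for drops."""
        if pkt.port in self.err_disabled:
            return self._drop(pkt, "port is err-disabled")
        if pkt.port in self.trusted:
            return "forward"
        self.counts[pkt.port] = self.counts.get(pkt.port, 0) + 1
        if self.counts[pkt.port] > self.rate_limit:
            self.err_disabled.add(pkt.port)
            return self._drop(pkt, "ARP rate limit exceeded, port err-disabled")
        if pkt.eth_src != pkt.sender_mac:
            return self._drop(pkt, "Ethernet source does not match ARP sender MAC")
        if (pkt.sender_ip, pkt.sender_mac) not in self.allowed.get(pkt.port, set()):
            return self._drop(pkt, "no DHCP snooping binding for this IP/MAC on this port")
        return "forward"

    def _drop(self, pkt, reason):
        self.log.append(f"drop on {pkt.port}: {pkt.sender_ip} from {pkt.sender_mac}: {reason}")
        return "drop"


def scenario_switch():
    """Constructed topology: uplink to the gateway on Gi1/0/1, victim on Gi1/0/2, attacker on Gi1/0/3."""
    bindings = [
        Binding("192.168.1.50", "aa:bb:cc:dd:ee:ff", "Gi1/0/2"),
        Binding("192.168.1.100", "de:ad:be:ef:ca:fe", "Gi1/0/3"),
    ]
    return DaiSwitch(bindings, trusted_ports={"Gi1/0/1"})


def run_scenario():
    """Return the verdict for each constructed packet, in order."""
    sw = scenario_switch()
    packets = [
        ArpPkt("Gi1/0/2", "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "192.168.1.50"),   # victim, legitimate
        ArpPkt("Gi1/0/1", "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5e", "192.168.1.1"),    # gateway via trusted uplink
        ArpPkt("Gi1/0/3", "de:ad:be:ef:ca:fe", "de:ad:be:ef:ca:fe", "192.168.1.100"),  # attacker, own address
        ArpPkt("Gi1/0/3", "de:ad:be:ef:ca:fe", "de:ad:be:ef:ca:fe", "192.168.1.1"),    # attacker claims gateway IP
        ArpPkt("Gi1/0/3", "de:ad:be:ef:ca:fe", "00:1a:2b:3c:4d:5e", "192.168.1.1"),    # forged sender MAC as well
    ]
    return [sw.inspect(p) for p in packets]


def run_flood(count=20):
    """Send `count` legitimate-looking ARP packets in one window from the attacker's port."""
    sw = scenario_switch()
    pkt = ArpPkt("Gi1/0/3", "de:ad:be:ef:ca:fe", "de:ad:be:ef:ca:fe", "192.168.1.100")
    verdicts = [sw.inspect(pkt) for _ in range(count)]
    return verdicts, "Gi1/0/3" in sw.err_disabled
```

run_scenario() forwards the first three packets and drops the two in which the attacker's port claims the gateway's IP, and run_flood(20) forwards 15 packets before the port is err-disabled. The model also shows why DAI depends on DHCP snooping: a statically addressed host has no binding and would be dropped unless an ARP ACL or a static binding is added for it, which is the maintenance cost the static-entry approach above carries.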

Example Commands

arpspoof (poison victim and gateway):
  arpspoof -i eth0 -t 192.168.1.100 -r 192.168.1.1

Enable IP forwarding (to relay traffic):
  echo 1 > /proc/sys/net/ipv4/ip_forward

View ARP cache (victim machine):
  arp -a

ARP Spoofing Attack Simulator

Man-in-the-Middle via ARP Cache Poisoning

[Interactive simulator; its static content is summarized below.]

Simulated network:
  • Gateway Router: IP 192.168.1.1, MAC 00:1A:2B:3C:4D:5E
  • Attacker Machine: IP 192.168.1.100, MAC DE:AD:BE:EF:CA:FE
  • Target PC: IP 192.168.1.50, MAC AA:BB:CC:DD:EE:FF

Attack phases: Ready → Network Scanning → ARP Cache Poisoning → Traffic Interception → Attack Complete

Intercepted Traffic panel: shows traffic captured during the simulation.

🔴 RED TEAM: Attack Techniques

  • ARP Poisoning: Send gratuitous ARP replies to poison caches
  • Traffic Interception: Capture credentials, session tokens, sensitive data
  • Packet Injection: Modify requests in real-time before forwarding
  • SSL Stripping: Downgrade HTTPS to HTTP to read encrypted traffic

🔵 BLUE TEAM: Detection & Defense

  • Static ARP Entries: Manually bind critical MAC addresses
  • ARP Inspection: Enable Dynamic ARP Inspection (DAI) on switches
  • IDS Signatures: Alert on duplicate MACs or gratuitous ARP floods
  • Network Segmentation: VLAN isolation reduces attack surface
Copyright © 2025 JMFG. All rights reserved.