Arp Spoofing with arpspoof

10 Mar

Consider someone has hijacked your DNS server. That person modifies the record for “” to point to their IP address. At no additional charge, after capturing all the packets, they will kindly forward them on the the real prod_database. That would be a layer 7 to layer 3 link switcheroo.

Arp spoofing is a similar concept but instead of names to IPs, we modify the IP(layer 3) to MAC(layer 2) relationship. To demonstrate a successful spoof, I have to tell another client on my LAN that I am the gateway, and tell the gateway that I am that client.

In order to see the damage of arp spoofing you can look at your arp table while being spoofed. Type “arp -a” at a windows command prompt in order to view the contents of your arp cache. Arp spoofing is also called arp poisoning because of the false records that the tool is able to get added to a victim’s arp cache.

Using Kali Linux as the attacker, a fresh trial of Windows 2012 R2 as the victim, VMware Player, and the command line tool arpspoof I was able to successfully capture the victim’s traffic. For the traffic to flow through Kali, the first step is to turn on port forwarding. Then in step 2 and 3 we tell the subnet some lies.


The poising has started. If you want to see this traffic you can use the “arp” filter in Wireshark.


Finally, to offer some proof, I browse to Wikipedia on the victim’s machine and view the traffic on the attacker’s machine.


The defenses to this attack include SSL/TLS, OS hardening and duplicate MAC detection among other things. Unfortunately this is how some proxy like tools work and you might not be able to use all of those methods to stop the attack.


Leave a comment

Posted by on March 10, 2014 in Network Admin, Security


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: