ARP Spoofing in Penetration Testing: Attack Demonstrations and Defense Strategies

Debunking the Myth of HTTPS Security: The Threat of ARP Spoofing

Many people assume that using HTTPS guarantees complete protection against cyber threats, and that account breaches only happen when a database is compromised. That isn’t entirely true. Even encrypted connections can be undermined by man-in-the-middle (MITM) attacks, particularly on insecure networks, such as logging into an account over an untrusted public Wi-Fi hotspot. MITM attacks involve several techniques; this article focuses on their foundational component: ARP spoofing.


What Is ARP Spoofing?

To explain ARP spoofing, we’d typically dive into Layer 2 (Data Link) and Layer 3 (Network) of the OSI model and the role of the Address Resolution Protocol (ARP). But let’s skip the jargon and simplify:

ARP Spoofing in 3 Steps:

  1. Host A wants to communicate with Host C and broadcasts an ARP request: “Who has C’s IP? Reply to A’s IP.”
  2. Host B (the attacker) floods Host A with fake replies: “C’s IP is at B’s MAC address!”
  3. Since ARP lacks authentication, Host A naively updates its ARP table, mapping C’s IP to B’s MAC.

Now, all traffic intended for Host C flows through Host B. If B enables IP forwarding, it can relay requests to C and return responses to A, allowing B to stealthily:

  • Intercept data (e.g., login credentials).
  • Hijack sessions.
  • Inject malicious scripts.
  • Replace downloaded files.

Types of ARP Spoofing

  • Host Spoofing: Targets individual devices (e.g., tricking a user’s PC).
  • Gateway Spoofing: Tricks the network gateway to capture all inbound/outbound traffic.

This guide focuses on Host Spoofing.


Tools for ARP Spoofing

Popular tools include:

  1. arpspoof: A classic tool, though some users report setup challenges (e.g., compatibility issues with target systems).
  2. Ettercap: A versatile MITM framework preinstalled in Kali Linux.
  3. Bettercap: A modern successor to Ettercap, offering enhanced features and usability.

Demo Setup: ARP Spoofing with Ettercap

Lab Environment:

  • Target Machine IP: 192.168.218.131
  • Gateway IP: 192.168.218.2

Steps:

  1. Launch Ettercap from Kali Linux’s applications menu.
  2. Configure interfaces and scan for hosts.
  3. Select the target (192.168.218.131) and gateway (192.168.218.2).
  4. Activate ARP poisoning to intercept traffic.

Why This Matters

While HTTPS encrypts data, ARP spoofing exposes vulnerabilities at the network layer. Attackers can still:

  • Capture session cookies.
  • Redirect to phishing sites.
  • Analyze metadata (e.g., visited domains).

Defense Tips:

  • Use static ARP entries for critical devices.
  • Enable ARP spoofing detection tools.
  • Avoid sensitive transactions on untrusted networks.


Ettercap interface

On this screen you can select the gateway and whether sniffing is required on this interface. Generally no changes are needed. Simply click the ✓ in the upper right corner to enter the work interface:

Work interface

Click the magnifying glass in the upper left corner to scan for live hosts in the same network segment. After the scan, click the Hosts List button to the right of the magnifying glass to view the results:

scanning results

Add the spoofing targets: add the target machine to Target 1 and the gateway to Target 2, then add the gateway to Target 1 and the target machine to Target 2. Do not mix up this order; the final result can be checked here:

Where to view the targets

Select Current targets from the target menu to see the targets:

The deception target set

After confirming that the configuration is correct, you can start the spoofing. It is started from here:

Where to start ARP poisoning

After clicking on ARP poisoning, a secondary confirmation box will appear. Simply select OK:

Secondary confirmation box

If you need to temporarily stop during ARP spoofing, there is a stop/start button in the upper left corner.

Remember to check Kali’s routing settings:

Kali’s routing settings

If forwarding is not enabled (ip_forward is 0), run this command:

echo 1 > /proc/sys/net/ipv4/ip_forward

At this point, open Wireshark on Kali and visit any website from the target machine:

Wireshark packet capture records in Kali

You can see that all of the target machine’s requests to the website have passed through Kali.

Demo Setup: ARP Spoofing with Bettercap

Kali does not have Bettercap installed by default, so you need to install it yourself:

Installing Bettercap on Kali

Some parameters that can be used when starting BetterCap:

BetterCap startup parameters

Those interested can take a look, but this is just an introduction to using BetterCap for ARP spoofing, so it won’t go into too much detail.

First, start Bettercap by entering bettercap on the command line, or specify the network interface to use:

bettercap -iface eth0

After starting Bettercap, you can obtain internal command instructions by executing the help command:

help

The arp spoofing we are going to carry out is mainly through the arp.spoof module of Bettercap. You can take a look at the help documentation for this module separately:

help arp.spoof

Set attack target:

set arp.spoof.targets 192.168.218.131

You can also set a network segment, just pass the parameters like this:

set arp.spoof.targets 192.168.218.1-10

Specific target IPs can also be listed, separated by ASCII commas:

set arp.spoof.targets 192.168.218.22,192.168.218.44

Of course, the currently set target IP can also be obtained through get:

get arp.spoof.targets

After configuring the target, ARP spoofing can be enabled:

Wireshark then shows the packets sent by the attacked host:

You can also check the gateway’s MAC address as seen from the target host:

Gateway MAC address of the target host

You can see that it has been changed to Kali’s network card address:

Kali’s network card MAC address

Of course, Bettercap has many other modules that can be combined with ARP spoofing. Those interested can find detailed tutorials, which are very helpful for penetration testing.

Defense Measures Against ARP Spoofing

There is no perfect offensive tool. Since ARP spoofing exists, there are corresponding defense measures, which can be divided into two main categories:

Gateway Defense

  • Legitimate ARP Binding: Prevents the gateway from being spoofed by binding trusted IP-MAC pairs.
  • ARP Packet Rate Limiting: Mitigates ARP flood attacks by restricting the number of ARP packets processed.

Access Device Defense

  • Gateway IP/MAC Binding: Filters forged gateway packets by binding the legitimate gateway’s IP and MAC address.
  • Legitimate User IP/MAC Binding: Filters spoofed terminal packets by binding authorized user IP-MAC pairs.
  • ARP Rate Limiting: Defends against ARP flood attacks by limiting the rate of ARP requests.
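As an added example (not code from the original article, nor from Ettercap or Bettercap), the following Python script implements the three access-device defenses just listed and the detection tool suggested under Defense Tips: it keeps gateway and user IP/MAC bindings, rejects any ARP reply whose sender MAC contradicts its binding, and rate-limits ARP traffic per sender. The lab IPs are the page’s; all MAC addresses and the sample packet list are constructed assumptions.

```python
from collections import defaultdict
ARP_REPLY = 2  # ARP opcode of an "is-at" reply; 1 is a "who-has" request

class ArpGuard:
    """Checks ARP packets against the access-device defenses described above."""
    def __init__(self, gateway_ip, gateway_mac, user_bindings, rate_limit=20):
        # Gateway IP/MAC binding plus legitimate-user IP/MAC bindings, one table.
        self.bindings = {gateway_ip: gateway_mac.lower()}
        self.bindings.update({ip: mac.lower() for ip, mac in user_bindings.items()})
        self.gateway_ip = gateway_ip
        self.rate_limit = rate_limit   # max ARP packets per sender MAC per window
        self.seen = defaultdict(int)   # sender MAC -> packets seen in this window

    def new_window(self):
        """Reset the per-sender counters; call once per rate-limit interval."""
        self.seen.clear()

    def check(self, pkt):
        """Return (accept, reason) for pkt = {"op", "sender_ip", "sender_mac"}."""
        mac = pkt["sender_mac"].lower()
        self.seen[mac] += 1
        if self.seen[mac] > self.rate_limit:   # ARP rate limiting (flood defense)
            return False, f"rate limit: {mac} exceeded {self.rate_limit} packets"
        if pkt["op"] != ARP_REPLY:             # requests carry no "is-at" claim
            return True, "request"
        expected = self.bindings.get(pkt["sender_ip"])
        if expected is None:
            return True, "no binding for sender ip"
        if expected != mac:                    # the forged reply the page describes
            role = "gateway" if pkt["sender_ip"] == self.gateway_ip else "user"
            return False, f"forged {role} reply: {pkt['sender_ip']} is-at {mac}, bound to {expected}"
        return True, "binding ok"

# Constructed sample traffic mirroring the lab IPs on this page; all MACs are
# assumptions, including KALI_MAC for the host running Ettercap/Bettercap.
GATEWAY_IP, GATEWAY_MAC = "192.168.218.2", "00:50:56:e8:aa:01"
TARGET_IP, TARGET_MAC = "192.168.218.131", "00:0c:29:11:22:33"
KALI_MAC = "00:0c:29:de:ad:01"

SAMPLE_PACKETS = [
    {"op": 2, "sender_ip": GATEWAY_IP, "sender_mac": GATEWAY_MAC},  # genuine gateway reply
    {"op": 2, "sender_ip": GATEWAY_IP, "sender_mac": KALI_MAC},     # poisoned reply to the target
    {"op": 2, "sender_ip": TARGET_IP, "sender_mac": KALI_MAC},      # poisoned reply to the gateway
    {"op": 1, "sender_ip": "192.168.218.50", "sender_mac": "00:0c:29:00:00:50"},  # plain request
]

def run_demo(packets=SAMPLE_PACKETS):
    guard = ArpGuard(GATEWAY_IP, GATEWAY_MAC, {TARGET_IP: TARGET_MAC})
    return [guard.check(p) for p in packets]
```

Fed a live capture instead of the constructed list, the second and third verdicts are exactly what the Ettercap or Bettercap poisoning runs shown earlier would trigger. On Linux the static entry recommended under Defense Tips is set with `ip neigh replace 192.168.218.2 lladdr <gateway-mac> dev eth0 nud permanent`.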

Summary

ARP spoofing is a foundational technique for many penetration methods, so it is crucial to master at least one ARP spoofing tool. Note that the goal of ARP spoofing is rarely to disconnect a target’s network entirely—unless the attacker’s machine blocks routed traffic, ARP spoofing alone cannot directly cause a disconnection.

Finally, a reminder: any unauthorized penetration activity on public networks is illegal. Do not conduct network disconnection attacks or use ARP spoofing to eavesdrop on others’ data traffic. Large enterprises today employ robust defense mechanisms, making simplistic ARP spoofing tactics ineffective and risky, as they may expose the attacker.
