Simple ARP spoofing

Attack tree

1 Use an ARP spoofing tool such as Arpspoof, Cain & Abel, Arpoison, or Ettercap
    1.1 Set the tool's IP address to match the victim's IP subnet (the tool scans the network 
        to find the IP address and MAC address of all the hosts on the subnetwork) (AND)
    1.2 Select a target (AND)
    1.3 Send an ARP packet that replaces the MAC address of the target with the attacker's own 
        MAC address while keeping the IP address as is, so that packets meant for the target 
        are rerouted to the attacker (AND)
    1.4 When packets for the victim arrive, launch further attacks
        1.4.1 Associate multiple IP addresses to a single MAC address on a network (IP aliasing)
        1.4.2 Sit in between the communication between two users (MitM)
        1.4.3 Hijack session (network)
        1.4.4 Perform a DoS


# echo 1 > /proc/sys/net/ipv4/ip_forward
# arpspoof -i <interface> -t <target IP address 1> <target IP address 2>
# arpspoof -i <interface> -t <target IP address 2> <target IP address 1>


What is in a name

The terms ARP spoofing and ARP poisoning are generally used interchangeably. Technically, spoofing refers to an attacker impersonating another machine’s MAC address, while poisoning denotes the act of corrupting the ARP tables on one or more victim machines. In practice, these are both sub-elements of the same attack, and both terms are used to refer to the attack as a whole. Other terms that may be used are ARP cache poisoning and ARP table corruption.

Addressing schemes

In an ARP spoofing attack, an adversary sends spoofed ARP messages over a LAN in order to link the adversary’s MAC address with the IP address of a legitimate member of the network. Data that is intended for the host’s IP address gets sent to the adversary instead.

  • ARP spoofing can be used to steal information, modify data-in-transit or stop traffic on a LAN.

  • ARP spoofing attacks can also be used to facilitate other types of attacks, including DoS attacks, session hijacking and MitM attacks.
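
The IP-to-MAC relinking described above is visible on the wire, so a monitor can flag it. The following is an added example (not part of the original page): it parses Ethernet/IPv4 ARP payloads, keeps the first-seen binding per IP as a baseline, and reports both a changed binding and one MAC answering for several IPs (the IP aliasing case in 1.4.1). The names ArpMonitor, build_arp and parse_arp, the 192.0.2.x addresses and the MAC addresses are assumptions, and the sample packets are constructed.

```python
import struct

def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used only for the constructed samples)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip) for Ethernet/IPv4 ARP, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack("!6s4s", payload[8:18])
    return op, sha.hex(":"), ".".join(str(b) for b in spa)

class ArpMonitor:
    """Keeps the first-seen IP-to-MAC binding as baseline and reports deviations."""
    def __init__(self):
        self.baseline = {}

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None or parsed[2] == "0.0.0.0":   # malformed, or ARP probe
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.baseline.get(ip)
        if known is not None and known != mac:          # IP now answered by another MAC
            alerts.append(("binding_change", ip, known, mac))
        others = sorted(i for i, m in self.baseline.items() if m == mac and i != ip)
        if others:                                      # one MAC answering for several IPs
            alerts.append(("multi_ip", mac, ip, tuple(others)))
        self.baseline.setdefault(ip, mac)               # baseline is never overwritten
        return alerts

GW, HOST_A, HOST_C = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [  # constructed ARP replies (op 2); the last two carry HOST_C's MAC for other IPs
    build_arp(2, GW, "192.0.2.1", HOST_A, "192.0.2.10"),
    build_arp(2, HOST_A, "192.0.2.10", GW, "192.0.2.1"),
    build_arp(2, HOST_C, "192.0.2.66", GW, "192.0.2.1"),
    build_arp(2, HOST_C, "192.0.2.1", HOST_A, "192.0.2.10"),
    build_arp(2, HOST_C, "192.0.2.10", GW, "192.0.2.1"),
]

def run_sample():
    monitor = ArpMonitor()
    return [a for p in SAMPLE for a in monitor.observe(p)]
```

Because the baseline is first-seen, it has to be built while the segment is known to be clean; a legitimate NIC replacement or address reassignment will also raise binding_change and needs to be confirmed and re-baselined.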