ARP resolves IP addresses to MAC addresses on a local subnet. Because ARP lacks authentication, any device can broadcast a forged reply, tricking the network into sending traffic to the attacker's machine.
By continuously sending forged ARP replies to the victim and the default gateway, the attacker inserts themselves into the communication path. All traffic now flows through the attacker before reaching its destination.
💡 Pro-tip: Enable IP forwarding on the attack machine (e.g., `echo 1 > /proc/sys/net/ipv4/ip_forward`). If disabled, you create a DoS instead of a transparent MITM.
This kernel parameter allows the Linux machine to act as a router, passing intercepted packets to their actual destination to avoid detection.
Switches can intercept ARP packets and validate them against the DHCP snooping binding table. If an ARP reply doesn't match the authorized IP-MAC binding, the switch drops it at the port level.
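The switch-side check described above, as an added example that is not part of the original page: parse raw Ethernet/ARP frames and validate the sender IP-MAC pair against a binding table (standing in for the DHCP snooping table). The MAC addresses, IPs and sample frames are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed binding table, standing in for a switch's DHCP snooping table (all values made up).
BINDINGS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # default gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",  # victim workstation
}

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_arp(oper, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (used only to construct sample traffic here)."""
    eth = struct.pack("!6s6sH", mac_bytes(tha), mac_bytes(sha), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                      IPv4Address(spa).packed, mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "oper": oper, "sha": mac_str(sha),
            "spa": str(IPv4Address(spa)), "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}

def inspect(frame, bindings=BINDINGS):
    """Switch-side check: return a drop reason for a forged ARP frame, or None if it passes."""
    arp = parse_arp(frame)
    if arp is None:
        return None                      # not ARP: outside this check's scope
    expected = bindings.get(arp["spa"])
    if expected is None:
        return f"no binding for sender IP {arp['spa']}"
    if arp["sha"] != expected:
        return f"sender {arp['spa']} claims {arp['sha']}, binding table says {expected}"
    if arp["eth_src"] != arp["sha"]:
        return "Ethernet source MAC does not match ARP sender MAC"
    return None

# Constructed samples: a legitimate gateway reply and a forged reply that re-maps the gateway IP.
GATEWAY, VICTIM, ATTACKER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:99"
LEGIT = build_arp(2, GATEWAY, "192.168.1.1", VICTIM, "192.168.1.10")
FORGED = build_arp(2, ATTACKER, "192.168.1.1", VICTIM, "192.168.1.10")

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("forged", FORGED)):
        print(name, inspect(frame) or "accepted")
```

The same check applies to requests and gratuitous ARP, since the sender fields are what poison a cache regardless of the operation code.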
⚠️ ARP poisoning only works on broadcast domains (same VLAN/subnet). It cannot be used to intercept traffic across routed boundaries unless the attacker compromises the router itself.
| Tool | Function | OS |
|---|---|---|
| arpspoof | Continuous poisoning | Linux |
| Ettercap | GUI/MITM Suite | Multi |
| BetterCAP | Modern Framework | Multi |