ARP โ the Address Resolution Protocol โ is one of the most exploited protocols in networking. It operates at the boundary between Layer 2 and Layer 3, and it was designed in an era of trust. There is no authentication, no verification, and no built-in security. This makes it the perfect target for man-in-the-middle attacks on local networks. In this lesson, you will learn how ARP works and how attackers abuse it.
When a device needs to send an IP packet to another device on the same local network, it needs the destination's MAC address. ARP resolves IP addresses to MAC addresses through a simple request-reply mechanism.
ARP Resolution Process:
Host A (192.168.1.10) wants to send to Host B (192.168.1.20)
1. Host A checks its ARP cache โ No entry for 192.168.1.20
2. Host A broadcasts ARP Request:
"Who has 192.168.1.20? Tell 192.168.1.10"
(Sent to MAC ff:ff:ff:ff:ff:ff โ all devices on segment)
3. Host B receives the broadcast and responds:
"192.168.1.20 is at AA:BB:CC:DD:EE:FF"
(Sent directly to Host A's MAC address)
4. Host A caches the mapping and sends the frameARP spoofing (also called ARP poisoning) exploits the fact that ARP has no authentication. An attacker sends gratuitous ARP replies โ unsolicited responses that claim the attacker's MAC address corresponds to a legitimate IP address. Other devices on the network update their ARP caches with the false mapping, and traffic is redirected through the attacker's machine.
ARP Spoofing (Man-in-the-Middle):
Normal Traffic Flow:
Victim (192.168.1.10) โโโโโโโโโโโโโโ> Gateway (192.168.1.1)
After ARP Spoofing:
Victim โโ> Attacker (fake gateway) โโ> Gateway
Gateway โโ> Attacker (fake victim) โโ> Victim
Attacker sends:
To Victim: "192.168.1.1 is at [Attacker's MAC]"
To Gateway: "192.168.1.10 is at [Attacker's MAC]"
Now all traffic flows through the attacker, who can:
- Read unencrypted traffic (passwords, cookies)
- Modify traffic in transit
- Inject malicious contentThe classic tool for ARP spoofing is arpspoof from the dsniff package. Here is how it works in practice. First, you must enable IP forwarding on your attack machine so traffic flows through you instead of being dropped:
โ ๏ธ ARP spoofing will disrupt network connectivity for the victim if IP forwarding is not enabled on the attacker's machine. In a real penetration test, this could cause a denial-of-service condition. Always have explicit authorization and a rollback plan.
As a security professional, you also need to know how to detect and prevent ARP spoofing. This is critical for the defense side of your skill set.
| Technique | Type | Description |
|---|---|---|
| Dynamic ARP Inspection (DAI) | Prevention | Switch validates ARP packets against DHCP snooping database |
| Static ARP Entries | Prevention | Manually configured ARP entries that cannot be overwritten |
| ARPWatch | Detection | Monitors ARP traffic and alerts on suspicious changes |
| XArp | Detection | GUI-based ARP spoofing detection tool |
| 802.1X Authentication | Prevention | Port-based network access control prevents unauthorized devices |
Modern tools like bettercap automate ARP spoofing and include built-in packet sniffing, SSL stripping, and credential harvesting modules. It is the Swiss Army knife of Layer 2 attacks and is widely used in CTF competitions and authorized penetration tests.
Verify exercises to earn โ 150 XP and unlock next lab level.