PT0-002 | Chapter 101 of 104 | Objective 3.1

ARP Spoofing and MITM Attacks

This chapter covers ARP spoofing and man-in-the-middle (MITM) attacks, a core topic in CompTIA PenTest+ PT0-002 Domain 3 (Attacks and Exploits), specifically under Objective 3.1: Given a scenario, perform a penetration test in a network environment. ARP spoofing is one of the most common and effective techniques for intercepting traffic on a local network. Expect 3–5% of exam questions to touch on ARP poisoning, MITM attacks, and related tools like Ettercap, Cain & Abel, and arpspoof.

25 min read | Intermediate | Updated May 31, 2026

ARP Spoofing as a Mail Forwarding Scam

Imagine a large office building where every employee has a mailbox, and the building's directory (the ARP cache) lists which mailbox belongs to which employee. When someone sends internal mail to 'Bob in Accounting,' the mailroom clerk looks up Bob's name in the directory and places the letter in Bob's mailbox. Now, suppose a malicious employee, Mallory, secretly swaps the nameplates on Bob's mailbox and her own. After the swap, the directory still says Bob's mailbox is #42, but #42 now belongs to Mallory. When mail arrives for Bob, the clerk delivers it to #42, and Mallory reads it. She can then either throw it away (denial of service), modify it and slip it into Bob's actual mailbox (man-in-the-middle), or just keep reading (passive sniffing). The building's directory is never updated—it still points to the correct mailbox number, but the physical box has been reassigned. This is exactly how ARP spoofing works: the attacker sends forged ARP replies to poison the target's ARP cache, associating the attacker's MAC address with the IP address of another host (like the default gateway). Traffic meant for that IP is then delivered to the attacker instead.

How It Actually Works

What is ARP Spoofing?

ARP (Address Resolution Protocol) is defined in RFC 826. Its sole purpose is to map a 32-bit IPv4 address to a 48-bit MAC (Media Access Control) address on a local network segment. When a host wants to send a packet to another host on the same LAN, it first checks its ARP cache for the target IP's MAC address. If no entry exists, it broadcasts an ARP request: "Who has 192.168.1.1? Tell 192.168.1.100." The host with that IP responds with an ARP reply containing its MAC address. The requesting host caches this mapping for a period (typically 60–300 seconds on Windows, up to 20 minutes on Linux).

ARP spoofing (also called ARP poisoning) exploits the fact that ARP is stateless—hosts accept ARP replies even without a corresponding request. An attacker sends forged ARP replies to associate their own MAC address with the IP address of a target (e.g., the default gateway). Once the victim's ARP cache is poisoned, all traffic destined for that IP is sent to the attacker instead.

How ARP Spoofing Works Internally

Let's walk through a classic MITM scenario where the attacker (192.168.1.10, MAC A) wants to intercept traffic between the victim (192.168.1.20, MAC V) and the default gateway (192.168.1.1, MAC G).

1. Initial State: Victim's ARP cache has an entry: 192.168.1.1 -> MAC G. Gateway's ARP cache has: 192.168.1.20 -> MAC V.

2. Attack Initiation: Attacker sends a forged ARP reply to the victim, claiming that 192.168.1.1 is at MAC A. Simultaneously, the attacker sends a forged ARP reply to the gateway, claiming that 192.168.1.20 is at MAC A.

3. Cache Poisoning: The victim updates its ARP cache: 192.168.1.1 -> MAC A. The gateway updates its ARP cache: 192.168.1.20 -> MAC A. Both now think the attacker is the other party.

4. Traffic Interception: When the victim sends a packet to 192.168.1.1, it is actually sent to the attacker's MAC. The attacker receives the frame, can inspect or modify it, and then forwards it to the real gateway (using the correct MAC G). The gateway sees the source IP as 192.168.1.20 but the source MAC as A; since the gateway's ARP cache says 192.168.1.20 is at MAC A, it accepts it. Similarly, return traffic from the gateway to the victim goes to the attacker first.

5. Forwarding: For the attack to be transparent, the attacker must enable IP forwarding (e.g., sysctl net.ipv4.ip_forward=1 on Linux) so that intercepted packets are relayed to the real destination. Without forwarding, the attack becomes a denial of service.

Key Components and Defaults

ARP Cache Timeout:

- Windows: Default 60–300 seconds (depends on dynamic vs. static entry).
- Linux: Default 60 seconds for incomplete entries, 20 minutes for complete entries (controlled by /proc/sys/net/ipv4/neigh/default/gc_stale_time).
- Cisco IOS: Default 4 hours for dynamic entries.

ARP Packet Structure: An ARP packet has:

- Hardware type (1 for Ethernet)
- Protocol type (0x0800 for IPv4)
- Hardware size (6 for MAC)
- Protocol size (4 for IPv4)
- Operation (1=request, 2=reply)
- Sender MAC, Sender IP, Target MAC, Target IP

Stateless Nature: ARP replies are processed even without a corresponding request. This is the fundamental vulnerability.

Gratuitous ARP: An ARP reply sent without a request, typically used to update other hosts' ARP caches when a host's MAC changes. Attackers often use gratuitous ARP to poison caches repeatedly.

Tools and Commands

- arpspoof (from the dsniff suite):

  arpspoof -i eth0 -t 192.168.1.20 192.168.1.1

  This sends forged ARP replies to the victim (192.168.1.20) claiming the gateway (192.168.1.1) is at the attacker's MAC.

- Ettercap: A comprehensive MITM tool with a GUI and CLI.

  ettercap -T -M arp:remote /192.168.1.20// /192.168.1.1//

  The -M arp:remote option enables ARP poisoning for MITM.

- Cain & Abel: Windows tool with ARP poisoning capabilities.

- Bettercap: Modern framework with an ARP spoofing module.

  bettercap -eval "set arp.spoof.targets 192.168.1.20; arp.spoof on"

Detection and Prevention

Static ARP Entries: Manually configure ARP entries for critical hosts (e.g., gateway). On Linux: arp -s 192.168.1.1 00:11:22:33:44:55. On Windows: netsh interface ipv4 set neighbors "Local Area Connection" "192.168.1.1" "00-11-22-33-44-55". This prevents poisoning but is not scalable.

ARP Spoofing Detection Tools:

- arpwatch: Monitors ARP activity and logs changes.
- Snort with the ARP spoof preprocessor.
- Wireshark: Filter on arp.duplicate-address-detected or look for multiple IPs with the same MAC.
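The packet layout listed under "ARP Packet Structure" and the detection heuristics above (arpwatch-style flip-flops, the Wireshark "one MAC, several IPs" check, and unsolicited replies) combined into one runnable monitor. This is an added example, not code from the chapter or from any tool it names; the frames and MAC addresses are constructed to match the chapter's 192.168.1.x scenario.

```python
import socket
import struct

# ARP body per RFC 826: hw type, proto type, hw len, proto len, op, sender MAC,
# sender IP, target MAC, target IP (28 bytes for Ethernet/IPv4)
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload):
    """Decode one ARP packet (the fields listed in the chapter) into a dict."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"op": op, "sha": mac(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac(tha), "tpa": socket.inet_ntoa(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Pack an ARP packet; used here only to construct the sample capture."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

class ArpMonitor:
    """arpwatch-style tracker: learns IP->MAC from replies, flags poisoning signs."""
    def __init__(self):
        self.table = {}       # ip -> MAC last announced for it
        self.pending = set()  # (asker_ip, asked_ip) requests not yet answered
        self.alerts = []

    def observe(self, payload):
        p = parse_arp(payload)
        if p["op"] == 1:                      # request: remember who asked
            self.pending.add((p["spa"], p["tpa"]))
        if p["op"] != 2:                      # only replies can poison a cache
            return
        ip, mac = p["spa"], p["sha"]
        # 1. reply that answers no outstanding request: hosts accept it anyway
        #    because ARP is stateless, which is exactly what poisoning relies on
        if (p["tpa"], ip) in self.pending:
            self.pending.discard((p["tpa"], ip))
        else:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        # 2. an IP whose MAC changed (arpwatch calls this a flip-flop)
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"flip-flop: {ip} moved {old} -> {mac}")
        self.table[ip] = mac
        # 3. one MAC now answering for several IPs (the Wireshark heuristic)
        owners = sorted(i for i, m in self.table.items() if m == mac)
        if len(owners) > 1:
            self.alerts.append(f"mac {mac} claims {owners}")

def run_demo():
    """Replay a constructed capture of the chapter's scenario: victim
    192.168.1.20, gateway 192.168.1.1, attacker 192.168.1.10 (MACs made up)."""
    G, V, A = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:10"
    frames = [
        build_arp(1, V, "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(2, G, "192.168.1.1", V, "192.168.1.20"),   # genuine answer
        build_arp(2, A, "192.168.1.1", V, "192.168.1.20"),   # poisons victim
        build_arp(2, A, "192.168.1.20", G, "192.168.1.1"),   # poisons gateway
    ]
    mon = ArpMonitor()
    for frame in frames:
        mon.observe(frame)
    return mon.alerts
```

The genuine gateway reply produces no alert; the two forged replies trip the unsolicited, flip-flop and multiple-IP checks, which is the pattern arpwatch or a Wireshark filter would surface on a real capture.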

Dynamic ARP Inspection (DAI): On Cisco switches, DAI validates ARP packets against the DHCP snooping binding table. Invalid ARP replies are dropped.

Port Security: Limits the number of MAC addresses per switch port, preventing an attacker from using multiple MACs.

802.1X: Port-based authentication prevents unauthorized devices from connecting.

Interaction with Related Technologies

DHCP Snooping: Builds a database of valid IP-MAC bindings from DHCP traffic. DAI uses this to validate ARP packets.

VLANs: ARP spoofing is limited to the same VLAN (broadcast domain). Inter-VLAN traffic must be routed, so ARP spoofing alone cannot intercept routed traffic unless the attacker is on the same VLAN as both targets.

IPv6: ARP is replaced by Neighbor Discovery Protocol (NDP), which is susceptible to similar attacks (Neighbor Advertisement spoofing).

Step-by-Step Attack Execution

1. Enable IP forwarding on the attacker machine:

   echo 1 > /proc/sys/net/ipv4/ip_forward

2. Send forged ARP replies to the victim claiming the gateway's IP:

   arpspoof -i eth0 -t 192.168.1.20 192.168.1.1 &

3. Send forged ARP replies to the gateway claiming the victim's IP:

   arpspoof -i eth0 -t 192.168.1.1 192.168.1.20 &

4. Capture traffic using a tool like Wireshark or tcpdump.

5. Optionally modify traffic (e.g., using mitmproxy or Ettercap filters).

6. Stop the attack by killing the arpspoof processes and restoring ARP caches (or letting them time out).

Walk-Through

1. Reconnaissance and Target Selection

The attacker identifies the victim's IP address and the default gateway's IP address on the same subnet. This is typically done by passive sniffing (e.g., using Wireshark to capture ARP traffic) or by using Nmap to scan the local network. The attacker must be on the same broadcast domain as both targets. The attacker also determines their own MAC address and IP address. This step is critical because ARP spoofing only works within a single VLAN—traffic between VLANs must be routed, and ARP is not used across routers.

2. Enable IP Forwarding on Attacker

The attacker enables IP forwarding on their machine so that intercepted packets are forwarded to the real destination. Without this, the victim's traffic would be dropped, causing a denial of service. On Linux, this is done by writing '1' to /proc/sys/net/ipv4/ip_forward. On Windows, the IPEnableRouter registry key must be set. On macOS, sysctl net.inet.ip.forwarding=1 is used. The attacker may also use iptables to perform NAT (transparent proxy) if they want to modify traffic.

3. Send Forged ARP Replies to Victim

The attacker sends a forged ARP reply to the victim, claiming that the gateway's IP address maps to the attacker's MAC address. This is typically done using a tool like arpspoof: `arpspoof -i eth0 -t 192.168.1.20 192.168.1.1`. The tool sends multiple ARP replies (often as gratuitous ARP) to ensure the victim's cache is poisoned and to maintain the poisoning (since ARP entries can time out). The victim will update its ARP cache with the attacker's MAC for the gateway's IP.

4. Send Forged ARP Replies to Gateway

Simultaneously, the attacker sends forged ARP replies to the gateway, claiming that the victim's IP address maps to the attacker's MAC address. This ensures that traffic from the gateway to the victim also goes through the attacker. The command is similar: `arpspoof -i eth0 -t 192.168.1.1 192.168.1.20`. Now both the victim and the gateway believe the attacker is the other party. All traffic between them will be sent to the attacker first.

5. Intercept and Forward Traffic

With ARP caches poisoned, the attacker's machine receives frames intended for both the victim and the gateway. The attacker's IP forwarding ensures these packets are routed to their actual destinations. The attacker can capture traffic using tools like tcpdump or Wireshark, or use MITM frameworks like Ettercap or Bettercap to modify packets in real-time (e.g., replacing HTTP content, injecting JavaScript, or downgrading HTTPS to HTTP). The attack remains transparent as long as forwarding works correctly.

6. Cleanup and Restore ARP Caches

After the attack, the attacker should stop the ARP spoofing tools and optionally send correct ARP replies to restore the victims' ARP caches. If not restored, the poisoning will persist until the ARP cache timeout expires (which could be minutes to hours). On Linux, the `arp` command can be used to set static entries. Alternatively, the attacker can simply stop the attack and let the caches time out naturally. Forensic analysts may detect the attack by examining ARP cache inconsistencies.

What This Looks Like on the Job

Enterprise Scenario 1: Wireless Network MITM

In a corporate environment with a guest Wi-Fi network, an attacker connects to the open SSID and performs ARP spoofing against other wireless clients. The attacker targets the default gateway (usually a wireless controller or router) and a specific victim (e.g., an employee using the guest network). The attacker uses Ettercap with the -M arp:remote MITM option to intercept HTTP traffic. Since many guests disable HTTPS or use applications with weak encryption, the attacker can capture credentials or session tokens. The enterprise can mitigate this by using Dynamic ARP Inspection (DAI) on the switch that connects the wireless access points, but DAI requires DHCP snooping, which may not be enabled on guest VLANs. Additionally, using 802.1X with per-user encryption (WPA2-Enterprise) prevents unauthorized clients from joining the network.

Enterprise Scenario 2: Data Center VLAN Hopping

In a multi-tenant data center, a malicious tenant on a shared VLAN performs ARP spoofing to intercept traffic between other tenants and their default gateway. The attacker uses arpspoof to poison the ARP cache of the gateway (a top-of-rack switch) and a victim server. The attacker then runs a packet capture to extract sensitive data like database credentials or API keys. The data center operator can prevent this by implementing Private VLANs (PVLANs) to isolate ports within the same VLAN, or by using port security to limit the number of MAC addresses per port. Dynamic ARP Inspection (DAI) on the switch would drop the forged ARP replies because the attacker's MAC-to-IP binding would not match the DHCP snooping database (assuming the attacker's IP is not from DHCP).

Scenario 3: Internal Penetration Test

A penetration tester is hired to assess the internal network security. The tester connects a laptop to a wall jack in a conference room and discovers they are on the same VLAN as the corporate file server. The tester uses Bettercap to perform ARP spoofing against the file server and the default gateway. The goal is to capture SMB traffic and attempt to crack NetNTLM hashes. The tester must ensure IP forwarding is enabled to avoid disrupting production traffic. After the test, the tester restores ARP caches using a script that sends correct ARP replies. The enterprise learns that they need to implement DAI and 802.1X to prevent such attacks. A common misconfiguration is that DAI is enabled but the DHCP snooping database is incomplete (e.g., static IPs not added), causing false positives or blocking legitimate traffic.

How PT0-002 Actually Tests This

What PT0-002 Tests on ARP Spoofing

Objective 3.1 includes performing MITM attacks using ARP poisoning. The exam expects you to know:

- The ARP protocol basics (RFC 826, stateless nature)
- How to execute ARP spoofing using tools like arpspoof, Ettercap, Cain & Abel, and Bettercap
- The need for IP forwarding to maintain connectivity
- Detection and mitigation techniques (DAI, port security, static ARP, 802.1X)
- The difference between ARP spoofing and ARP cache poisoning (often used interchangeably, but technically ARP spoofing is the act and poisoning is the result)

Common Wrong Answers

1. "ARP spoofing works across routers" – Wrong. ARP is a Layer 2 protocol and only works within the same broadcast domain (VLAN). The exam may present a scenario where the attacker is on a different subnet, and candidates mistakenly think ARP spoofing can still work.

2. "IP forwarding is optional" – Wrong. Without IP forwarding, the attack becomes a denial of service. The exam may ask what happens if IP forwarding is not enabled; the correct answer is that the victim loses connectivity to the gateway.

3. "Static ARP entries prevent all ARP spoofing" – Partially correct but not a complete solution. Static entries prevent poisoning on the host where they are configured, but they do not prevent the attacker from poisoning other hosts. The exam may ask for the best mitigation, and DAI is often the better answer.

4. "ARP spoofing can decrypt HTTPS traffic" – Wrong. ARP spoofing only intercepts traffic; it does not break encryption. However, it can enable downgrade attacks (e.g., SSL stripping) if the victim uses HTTP first.

Specific Numbers and Terms

- ARP cache timeout: Windows 60–300 seconds, Linux 20 minutes.
- Tool commands: arpspoof -i eth0 -t [target] [host], ettercap -T -M arp:remote.
- Mitigation: Dynamic ARP Inspection (DAI), DHCP snooping, port security.
- IPv6 equivalent: Neighbor Discovery Protocol (NDP) spoofing.

Edge Cases

Spoofing the gateway only: If the attacker only poisons the victim's ARP cache (claiming gateway's IP), the victim's outgoing traffic goes to the attacker, but return traffic from the gateway goes directly to the victim. This is a one-way MITM, useful for capturing outbound traffic only.

Using ARP spoofing to bypass NAC: If network access control (NAC) uses MAC authentication, the attacker can spoof the MAC of an authorized device.

How to Eliminate Wrong Answers

- If a question mentions "intercepting traffic between two hosts on different subnets," ARP spoofing is not the answer; consider DNS spoofing or a proxy.
- If a question asks what is needed to make a MITM attack transparent, the answer is IP forwarding.
- If a question asks for detection, look for "Dynamic ARP Inspection" or "ARPwatch."

Key Takeaways

- ARP spoofing exploits the stateless nature of ARP by sending forged ARP replies to associate the attacker's MAC with a target IP.
- The attack requires IP forwarding to be enabled on the attacker machine to avoid a denial of service.
- ARP spoofing only works within the same broadcast domain (VLAN); it cannot cross routers.
- Dynamic ARP Inspection (DAI) is the most effective mitigation, using DHCP snooping bindings to validate ARP packets.
- Common tools: arpspoof (dsniff), Ettercap, Cain & Abel, Bettercap.
- Detection methods include ARPwatch, Wireshark, and switch logs showing MAC-to-IP inconsistencies.
- Static ARP entries on critical hosts prevent poisoning on those hosts but do not stop the attacker from poisoning others.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

| | ARP Spoofing | DNS Spoofing |
|---|---|---|
| Layer | Layer 2 (MAC/IP mapping) | Layer 7 (domain name resolution) |
| Attacker position | Must be on the same subnet as the targets | Anywhere on the network (even remote if the DNS server is compromised) |
| What is intercepted | All traffic between two IPs | Traffic based on domain name queries |
| Mitigation | Dynamic ARP Inspection (DAI) | DNSSEC and trusted DNS servers |
| Common tools | arpspoof, Ettercap, Bettercap | dnsspoof, ettercap (dns_spoof plugin) |

Watch Out for These

Mistake: ARP spoofing only works if the attacker sends a request first.

Correct: ARP is stateless; hosts accept unsolicited ARP replies (gratuitous ARP). The attacker does not need to send a request. Sending a forged reply is sufficient to poison the cache.

Mistake: ARP spoofing can intercept traffic across a router.

Correct: ARP operates only within a single broadcast domain (VLAN). It cannot cross a router unless the attacker is on the same VLAN as both targets. For traffic between subnets, other techniques like DNS spoofing or ICMP redirects are needed.

Mistake: Enabling IP forwarding is optional for a successful MITM attack.

Correct: Without IP forwarding, the attacker's machine will drop the intercepted packets, causing a denial of service. The victim will lose connectivity to the target. For a transparent MITM, IP forwarding must be enabled.

Mistake: Static ARP entries completely prevent ARP spoofing on the network.

Correct: Static ARP entries on a single host prevent that host from being poisoned, but the attacker can still poison other hosts. To prevent ARP spoofing network-wide, Dynamic ARP Inspection (DAI) or port security must be implemented on switches.

Mistake: ARP spoofing can decrypt encrypted traffic like HTTPS.

Correct: ARP spoofing only intercepts traffic at Layer 2. It does not break encryption. However, it can facilitate SSL stripping (downgrading HTTPS to HTTP) if the victim initially connects via HTTP or if the attacker performs a certificate replacement attack.


Frequently Asked Questions

What is the difference between ARP spoofing and ARP cache poisoning?

ARP spoofing is the act of sending forged ARP packets, while ARP cache poisoning is the result (the victim's ARP cache contains incorrect entries). The terms are often used interchangeably, but technically spoofing is the attack method and poisoning is the effect.

Can ARP spoofing work on a switched network?

Yes. ARP spoofing works on switched networks because it targets the ARP cache of individual hosts, not the switch itself. The switch forwards frames based on MAC addresses, so after poisoning, the switch will deliver frames to the attacker's MAC address as if it were the legitimate host.

Why do I need to enable IP forwarding for a MITM attack?

IP forwarding allows the attacker's machine to forward intercepted packets to their real destination. Without it, the attacker would drop the packets, causing a denial of service. The victim would lose connectivity to the target, alerting them that something is wrong.

How can I detect ARP spoofing on my network?

Use tools like ARPwatch (monitors ARP activity and logs changes), Wireshark (filter for duplicate IP addresses or multiple IPs with the same MAC), or Snort with the ARP spoof preprocessor. Also, check for static ARP entries that differ from expected DHCP bindings.

What is Dynamic ARP Inspection (DAI) and how does it prevent ARP spoofing?

DAI is a Cisco switch feature that validates ARP packets against the DHCP snooping binding table. It drops ARP replies that have an invalid IP-to-MAC binding (e.g., an attacker claiming a different MAC for the gateway's IP). DAI must be enabled on VLANs where DHCP snooping is active.

Does ARP spoofing work with IPv6?

No, IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP. However, NDP is susceptible to similar attacks, such as Neighbor Advertisement spoofing (the IPv6 equivalent of ARP spoofing). Tools like parasite6 (from the THC-IPV6 toolkit) can perform these attacks.

What is the default ARP cache timeout on Windows?

The default ARP cache timeout on Windows is between 60 and 300 seconds for dynamic entries. The exact value depends on the version and configuration. After this timeout, the entry is removed and must be re-resolved. Attackers often send repeated gratuitous ARP replies to maintain poisoning.
