ARP spoofing and MITM — poisoning the ARP table
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on the local network. The problem: ARP has no authentication. Any machine can announce fake mappings — and the network believes them.
How ARP works normally
Host A wants to talk to 192.168.1.1:
→ Broadcast: "Who has 192.168.1.1?"
← Gateway replies: "That's me, MAC aa:bb:cc:dd:ee:ff"
Host A stores: 192.168.1.1 → aa:bb:cc:dd:ee:ffThis table (ARP cache) is not verified — any ARP reply is accepted.
ARP Spoofing: the attack
In an authorized test environment (e.g., lab 192.168.1.0/24):
Attacker sends gratuitous ARP to victim:
"192.168.1.1 (gateway) is at attacker's MAC"
Attacker sends gratuitous ARP to gateway:
"192.168.1.50 (victim) is at attacker's MAC"
Result:
Victim → [thinks it's talking to gateway] → Attacker → Gateway
Attacker sees ALL traffic: Man-in-the-Middle (MITM)Inspect the ARP table
# Linux/macOS
arp -n
# Suspicious output: two IPs sharing the same MAC
192.168.1.1 aa:bb:cc:dd:ee:ff eth0
192.168.1.50 aa:bb:cc:dd:ee:ff eth0 ← same MAC = ARP poisoningConsequences of MITM
- Reading HTTP traffic (credentials, cookies)
- Injecting content into non-HTTPS pages
- Capturing NTLMv2 hashes for offline cracking
- Downgrading HTTPS to HTTP (SSLstrip)
- Redirecting to fake pages
Defenses against ARP Spoofing
Dynamic ARP Inspection (DAI) — managed switches verify ARP replies against the DHCP snooping table:
Switch drops ARP reply if:
Announced IP ≠ IP assigned by DHCP for that MAC/portStatic ARP entries — for critical hosts (gateway, DNS):
# Linux — add a static ARP entry
sudo arp -s 192.168.1.1 aa:bb:cc:dd:ee:ffMonitoring with arpwatch:
sudo apt install arpwatch
sudo arpwatch -i eth0
# Sends email alert when an IP/MAC pair changesMandatory HTTPS — even under MITM, TLS prevents content reading if the certificate is properly validated.
Why HTTPS alone is not enough
HSTS (HTTP Strict Transport Security) prevents downgrade to HTTP. But if users ignore invalid certificate warnings, the protection collapses.
Attacker → fake certificate → victim sees "connection not secure" warning
User clicks "Proceed anyway" → MITM established even with TLSTrain users to never bypass certificate warnings.