Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 53: Analyzing ARP Spoofing with Wireshark

by | Jun 15, 2025 | 0 comments

Objective

Understand and analyze ARP spoofing (ARP poisoning) attacks and their impact on a network. Learn how to detect these attacks using Wireshark and explore effective countermeasures to prevent them.

Scenario

In an ARP spoofing attack, a malicious actor sends forged ARP (Address Resolution Protocol) messages to associate their MAC address with the IP address of another device (e.g., the network gateway). This allows the attacker to intercept, modify, or block network traffic. In this exercise, you’ll simulate an ARP spoofing attack using arpspoof or Ettercap, capture the traffic using Wireshark, and analyze the malicious activity.

⚠️ Important: This exercise must be performed in a legal and controlled environment. Unauthorized network attacks are illegal and unethical.

Lab Instructions

Step 1: Set Up the Network Environment

a. Configure Two Test Machines (Machine A & Machine B)

  • Machine A (Target): IP: 192.168.1.10
  • Machine B (Attacker): IP: 192.168.1.20
  • Router/Gateway: IP: 192.168.1.1

b. Assign Static IP Addresses

On both machines, configure static IP addresses to avoid changes during the attack.

Step 2: Launch the ARP Spoofing Attack

a. Install arpspoof (Attacker Machine)

sudo apt update
sudo apt install dsniff -y

b. Enable IP Forwarding (to allow traffic routing)

sudo sysctl -w net.ipv4.ip_forward=1

c. Launch the ARP Spoofing Attack

  • Redirect traffic between the target and the gateway:
sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.10
  • Explanation:
    • The attacker sends forged ARP replies to both the target and the gateway, poisoning their ARP tables.

Step 3: Capture and Analyze Traffic with Wireshark

a. Start Wireshark on the Target Machine

  • Apply the filter to capture ARP packets:
arp

b. Observe Malicious ARP Packets

  • Expected Result: ARP replies from the attacker’s MAC address mapping to the gateway’s IP address.

c. Analyze the Traffic Flow

  • Look for suspicious ARP traffic with repeated updates.
  • Identify if packets are being redirected through the attacker.

Step 4: Discuss Countermeasures

  1. Static ARP Entries:
    • Manually configure ARP entries to prevent spoofing.
    • Example (Linux):
    sudo arp -s 192.168.1.1 00:11:22:33:44:55
  2. Dynamic ARP Inspection (DAI):
    • Enable DAI on managed switches to validate ARP packets against DHCP bindings.
    • Example (Cisco Switch):
    ip dhcp snooping ip arp inspection vlan 1 interface GigabitEthernet0/1 ip arp inspection trust
  3. Encryption (HTTPS, SSH):
    • Use encrypted communication protocols to prevent attackers from reading sensitive data.
  4. Network Segmentation:
    • Segment networks to minimize attack surfaces.
  5. Intrusion Detection Systems (IDS):
    • Deploy IDS/IPS solutions to detect ARP spoofing activity.

Solution & Explanation

How ARP Spoofing Works

  • ARP (Address Resolution Protocol): Maps IP addresses to MAC addresses on a local network.
  • Attack Mechanism: An attacker sends forged ARP replies to associate their MAC address with the IP of another device (e.g., the gateway).
  • Result: The attacker intercepts or manipulates network traffic between devices.

Impact of ARP Spoofing

  1. Man-in-the-Middle (MITM): Intercept sensitive data.
  2. Session Hijacking: Take over authenticated sessions.
  3. Denial of Service (DoS): Disrupt network communication.

Effective Countermeasures

  • Static ARP Entries: Prevent unauthorized ARP changes.
  • DAI: Validates ARP packets on the network.
  • Encryption: Secures data even if intercepted.

Testing & Verification

  1. Before Mitigation:
    • Observe spoofed ARP entries in Wireshark.
    • Confirm traffic is routed through the attacker.
  2. After Mitigation:
    • Apply static ARP entries or enable DAI.
    • Re-run the attack and confirm ARP spoofing is blocked.

Verify ARP Table (Linux)

arp -a

Monitor ARP Packets in Wireshark

  • Apply filter:
arp

Security Best Practices

  1. Enable Dynamic ARP Inspection (DAI): Enforce ARP validation.
  2. Use Static ARP Entries: For critical devices.
  3. Deploy IDS/IPS: Detect ARP spoofing attempts.
  4. Encrypt Sensitive Traffic: Protect data from MITM attacks.
  5. Regular Network Audits: Identify unusual ARP behavior.

Additional Script (Optional)

Automate Static ARP Entry Configuration:

#!/bin/bash
# Add static ARP entry for gateway
sudo arp -s 192.168.1.1 00:11:22:33:44:55

echo "Static ARP entry configured."

Run the script:

chmod +x static_arp.sh
sudo ./static_arp.sh

Conclusion

In this exercise, you simulated an ARP spoofing attack using arpspoof, captured and analyzed malicious traffic with Wireshark, and explored effective mitigation strategies like static ARP entries, Dynamic ARP Inspection (DAI), and encryption. Understanding and defending against ARP spoofing is essential for securing network environments.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *