ARP Spoofing Lab

ARP poisoning (on-path) with arpspoof in Kali on a segmented LAN, with pre-attack Nmap recon and post-attack Wireshark analysis.

Overview

This lab walks through an end-to-end attack path on a local network:

  1. Active reconnaissance with Nmap to identify the target and infer OS details.
  2. ARP spoofing with arpspoof to position the attacker as on-path (man-in-the-middle).
  3. Traffic analysis in Wireshark to enumerate services and metadata (DNS, NetBIOS, SSDP, etc.).

Environment: Performed in a segmented lab LAN to avoid impacting production systems.

Active Reconnaissance with Nmap

Initiating the ARP Spoofing Attack (arpspoof)

With the target defined, the attacker poisons the ARP cache of the victim and/or gateway to redirect traffic through the attacker’s host.

Figure: Launching arpspoof with the target and gateway to begin the on-path position.
Figure: arpspoof attack in action; packets now traverse the attacker's host.
Figure: arpspoof attack in action (second capture); sustained poisoning while monitoring traffic.
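Added example (not part of the original lab): a small Python monitor, written for this page, that flags the two signatures this kind of poisoning leaves on the wire, a reply that answers no outstanding request and an IP whose MAC changes mid-session, with the gateway treated as the high-value mapping. The frames, IPs and MACs are constructed for the demo.

```python
"""Detect ARP cache poisoning from a stream of parsed ARP frames."""
from dataclasses import dataclass, field


@dataclass
class ArpFrame:
    op: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    gateway_ip: str
    table: dict = field(default_factory=dict)    # ip -> mac first learned
    pending: set = field(default_factory=set)    # (requester_ip, asked_ip)
    alerts: list = field(default_factory=list)   # (kind, ip, detail)

    def observe(self, f: ArpFrame) -> None:
        if f.op == 1:
            # A request is a legitimate reason for a reply to follow.
            self.pending.add((f.sender_ip, f.target_ip))
        else:
            # A reply nobody asked for is the arpspoof pattern; on its own it is
            # a weak signal (gratuitous ARP at boot/DHCP looks the same).
            key = (f.target_ip, f.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(("unsolicited-reply", f.sender_ip, f.sender_mac))
        # Strong signal: the same IP now claims a different MAC than first learned.
        known = self.table.setdefault(f.sender_ip, f.sender_mac)
        if known != f.sender_mac:
            kind = "gateway-mac-changed" if f.sender_ip == self.gateway_ip else "ip-mac-conflict"
            self.alerts.append((kind, f.sender_ip, f"{known}->{f.sender_mac}"))


# Constructed frames: victim 192.168.56.10, gateway 192.168.56.1, attacker MAC de:ad:...
SAMPLE = [
    ArpFrame(1, "aa:aa:aa:aa:aa:01", "192.168.56.10", "00:00:00:00:00:00", "192.168.56.1"),
    ArpFrame(2, "aa:aa:aa:aa:aa:fe", "192.168.56.1", "aa:aa:aa:aa:aa:01", "192.168.56.10"),
    ArpFrame(2, "de:ad:be:ef:00:99", "192.168.56.1", "aa:aa:aa:aa:aa:01", "192.168.56.10"),
    ArpFrame(2, "de:ad:be:ef:00:99", "192.168.56.10", "aa:aa:aa:aa:aa:fe", "192.168.56.1"),
]


def run_monitor(frames, gateway_ip="192.168.56.1"):
    m = ArpMonitor(gateway_ip)
    for f in frames:
        m.observe(f)
    return m.alerts
```

The last two constructed frames mirror a bidirectional poisoning (one forged reply toward the victim, one toward the gateway), so the monitor raises a conflict for each direction.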

Analyzing Captured Traffic with Wireshark

Identifying DNS Server IP Address

Figure: Wireshark, extracting the resolver IP from captured DNS packets.
Figure: Wireshark DNS enumeration, example 1: query and response details.
Figure: Wireshark DNS enumeration, example 2: additional resolver metadata.

NetBIOS and Other Host Information

SSDP Enumeration

Figure: Wireshark SSDP enumeration 1: UPnP/SSDP announcements observed on-path.
Figure: Wireshark SSDP enumeration 2: device and service hints gleaned from SSDP.

Other Host Information

Figure: additional host information from captured traffic; miscellaneous metadata useful for follow-up enumeration.