ARP Spoofing Lab

ARP poisoning (on-path) with arpspoof in Kali on a segmented LAN, with pre-attack Nmap recon and post-attack Wireshark analysis.

Overview

This lab walks through an end-to-end attack path on a local network:

  1. Active reconnaissance with Nmap to identify the target and infer OS details.
  2. ARP spoofing with arpspoof to position the attacker as on-path (man-in-the-middle).
  3. Traffic analysis in Wireshark to enumerate services and metadata (DNS, NetBIOS, SSDP, etc.).

Environment: Performed in a segmented lab LAN to avoid impacting production systems.

Active Reconnaissance with Nmap

Figure: Nmap OS detection result 1. Nmap OS fingerprinting and host discovery.
Figure: Nmap OS detection result 2. Open services and protocol hints.
Figure: Nmap OS detection result 3. Confidence levels and CPE matches.

Initiating the ARP Spoofing Attack (arpspoof)

With the target defined, the attacker poisons the ARP cache of the victim and/or gateway to redirect traffic through the attacker's host.

Figure: Launching arpspoof with target and gateway. Launching arpspoof to begin the on-path position.
Figure: arpspoof attack in action, traffic flowing through the attacker. Attack in progress; packets traverse the attacker's host.
Figure: arpspoof attack in action, screenshot 2. Sustained poisoning while monitoring traffic.

Analyzing Captured Traffic with Wireshark

Identifying DNS Server IP Address

Figure: Wireshark, extracting the DNS server IP. Extracting the resolver IP from captured packets.
Figure: Wireshark, DNS server enumeration example 1. DNS enumeration details (queries/responses).
Figure: Wireshark, DNS server enumeration example 2. Additional resolver metadata.

NetBIOS and Other Host Information

Figures: Wireshark enumeration panels showing NetBIOS and other host information observed on-path.

SSDP Enumeration

Figure: Wireshark SSDP enumeration 1. UPnP/SSDP announcements observed on-path.
Figure: Wireshark SSDP enumeration 2. Device/service hints gleaned from SSDP.

Other Host Information

Figure: Additional host information from captured traffic. Miscellaneous metadata useful for follow-up enumeration.

Ways to Mitigate Against ARP Spoofing

There are a handful of network-security approaches to mitigating an ARP spoofing or man-in-the-middle attack, also called an on-path attack.

Dynamic ARP Inspection (DAI)

One of the most effective countermeasures is Dynamic ARP Inspection (DAI), a feature available on managed switches. DAI validates ARP packets against a DHCP snooping binding table. Any ARP reply that doesn't match the known IP-to-MAC mapping is dropped before it can poison a host's cache. The tool arpspoof works by flooding forged (unsolicited) ARP replies; DAI drops those replies at the switch port they arrive on, before they reach any host.

DHCP Snooping

DAI is foundationally dependent on DHCP Snooping, another feature on managed switches. DHCP snooping tracks which IP addresses were legitimately assigned to which MAC/port combinations, providing DAI with the authoritative IP-to-MAC mapping it uses to validate ARP traffic.

Static ARP Entries

Depending on the criticality of what you're trying to secure, implementing static ARP entries is another consideration. A manually configured static ARP entry cannot be overwritten by incoming ARP replies, so forged replies for that IP are effectively ignored. This is very tedious and operationally painful at scale, but highly effective for small, fixed infrastructure.

Encryption — Limiting What Interception Reveals

The packets captured in Wireshark during this lab show exactly why encryption matters. A successful on-path position was achieved, but encrypted traffic in the flow limits what's immediately useful. That said, bits and pieces of metadata can still be collected and pieced together over time; encryption is a layer of defense, not a complete fix on its own.

Protocol-Level Mitigations

  • Disable LLMNR and NetBIOS over TCP/IP via Group Policy: The Wireshark enumeration section demonstrates these protocols broadcasting host information freely across the network.
  • Restrict SSDP/UPnP: Block or disable SSDP/UPnP on network segments where it isn't needed; the SSDP enumeration section above shows how much device and service information leaks through these protocols.
  • Network Segmentation with VLANs: Limits the broadcast domain that ARP operates within, containing the blast radius of any poisoning attempt.

Detection

  • ARP Monitoring Tools (XArp, arpwatch): Alert on unexpected ARP reply floods or IP-to-MAC mapping changes in real time.
  • IDS/IPS Rules (Snort, Suricata): Can flag anomalous ARP traffic patterns consistent with poisoning attempts.
  • Switch Port Security: Can limit the number of MACs per port, disrupting some attack variations before they gain an on-path position.
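As an added example (not part of the original lab), the following Python model ties together the DAI and DHCP snooping sections above and the detection bullets: it validates a stream of constructed ARP replies against a constructed DHCP snooping binding table the way DAI does, and separately runs an arpwatch/XArp-style monitor over the same replies to raise MAC-change and reply-flood alerts. All addresses, MACs and port names are constructed sample values.

```python
from collections import Counter

# Constructed DHCP snooping binding table: IP -> (MAC, switch port), as a switch
# running DHCP snooping would have learned it from legitimate DHCP leases.
BINDINGS = {
    "192.168.56.1":  ("aa:bb:cc:00:00:01", "Gi0/1"),   # gateway
    "192.168.56.10": ("aa:bb:cc:00:00:10", "Gi0/2"),   # victim
    "192.168.56.20": ("aa:bb:cc:00:00:20", "Gi0/3"),   # attacker's host
}

# Constructed ARP replies: (sender IP, sender MAC, ingress port). The last three
# model a host on Gi0/3 repeatedly claiming the gateway's IP with its own MAC.
ARP_REPLIES = [
    ("192.168.56.1",  "aa:bb:cc:00:00:01", "Gi0/1"),
    ("192.168.56.10", "aa:bb:cc:00:00:10", "Gi0/2"),
    ("192.168.56.1",  "aa:bb:cc:00:00:20", "Gi0/3"),
    ("192.168.56.1",  "aa:bb:cc:00:00:20", "Gi0/3"),
    ("192.168.56.1",  "aa:bb:cc:00:00:20", "Gi0/3"),
]

def dai_filter(replies, bindings, trusted_ports=()):
    """Dynamic ARP Inspection: forward a reply only if its sender IP/MAC pair matches
    the binding table. Replies on trusted (uplink) ports bypass the check, which is
    why marking an access port as trusted silently defeats DAI on that port.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for ip, mac, port in replies:
        binding = bindings.get(ip)
        if port in trusted_ports or (binding is not None and binding[0] == mac):
            forwarded.append((ip, mac, port))
        else:
            dropped.append((ip, mac, port))
    return forwarded, dropped

def arpwatch_alerts(replies, flood_threshold=3):
    """Host-side monitor in the spirit of arpwatch/XArp: alert when the MAC claimed
    for an IP changes, and when one IP/MAC pair is advertised flood_threshold times."""
    seen, counts, alerts = {}, Counter(), []
    for ip, mac, _port in replies:
        if ip in seen and seen[ip] != mac:
            alerts.append(f"MAC change for {ip}: {seen[ip]} -> {mac}")
        seen[ip] = mac
        counts[(ip, mac)] += 1
        if counts[(ip, mac)] == flood_threshold:
            alerts.append(f"ARP reply flood: {ip} claimed by {mac} ({flood_threshold}x)")
    return alerts

if __name__ == "__main__":
    print("DAI dropped:", dai_filter(ARP_REPLIES, BINDINGS)[1])
    print("Monitor alerts:", arpwatch_alerts(ARP_REPLIES))
```

Without DAI the three forged replies reach the victim and the monitor is the only signal; with DAI they are dropped at the switch and the monitor never sees them.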

Core Takeaway: ARP was designed with zero authentication built in. DAI + DHCP Snooping is the only robust fix at the protocol level, along with encryption serving as the essential fallback defense for scenarios where the network layer has already been compromised.