Ethical Hacking ARP Poisoning

What is Address Resolution Protocol (ARP)?

IP addresses are resolved to machine MAC addresses by a protocol called the Address Resolution Protocol (ARP). A machine finds the MAC addresses of other machines by broadcasting ARP queries on the network. ARP Poisoning is also known as ARP Spoofing.

How does ARP Work?

  • A machine consults its ARP table when it needs to communicate with another machine.
  • If the MAC address is not found in the table, an ARP_request is broadcast over the network.
  • Every machine on the network compares the IP address in the request with its own IP address.
  • If one of the machines recognises the address as its own, it responds to the ARP_request with its IP and MAC address.
  • The requesting computer stores the address pair in its ARP table and communication starts.

What is ARP Spoofing?

ARP packets can be forged to send data to the attacker’s machine.

  • ARP spoofing constructs a large number of forged ARP request and reply packets to overload the switch.
  • The switch is set in forwarding mode, and after the ARP table is flooded with spoofed ARP responses the attackers can sniff all network packets.

Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning. ARP poisoning uses Man-in-the-Middle access to poison the network.
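
A defender's view of the forged entries described above, as an added example that is not part of the original page: it parses raw Ethernet/ARP frames and flags an IP whose MAC changes or a MAC that claims several IPs. The addresses, the build_arp helper and the rule of trusting the first sighting of an IP are assumptions made for the illustration.

```python
import struct

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet+ARP frame; used only to construct the sample input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None                       # too short, or EtherType is not ARP
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def detect_poisoning(frames):
    """Flag IP->MAC bindings that change and MACs that claim several IPs."""
    bindings, claimed, alerts = {}, {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        known = bindings.setdefault(ip, mac)   # first sighting is trusted (assumption)
        if known != mac:
            alerts.append(("binding-changed", ip, known, mac))
        ips = claimed.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:              # also fires for proxy ARP / multi-homed hosts
                alerts.append(("mac-claims-many-ips", mac, sorted(ips)))
    return alerts

# Constructed sample traffic: gateway .2, victim .10, third host (all values made up).
GW, VICTIM, OTHER = "00:50:56:aa:aa:02", "00:0c:29:bb:bb:10", "00:0c:29:cc:cc:66"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build_arp(2, GW, "192.168.1.2", VICTIM, "192.168.1.10"),     # genuine reply
    build_arp(1, VICTIM, "192.168.1.10", BCAST, "192.168.1.2"),  # genuine request
    build_arp(2, OTHER, "192.168.1.2", VICTIM, "192.168.1.10"),  # forged: claims gateway IP
    build_arp(2, OTHER, "192.168.1.10", GW, "192.168.1.2"),      # forged: claims victim IP
    b"\x00" * 20,                                                # truncated junk, ignored
]

if __name__ == "__main__":
    print(*detect_poisoning(SAMPLE), sep="\n")
```

The two forged replies in the sample are the pair a poisoning of "target 1" and "target 2" produces: one host's MAC suddenly answers for both the gateway's and the victim's IP.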

What is MITM?

The Man-in-the-Middle attack (abbreviated MITM, MitM, MIM, MiM, MITMA) is an active attack in which a connection between the victims is created by impersonating the user. The malicious actor actually controls the communication, misleading the victims into believing that they are communicating with each other.


The traffic of communication between the two parties is controlled and monitored by a third person. This type of attack is prevented by protocols like SSL.

What is Ethical Hacking ARP Poisoning exercise?

In this exercise, ARP poisoning is performed with BetterCAP using VMware Workstation in a LAN environment. The VMware Workstation has Kali Linux installed, together with the Ettercap tool, which enables sniffing of the local traffic on the LAN.

The tools used for this exercise are:

  • VMware workstation
  • Kali Linux or Linux Operating system
  • Ettercap Tool
  • LAN connection

Note – This attack is possible on a local LAN in both wired and wireless networks.

Step 1 − Install VMware Workstation and the Kali Linux operating system.

Step 2 − Log in to Kali Linux using the username and password “root” and “toor”.

Step 3 – Connect to the local LAN and check the IP address by running the command ifconfig in the terminal.


Step 4 − Open the terminal and type “ettercap -G” to start the graphical version of Ettercap.


Step 5 – Click the “sniff” tab in the menu bar, select “unified sniffing” and click OK to select the interface. Use “eth0”, which is the Ethernet connection.

Step 6 − Click the “hosts” tab in the menu bar and click “scan for hosts”. Ettercap will start scanning the whole network for live hosts.

Step 7 − Click the “hosts” tab and select “hosts list” to see the number of hosts available in the network. The default gateway addresses are also included in the list.

Step 8 – Select the targets. The host machine is the target for the MITM, and the router address is the route used to forward the traffic. In an MITM attack, the network is intercepted and the packets are sniffed by the attacker. The victim is added as “target 1” and the router address as “target 2”.

In a VMware environment, the default gateway will always end with “2” because “1” is assigned to the physical machine.

Step 9 – In this scenario, target is “” and the router is “”. So target 1 is added as victim IP and target 2 as router IP.


Step 10 − Click on “MITM” and click “ARP poisoning”. Thereafter, check the option “Sniff remote connections” and click OK.

Step 11 − Click “start” and select “start sniffing”. ARP poisoning starts in the network, which means the network card is put into “promiscuous mode” and the local traffic can now be sniffed.

Note – Ettercap can sniff only HTTP traffic in this process, so HTTPS packets are not sniffed.

Step 12 − Now, if the victim logs in to some websites, the results can be seen in the toolbar of Ettercap.


This process shows clearly that ARP Poisoning has the potential to cause huge losses in company environments. Ethical hackers are needed here to protect and secure the company's networks.

Like ARP poisoning, other attacks such as MAC flooding, MAC spoofing, DNS poisoning and ICMP poisoning can also cause major loss to a network.
