LabEx
Log InJoin For Free

Spoof ARP in Ettercap

Beginner
Practice Now

Introduction

In this lab, you will learn how to conduct ARP spoofing attacks using Ettercap, a comprehensive suite for man-in-the-middle attacks. You'll explore network device discovery with arp-scan and nmap, then practice intercepting traffic between targets through ARP poisoning.

The exercise provides practical experience in executing and monitoring ARP spoofing attacks in a controlled environment. You'll learn essential commands for each attack phase while understanding real-world security implications and mitigation techniques.

Skills Graph

Install Ettercap

In this step, you will install Ettercap, a powerful network security tool used for man-in-the-middle attacks on local area networks (LAN). Before we begin, let's understand what Ettercap does: it allows you to intercept, analyze, and modify network traffic between devices on the same network. This includes features like ARP poisoning (which we'll use in this lab), live connection sniffing, and various network analysis capabilities.

First, we need to update the package list on your Linux system. This ensures you'll install the most recent version of Ettercap available:

sudo apt update

The sudo command gives you administrator privileges, while apt update refreshes your system's list of available software packages.

Next, we'll install Ettercap with this command:

sudo apt install -y ettercap-text

Here's what's happening in this command:

  • sudo apt install is the standard way to install software on Debian/Ubuntu systems
  • The -y flag automatically says "yes" to any prompts during installation
  • We're specifically installing ettercap-text (the text-only version) because:
    1. It's more stable for our command-line environment
    2. It uses fewer system resources than the graphical version
    3. It's better suited for remote connections and automated tasks

After installation completes, let's verify everything worked correctly by checking the installed version:

ettercap --version

You should see output showing the version number and build information, similar to:

Ettercap 0.8.3.1 (built on ...)

This confirms Ettercap is properly installed and ready for use. Throughout this lab, we'll be using the text interface of Ettercap because:

  • It's more reliable in our LabEx virtual machine environment
  • It provides all the functionality we need for ARP spoofing
  • It helps you become comfortable with command-line network tools

Identify Target Devices

Before launching an ARP spoofing attack, we first need to identify potential targets on our local network. ARP spoofing works by tricking devices into thinking we're someone else on the network, so we need to know which devices are actually present. We'll use two essential network scanning tools: arp-scan for quick device discovery and nmap for more detailed information.

First, let's make sure we have the necessary tools installed. Run this command to install both utilities:

sudo apt install -y arp-scan nmap

Next, we need to determine which network interface connects us to the local network. In most cases, especially in the LabEx VM, this will be eth0. To check your available interfaces and find the correct one:

ip a

Look for the interface that has an actual IP address assigned (it won't be the loopback address 127.0.0.1). This is the interface we'll use for scanning. Now we can scan our local network to discover all connected devices:

sudo arp-scan --interface=eth0 --localnet

This command sends ARP requests to all possible IP addresses on your subnet and listens for responses. You'll see output listing all active devices, their IP addresses, MAC addresses, and sometimes manufacturer information:

192.168.1.1   00:11:22:33:44:55   Router Manufacturer
192.168.1.2   aa:bb:cc:dd:ee:ff   Target Device

For a more detailed examination of a specific target, we can use nmap. This is particularly useful to understand what services are running on the target device:

sudo nmap -sV 192.168.1.2

The -sV flag tells nmap to probe open ports and determine service/version information. Choose one device from your scan results as your target for the ARP spoofing attack (it's best practice to avoid targeting network infrastructure like routers or gateways during learning exercises).

Launch ARP Spoofing

In this step, you will use Ettercap to perform ARP spoofing between the target device and the router. ARP spoofing is a technique where an attacker sends fake ARP messages to associate their MAC address with the IP address of another device. This attack will allow you to intercept network traffic between the target and router by making them communicate through your machine.

Before starting, you need to identify three key pieces of information:

  1. Your network interface name (usually eth0 in LabEx VM)
  2. The router/gateway IP address (e.g., 192.168.1.1)
  3. The target device IP address (e.g., 192.168.1.2)

To launch the attack, open your terminal and run Ettercap in text mode with this command:

sudo ettercap -T -i eth0 -M arp:remote /192.168.1.1// /192.168.1.2//

Let's break down what each part of this command does:

  • sudo: Runs the command with root privileges (required for network operations)
  • -T: Enables text mode interface (instead of graphical)
  • -i eth0: Specifies which network interface to use
  • -M arp:remote: Activates the ARP poisoning module
  • The last two arguments specify the router and target IP addresses in format /IP// (replace these with your actual IPs)

When the attack starts successfully, Ettercap will display output showing the poisoned devices and their MAC addresses:

ARP poisoning victims:
 GROUP 1 : 192.168.1.1 00:11:22:33:44:55
 GROUP 2 : 192.168.1.2 AA:BB:CC:DD:EE:FF

To confirm the attack is working, you can check your machine's ARP table with:

arp -a

If successful, you'll see both the router and target device now show your machine's MAC address instead of their actual MAC addresses. This means all traffic between them is being routed through your system.

Capture Spoofed Traffic

In this step, you will capture and analyze the network traffic flowing between the target device and router using Wireshark and tcpdump. This will demonstrate the effectiveness of your ARP spoofing attack. When ARP spoofing is successful, all traffic between the target and router will pass through your machine, allowing you to inspect it.

First, let's install Wireshark in command-line mode. Wireshark is a powerful network protocol analyzer, and tshark is its command-line counterpart:

sudo apt install -y wireshark-common tshark

Before capturing traffic, it's good practice to create a dedicated directory for your capture files. This keeps your project organized and makes it easier to find the files later:

mkdir -p ~/project/captures

Now we'll use tcpdump to capture the actual network traffic. Open a new terminal window for this command, as it will run continuously until stopped. The -i eth0 flag specifies the network interface, and -w saves the output to a file:

sudo tcpdump -i eth0 -w ~/project/captures/spoofed_traffic.pcap

Let this run for a few minutes to capture meaningful traffic. During this time, normal network activity between the target and router will be recorded. When ready, press Ctrl+C to stop the capture.

To analyze the captured traffic, we'll use tshark. This command reads the capture file and displays a summary of all captured packets:

tshark -r ~/project/captures/spoofed_traffic.pcap

For more focused analysis, we can filter specifically for HTTP traffic. This is useful for examining web requests and responses:

tshark -r ~/project/captures/spoofed_traffic.pcap -Y "http"

Particularly important is examining POST requests, as these often contain sensitive data like login credentials. This command filters for just those requests:

tshark -r ~/project/captures/spoofed_traffic.pcap -Y "http.request.method == POST"

End the Attack

In this step, you will properly terminate the ARP spoofing attack and restore normal network operations. This is a critical step to ensure network integrity after your security testing. ARP spoofing leaves the network in an altered state, so we need to carefully undo these changes.

First, stop the Ettercap process. If you're still in the Ettercap terminal window, press q to quit gracefully. This sends a proper termination signal to Ettercap. If you closed the terminal, we need to manually find and kill the process:

sudo pkill -f ettercap

Next, we need to clear the ARP cache on your machine to remove any poisoned entries. The ARP cache stores IP-to-MAC address mappings, and during the attack, these were modified. The following command thoroughly cleans all neighbor/ARP entries:

sudo ip -s -s neigh flush all

Let's verify the ARP cache has been properly cleared. This shows us the current ARP table entries:

arp -a

The output should now show the correct MAC addresses for devices on your network, matching their actual hardware addresses. To ensure complete cleanup, we'll restart the network interface. This resets all network configurations:

sudo ifconfig eth0 down && sudo ifconfig eth0 up

Finally, verify network connectivity is fully restored by pinging your gateway. This confirms that normal network operations have resumed:

ping -c 4 192.168.1.1

You should see normal ping responses without packet loss, indicating the network is functioning properly again. If you encounter issues, you may need to restart networking services or reboot affected devices.

Summary

In this lab, you have learned how to execute ARP spoofing attacks using Ettercap's command-line interface. The exercise guided you through installing Ettercap-text, identifying network targets with arp-scan and nmap, and launching MITM attacks by poisoning ARP caches.

You practiced intercepting network traffic between spoofed devices and properly terminating attacks to restore normal operations. This lab demonstrated essential ARP poisoning techniques while highlighting the significance of network reconnaissance in cybersecurity assessments.