ARPspoof is used to send fake ARP messages to a victim’s machine, tricking it into sending its traffic to the attacker’s machine or another gateway on the network. The following is the syntax used in the arpspoof tool:
# arpspoof –i [interface] -c [host ip] -t [target ip] [host ip] -r
- -i: Allows you to specify an interface.
- -c: Specify a hardware address.
- -t: Specify the target, such as the default gateway.
- host: Specify the host to intercept packets.
- -r: Allows you to capture a bidirectional flow of traffic.
To work with Arpspoof, you need to make sure it is installed. Arpspoof is a part of the dnsiff family, so if you install dnsiff, you will get arpspoof as well. You might get below error if dnsiff is not installed onto your system.
arpspoof: command not found
you may install the dnsiff package as shown below as per your choice of distribution.
| Distribution | Command |
|---|---|
| Debian | apt-get install dsniff |
| Ubuntu | apt-get install dsniff |
| Arch Linux | pacman -S dsniff |
| Kali Linux | apt-get install dsniff |
| Fedora | dnf install dsniff |
| Raspbian | apt-get install dsniff |
However, before everything works, you need to make sure IP forwarding is enabled on the box you plan to use inline. This is because, by default, the system will not forward that packet back on the wire. To accomplish this, I just make a change via sysctl:
# sysctl -w net.ipv4.ip_forward=1
Conclusion
Using arpsoof, the Pentester is able to spoof the media access control (MAC) address of the router to trick a victim, making the other user on the network believe the pentester’s machine is now the router or default gateway.