MITM Attacks: ARP Spoofing/Poisoning over IPv4 - Part 1 of 2

MITM Attacks: ARP Spoofing/Poisoning over IPv4 - Part 1 of 2
9 min read

What is a MITM ARP "Man in the middle" attack?

The types of attack "Man in the middle" (MITM) or also known as "Man in the middle", consist of carrying out a passive attack technique, called: ARP Spoofing , ARP Poisoning or ARP Poison Routing (APR), and are carried out in LAN ( Local Area Network ) and WLAN ( Wireless Local Area Network ) networks.


Being connected to the same network, this attack allows us to capture all traffic directed from one or more hosts on the network to the configured gateway (Gateway) and vice versa.

So that the MAC Address ( Media Access Control Address) of the victim's gateway is not the real one, but the MAC address of the attacker. Thus, when the victim makes queries to the internet that will be requests for their gateway before they pass through the attacker's host, the attacker will let them pass to the router, the router will return the response to the attacker again and this to the victim. In this way the victim will not realize what is happening.

A detail to keep in mind is that if instead of poisoning the victim's ARP table cache with the attacker's MAC, it is poisoned with another false MAC (for example: 00:11:22:33:44:55) to the victim we will provoke a denial of service DOS ( Denial Of Service ).

Differences between Promiscuous Mode and Monitor Mode

Since this attack is used in wired networks that are routed through switch devices, the traffic is not transmitted through an open medium (such as wireless transmissions), so to capture this type of traffic in one or more hosts it is necessary perform this type of techniques such as ARP Spoofing.

With the card in promiscuous mode ( Promiscuous Mode - term used for wired networks) since monitor mode ( Monitor Mode ) would be the appropriate term for wireless networks and to be able to capture all the IVs ( Initialization Vectors). These modes, both promiscuous and monitor, refer to the same thing (but each one applying it in its proper term, depending on the area in which it is being used or treated) and what they consist of is being able to capture ALL the packets that circulate through the network, even if they are not addressed to the host that requested the request.

How is the Ethernet frame modified to perform an ARP Cache Poison?

Every MAC frame is made up in its header (or header ) of a source MAC address and a destination MAC address (at the end of the header it also shows the type of Ethernet), the payload (or body ) made up of data and the trailer (or queue ) that shows a CRC ( Cyclic Redundancy Check , error checking) or cheksum ( Verification Sum ) or FCS ( Frame Check Sequence ), this verifies if the frame has arrived correctly at its destination or not.

The most common way to create an ARP Spoofing is to create a "race condition" ( Race Condition ) that consists of the distribution of unsolicited ARP responses (by the victims), which are stored in the ARP cache of the victims or clients. .

Why is this MITM-Man in the middle attack possible?

Both “ARP request” and “ARP reply” packets do not provide any identification validation in the transaction. For this reason, this attack is made transparent to the user since the frame is not verified in any of the directions with any integrity identification mark ( ID ).

A practical and simple case of carrying out the attack with Windows.

The scenario for this practice is as follows:


IP: 10.0.0. 1

MAC: xx:xx:xx:xx: 66:00



IP: 10.0.0. 4

MAC: xx:xx:xx:xx: 96:0E - GW: 10.0.0. 1

OS: Windows XP Professional SP3 (x86)



IP: 10.0.0. 3

MAC: xx:xx:xx:xx: 1F:71

GW: 10.0.0. 1

OS: Windows 7 Ultimate SP1 (x64)

This technique does not influence the type of operating system or the architecture used, since this is at the level of network communication.  

[1] - Before carrying out the attack, we will consult the state of the network equipment. First we are going to check the attacker's MAC address with the command in Windows  ipconfig /all or simply  getmac  and we will see that the attacker's MAC is: xx:xx:xx:xx:xx:1F:71, if we ping the IP address of the victim ( and then we consult the cache of the attacker's ARP table, with the  arp -a  command so we will obtain the MAC of the victim (xx:xx:xx:xx:96:0E) and the MAC of the gateway or gateway (in this case a Router device: xx:xx:xx:xx:66:00) as you can see in the following screenshot.

[2] - Now we check how things are on the victim's side, both his IP address and his MAC Address, and the ARP table cache.

We can see how the Victim's ARP table cache contains the attacker's IP address with its corresponding MAC and the same happens with the gateway data.

Once we install and run Cain on the attacker's PC (first disable the antimalware that we have running on the PC), we will see that with this tool we can carry out almost all kinds of attacks. But I will especially focus on the mentioned APR ( ARP Poison Routing ) attack.

[3] - We go to the "Sniffer" tab and within this in the "Hosts" section, we activate the icon of the network card (previously configured for "promiscuous mode" and thus be able to capture traffic that we will obtain even though the request packets and reply are not addressed to the attacker's computer) (1), we activate the icon that is shown with an image "+" (in blue) to define the range to be scanned, in this case I am going to use a fixed shot defining a class C range (Network mask with a length of 24 bits) comprised of hosts to, click on OK (3).


We see that the IP and MAC of the gateway and the attacker coincide with the previous data consulted.

[4] - Within the "Sniffer" tab, we go to the APR section (1), and select APR in the left panel (2), so that the option of being able to add the hosts to perform APR is enabled, click on the empty or "white" area of ​​the upper-right panel and click on the icon with an image "+" (in blue) (3), a window will open (4) in which we will say that all the traffic of 10.0 .0.4 (victim) (5) that is addressed to the (gateway) (6) go first to the machine on which Cain is running, which is the attacker's machine and finally press OK (7) .

[5] - To end the attack, we simply click on the button with the yellow icon image and we will see how the victim ( is being poisoned by an ARP reply traffic not coming from the gateway with the MAC of this (xx:xx:xx:xx:6600), if not with the attacker's MAC (xx:xx:xx:xx:1F:71), thus spoofing this address in the victim's ARP table cache.


[6] - If now, with the APR already running and the victim's ARP table cache already poisoned, we perform an  arp -a query, we can see on the victim's PC that the IP address of the gateway ( ) and the attacker's IP address ( is mapped or redirected to a single same MAC address, which is the attacker's (xx:xx:xx:xx:1F:71).

Once the Man in the middle attack has been carried out, we will use a network packet sniffer such as Wireshark.

[7] - With Wireshark listening for network packet transmission, and filtering only HTTP traffic with queries to POST methods in their URL. In order to capture logins and obtain in plain text ( Plain Text ) the username and password of non-encrypted HTTP pages. In this example I show a user and password of the login of the official website of " " as an example.

http.request.method == "POST". 

We can see that the user is " AdrianLois " and the password is " zonasystem123 ".


[8] - Filtering the traffic captured by the MSNMS protocol ( MSN Messenger Service ) we will be able to see the email address of the victim as well as the email address of the user who establishes the connection with the victim.

  • The victim's email address is the destination address, displayed as " xxxx...5[at]hotmail[dot]com ".
  • The email address of the user with whom the victim establishes communication is the destination address that appears as and that we see as " xxxx...a[at]hotmail[dot]com ".


[9] - Conversations established through the MSNMS protocol used for real-time conversations via instant messaging ( IM - Instant Messaging ) with MSN Messenger. These conversations can be captured in clear text, since this protocol does NOT encrypt communications.

So we can see how the victim's IP address ( sent an instant message with the writing " wave q tal ".

In the second installment of this entry, I will explain a little: inappropriate uses or for bad purposes, legitimate uses and how to prevent yourself from techniques and tools of this type of Man in the middle attacks and MAC address spoofing.

In case you have found a mistake in the text, please send a message to the author by selecting the mistake and pressing Ctrl-Enter.
Comments (0)

    No comments yet

You must be logged in to comment.

Sign In / Sign Up