How ARP works — and why it's flawed
Every device on a local network uses IP addresses to identify destinations, but the actual Ethernet frames that carry data are addressed using MAC addresses — the physical hardware identifiers burned into each network interface. ARP is the protocol that bridges this gap: when a host wants to communicate with an IP address on the same local network, it broadcasts an ARP request asking "who has IP 192.168.1.1? Tell me your MAC address." The host that owns that IP replies with its MAC, and the requesting device stores the mapping in its ARP cache for future use.
The fundamental flaw is that ARP has no authentication. Most stacks will accept an ARP reply they never asked for and overwrite the cached entry with whatever the latest reply claims; nothing in the packet lets the receiver verify that it came from the host that really owns the address. (Linux by default only updates an existing entry from an unsolicited reply rather than creating a new one, which is no help here because the victim already holds an entry for its gateway.) This design made sense in 1982, when RFC 826 defined ARP for trusted local area networks, but it creates a trivially exploitable weakness in any multi-user environment.
How ARP poisoning works
An attacker on the same local network segment exploits this by sending forged, unsolicited ARP replies to the targets so that they overwrite their caches. (These are often loosely called gratuitous ARP; strictly, a gratuitous ARP is a host announcing its own address, and most poisoning tools can send forged requests as well as replies, since some stacks accept those more readily.) The attack works in two steps.
First, the attacker sends a fake ARP reply to the victim's machine claiming "I am the default gateway (192.168.1.1) and my MAC address is AA:BB:CC:DD:EE:FF" (the attacker's own MAC). The victim updates its ARP cache with this false mapping. Now, all traffic the victim intends to send to the gateway instead travels to the attacker's machine.
Second, the attacker simultaneously sends a fake ARP reply to the actual gateway claiming "I am the victim's machine (192.168.1.100) and my MAC address is AA:BB:CC:DD:EE:FF." The gateway now sends return traffic to the attacker instead of the victim.
With IP forwarding enabled on the attacking host (the tools listed below do this for you), the attacker sits between the two parties and relays the traffic onward, so the connection keeps working and the attacker holds a transparent man-in-the-middle position. Because cache entries expire and the real hosts' own ARP traffic would restore the correct mappings, the forged replies are re-sent every few seconds for as long as the attack lasts; without the detection controls described below, neither the victim nor the gateway notices. Alternatively, the attacker can simply drop the forwarded traffic, creating a denial of service.
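To make the exchange concrete, here is an added example (Python standard library only; it is not code from this page or from any of the tools named below) that builds the two forged replies byte for byte per RFC 826, decodes them, and replays them against a minimal model of a host ARP cache. Nothing is put on the wire. The IPs and the attacker MAC aa:bb:cc:dd:ee:ff follow the text; the gateway and victim MACs, the ArpCache model and the function names are assumptions made for the example. The static-entry case at the end previews the defence discussed later on the page.

```python
"""Added example: ARP wire format, the two forged replies from the text,
and a minimal host ARP cache model. Nothing is sent on the wire.
Gateway/victim MACs are constructed; IPs and attacker MAC follow the text."""
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"    # constructed MAC
VICTIM_IP, VICTIM_MAC = "192.168.1.100", "00:11:22:33:44:64"    # constructed MAC
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"                               # from the text


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame (14 bytes) carrying an RFC 826 ARP packet (28 bytes)."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode the frame. Every field is attacker-controlled: nothing authenticates the sender."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpCache:
    """Host cache that, like most stacks, takes any reply at face value and keeps the latest.
    Entries marked static are never overwritten (the static-entry defence)."""
    def __init__(self):
        self.table, self.static = {}, set()

    def add_static(self, ip, mac):
        self.table[ip] = mac
        self.static.add(ip)

    def on_frame(self, frame):
        p = parse_arp(frame)
        if p["op"] == OP_REPLY and p["sender_ip"] not in self.static:
            self.table[p["sender_ip"]] = p["sender_mac"]

    def lookup(self, ip):
        return self.table.get(ip)


def poisoning_exchange():
    """(victim's MAC for gateway, gateway's MAC for victim) before and after the forged replies."""
    victim, gateway = ArpCache(), ArpCache()
    # Legitimate exchange: each side learns the other's real address.
    victim.on_frame(build_arp(OP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    gateway.on_frame(build_arp(OP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    before = (victim.lookup(GATEWAY_IP), gateway.lookup(VICTIM_IP))
    # Step 1: to the victim, "192.168.1.1 is at aa:bb:cc:dd:ee:ff".
    victim.on_frame(build_arp(OP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    # Step 2: to the gateway, "192.168.1.100 is at aa:bb:cc:dd:ee:ff".
    gateway.on_frame(build_arp(OP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    after = (victim.lookup(GATEWAY_IP), gateway.lookup(VICTIM_IP))
    return before, after


def static_entry_resists():
    """Same forged reply against a victim with a static gateway entry; returns the MAC it keeps."""
    victim = ArpCache()
    victim.add_static(GATEWAY_IP, GATEWAY_MAC)
    victim.on_frame(build_arp(OP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return victim.lookup(GATEWAY_IP)


if __name__ == "__main__":
    print(poisoning_exchange(), static_entry_resists())
```

The cache model deliberately mirrors the weakness the text describes: `on_frame` has no notion of a pending request, so the forged replies in steps 1 and 2 replace both real entries, and only the static entry survives. Real tools send the same 42-byte frames (padded to 60) on a loop so the entries never age out.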
What attackers do with a MitM position
The MitM position gained through ARP poisoning is valuable because every frame between the victim and the gateway now passes through the attacker's machine. ARP operates below IP, so the interception is independent of the application; what the attacker can actually read depends entirely on whether each protocol encrypts its own payload:
- Cleartext HTTP credentials: Login forms submitted over HTTP send usernames and passwords in plaintext inside the POST request body. Completely readable.
- Session cookie theft: Even if a site uses HTTPS for login, session cookies transmitted over HTTP (missing the Secure flag) are visible and can be stolen to hijack authenticated sessions without knowing the password.
- SSL stripping: Tools like sslstrip exploit the fact that many sites are first reached over plain HTTP and only then redirect to HTTPS. The tool answers the victim's HTTP request itself, fetches the page over HTTPS from the real server, and rewrites https:// links to http://, so the victim's browser never starts a TLS handshake while the server sees a normal encrypted session. HSTS, especially with the browser preload list, defeats this because the browser refuses to talk HTTP to the site at all.
- Legacy protocol credentials: FTP sends credentials in cleartext. Telnet sends entire sessions in cleartext. HTTP Basic authentication and SMTP, IMAP or POP3 AUTH PLAIN/LOGIN without STARTTLS send credentials base64-encoded (not encrypted). These are trivially captured and decoded.
On an unsegmented office network, an attacker with a single laptop running Bettercap can silently capture every employee's HTTP passwords, FTP credentials, and unencrypted emails — without touching any other device. This is why network segmentation and encryption-in-transit are non-negotiable.
Attack tools
ARP poisoning is straightforward to execute with freely available tools included in Kali Linux. The most common are Ettercap (a long-standing network interception suite with a GUI), Bettercap (a modern, modular framework that combines ARP spoofing with credential sniffing, SSL stripping, and more), and arpspoof (a simple command-line tool from the dsniff suite for basic ARP cache poisoning).
In CEH v13, students perform ARP poisoning exercises in authorised lab environments using these tools — not to exploit real systems, but to understand the attack from the attacker's perspective so they can design effective defences. Understanding the tool is inseparable from understanding the defence.
Detection and prevention
ARP poisoning is well understood and entirely preventable on modern infrastructure. The defences range from highly effective single-configuration changes to layered architectural controls:
- Dynamic ARP Inspection (DAI): A feature of most enterprise-grade managed switches. With DHCP snooping enabled, the switch builds a binding table recording which IP/MAC pair was leased on which port and VLAN; DAI then checks every ARP packet arriving on an untrusted port against that table and drops any whose sender IP/MAC pair does not match (statically addressed hosts are covered with an ARP ACL, and uplinks and the gateway port are marked trusted). It is a few lines of switch configuration per VLAN rather than a single command, but once it is on, forged replies never reach the other hosts on that segment. This is the most effective single control.
- Static ARP entries: Manually configure permanent entries for critical hosts (default gateway, domain controllers, DNS servers), for example with arp -s on Windows or ip neigh replace ... nud permanent on Linux. Static entries are not overwritten by spoofed replies. Practical for a handful of critical hosts but unscalable for large environments, and every gateway hardware replacement means touching every client.
- VLANs and network segmentation: ARP is a Layer 2 protocol; its requests and replies stay inside one broadcast domain, so an attacker can only poison caches within their own VLAN. Segmenting users, servers, and management traffic into separate VLANs dramatically limits the blast radius, and private VLANs or port isolation can further stop clients on the same VLAN from reaching each other directly.
- HTTPS everywhere: Even if an attacker achieves a MitM position, properly implemented HTTPS with valid certificates prevents credential theft because the payload is encrypted; an attacker who substitutes a certificate triggers a browser warning, and with HSTS that warning cannot be clicked through. HSTS (ideally preloaded) also closes the SSL-stripping window, and the Secure flag on cookies stops them leaking over HTTP.
- IDS rules for ARP anomalies: Tools like Arpwatch keep a history of IP-to-MAC pairings and alert when an IP's MAC changes ("changed ethernet address") or keeps alternating between two MACs ("flip flop"), the classic ARP poisoning signature. A single MAC suddenly claiming the gateway's IP in addition to its own is another tell, and the same check can be run from the host side by polling the ARP table and comparing the gateway's MAC against a known-good value.
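The two network-side controls above, DAI and Arpwatch-style monitoring, as an added example in Python. This is a model written for this page, not switch vendor code or Arpwatch's own source: the port names, VLAN number, binding table and gateway/victim MACs are constructed, while the IPs and the attacker MAC aa:bb:cc:dd:ee:ff follow the text. The DAI logic follows the documented behaviour: ARP on trusted ports passes, ARP on untrusted ports must match a DHCP snooping binding for that VLAN and port, and with source-MAC validation the Ethernet source must equal the ARP sender MAC.

```python
"""Added example (not vendor code): a model of Dynamic ARP Inspection and
an Arpwatch-style monitor run over a constructed sequence of ARP replies."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpObs:
    """One ARP reply as the switch or a sniffer sees it."""
    port: str        # ingress switch port
    vlan: int
    eth_src: str     # Ethernet source address of the frame
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address


# DHCP snooping binding table, (vlan, port) -> {(ip, mac)} learned from DHCP ACKs.
# Constructed for the example; the attacker holds a legitimate lease for .200 only.
BINDINGS = {
    (10, "Gi1/0/5"): {("192.168.1.100", "00:11:22:33:44:64")},  # victim
    (10, "Gi1/0/9"): {("192.168.1.200", "aa:bb:cc:dd:ee:ff")},  # attacker's own lease
}
TRUSTED_PORTS = {"Gi1/0/24"}  # uplink to the gateway; DAI does not inspect it


def dai_check(obs, bindings=BINDINGS, trusted=TRUSTED_PORTS, validate_src_mac=True):
    """Return ('permit' | 'drop', reason) the way DAI decides for one ARP packet."""
    if obs.port in trusted:
        return "permit", "trusted port"
    # Optional source-MAC validation: frame source must equal the ARP sender MAC.
    if validate_src_mac and obs.eth_src.lower() != obs.sender_mac.lower():
        return "drop", "ethernet source does not match ARP sender MAC"
    if (obs.sender_ip, obs.sender_mac.lower()) in bindings.get((obs.vlan, obs.port), set()):
        return "permit", "matches DHCP snooping binding"
    return "drop", f"no binding for {obs.sender_ip}/{obs.sender_mac} on {obs.port}"


class ArpWatch:
    """Arpwatch-style history: alert when an IP's MAC changes or one MAC claims several IPs.
    (Hosts with secondary addresses legitimately trigger the second rule; tune an allowlist.)"""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = {}

    def observe(self, obs):
        alerts = []
        mac = obs.sender_mac.lower()
        old = self.ip_to_mac.get(obs.sender_ip)
        if old is not None and old != mac:
            alerts.append(f"changed ethernet address {obs.sender_ip} {old} -> {mac}")
        self.ip_to_mac[obs.sender_ip] = mac
        ips = self.mac_to_ips.setdefault(mac, set())
        ips.add(obs.sender_ip)
        if len(ips) > 1:
            alerts.append(f"{mac} now claims {sorted(ips)}")
        return alerts


# Constructed traffic: the legitimate replies, then the two forgeries from the text.
TRAFFIC = [
    ArpObs("Gi1/0/24", 10, "00:11:22:33:44:01", "00:11:22:33:44:01", "192.168.1.1"),   # real gateway
    ArpObs("Gi1/0/5", 10, "00:11:22:33:44:64", "00:11:22:33:44:64", "192.168.1.100"),  # real victim
    ArpObs("Gi1/0/9", 10, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "192.168.1.200"),  # attacker's own IP
    ArpObs("Gi1/0/9", 10, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "192.168.1.1"),    # step 1 forgery
    ArpObs("Gi1/0/9", 10, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "192.168.1.100"),  # step 2 forgery
]


def run_dai(traffic=TRAFFIC):
    """Verdict per packet; both forgeries are dropped because port Gi1/0/9 only has a lease for .200."""
    return [dai_check(o)[0] for o in traffic]


def run_watch(traffic=TRAFFIC):
    """Alerts an Arpwatch-style monitor would raise on a segment without DAI."""
    watch = ArpWatch()
    return [alert for o in traffic for alert in watch.observe(o)]


if __name__ == "__main__":
    print(run_dai())
    print("\n".join(run_watch()))
```

Run as a script it shows the two sides of the same event: with DAI the forged replies are dropped at the ingress port and never reach the victim or gateway, while on an unprotected segment the monitor sees the gateway's address change and the attacker's MAC accumulate three IPs.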