**Hands-on demonstration of Man-in-the-Middle attacks using ARP Poisoning and DHCP Spoofing techniques in a controlled virtual lab environment — with full packet-level verification and mitigation strategies.**
- 🧠 Overview
- 🖥️ Lab Environment
- ⚡ Attack 1 — ARP Poisoning MitM
- ⚡ Attack 2 — DHCP Spoofing
- 🛡️ Mitigation Strategies
- 🛠️ Tools and Technologies
- ⚠️ Disclaimer
## 🧠 Overview

This lab demonstrates two critical Layer 2 network attacks commonly exploited in penetration testing:

| 🎯 Attack | Protocol Abused | Impact |
|---|---|---|
| ARP Poisoning | ARP (Layer 2) | Full traffic interception between two hosts |
| DHCP Spoofing | DHCP (Layer 3) | Rogue gateway and DNS assignment to network clients |
Both attacks were executed in an isolated virtual lab using VMware and EVE-NG, with full packet-level verification via Wireshark.
## 🖥️ Lab Environment

### Network Topology — ARP Poisoning

| Role | Host | Address |
|---|---|---|
| 💀 Attacker | Kali Linux | 192.168.23.129 |
| 🖥️ Victim 1 | Windows 7 | 192.168.23.135 |
| 🖥️ Victim 2 | Windows 10 | 192.168.23.136 |
| ⚙️ Hypervisor | VMware Workstation | |
| 🐛 Tool | Ettercap 0.8.4 | |

### Network Topology — DHCP Spoofing

| Role | Host | Address |
|---|---|---|
| 🖧 DHCP Server | R1 (EVE-NG) | 150.1.7.103/24 |
| 💻 DHCP Client | R2 (EVE-NG) | Dynamic |
| 🌐 VMNet GW | VMNet1 | 150.1.7.100/24 |
| 💀 Attacker | Parrot OS | ens34 |
| ☠️ Rogue Pool | | 150.1.7.200-250 |
| 🐛 Tool | Ettercap 0.8.3.1 | |

## ⚡ Attack 1 — ARP Poisoning MitM

```text
NORMAL TRAFFIC FLOW:
Win7 (135) ─────────────────────────────► Win10 (136)

AFTER ARP POISONING:
Win7 (135) ──► 💀 Kali Attacker (129) ──► Win10 (136)
                            │
                 👁️ All traffic intercepted
                    before forwarding
```

The attacker sends forged ARP Reply packets to both victims:
- To Win7 — "192.168.23.136 is at [Attacker MAC]"
- To Win10 — "192.168.23.135 is at [Attacker MAC]"
Both victims update their ARP cache with the wrong MAC, routing all traffic through the attacker.
📌 Confirm all three machines are on the same subnet before launching.

- 🖥️ Victim 2 — Windows 10: IP `192.168.23.136`, gateway `192.168.23.2`
- 🖥️ Victim 1 — Windows 7: IP `192.168.23.135`
- 💀 Attacker — Kali Linux: `eth0` `192.168.23.129`, `eth1` `150.1.7.101`

📌 All machines must ping each other successfully before the attack.

**Kali pinging both victims** — Kali reaches Win7 (`.135`) and Win10 (`.136`); all reachable.

**Win7 → Win10**

**Win10 → Win7**

📌 Enable IP forwarding on Kali. Without this, victims lose connectivity and the attack is instantly detected.

```bash
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
# output must be: 1
```

Value confirmed as `1` — forwarding active ✔️

📌 Document the correct ARP state before poisoning for comparison.

**Win7 ARP Table — Before Attack** — legitimate MAC addresses mapped correctly

**Kali ARP Table — Before Attack**

```bash
ettercap -G
```

📌 Launch the Ettercap GUI → interface `eth0` → Unified Sniffing → Host Scan

**Ettercap launched** — Ettercap 0.8.4 started, unified sniffing on `eth0`

🔍 Host Scan Results — 5 hosts discovered on the network

🎯 Targets Assigned — `192.168.23.135` → Target 1 | `192.168.23.136` → Target 2

Then: MITM → ARP Poisoning → OK → Start Sniffing 🚀

🚨 Both victims now have the attacker's MAC instead of each other's.

**Win7 ARP Table — AFTER (Poisoned)** — Win10's IP (`192.168.23.136`) now maps to the attacker's MAC `00:0C:29:D6:40:F4`

☠️ **Win10 ARP Table — AFTER (Poisoned)** — Win7's IP (`192.168.23.135`) now maps to the attacker's MAC — poison confirmed 🔴

**ICMP traffic intercepted on Kali** — ICMP packets between `.135` and `.136` fully visible on Kali — full interception confirmed 🔴

**Forged ARP Replies** — Wireshark display filters:

- `arp.opcode == 2` — continuous forged ARP replies from the attacker
- `arp.duplicate-address-detected` — confirms the ARP conflict caused by poisoning

| 🔍 Observation | Before Attack | 😈 After Attack |
|---|---|---|
| Win7 ARP entry for Win10 | Correct MAC | Attacker's MAC |
| Win10 ARP entry for Win7 | Correct MAC | Attacker's MAC |
| Wireshark ICMP on Kali | Not visible | Fully visible |
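The two "after" rows of the table are exactly what a host-side ARP monitor (the XArp row of the mitigation table) keys on: an IP whose MAC suddenly changes, and one MAC that claims two IPs at once. The following Python script is an added example, not part of the original lab or of Ettercap/XArp; it parses raw Ethernet/ARP frames and raises those two alerts. The attacker MAC `00:0c:29:d6:40:f4` is the one reported above; the victim MACs and the frames themselves are constructed for the example.

```python
"""ARP cache-poisoning detector over raw Ethernet/ARP frames (added example).

Implements the check a tool such as XArp performs: remember the IP-to-MAC
binding seen in each ARP reply and alert when a binding changes or when one
MAC claims several IPs, the pattern the lab's forged replies produce. The
frames are constructed to mirror the lab addresses; the victim MACs are
made-up values for the example.
"""
import struct
from collections import defaultdict

ARP_REPLY = 2
ATTACKER_MAC = "00:0c:29:d6:40:f4"   # reported in the write-up
WIN7_MAC = "00:0c:29:aa:aa:aa"       # constructed for the example
WIN10_MAC = "00:0c:29:bb:bb:bb"      # constructed for the example
WIN7_IP, WIN10_IP = "192.168.23.135", "192.168.23.136"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return opcode, smac, sip


class ArpMonitor:
    """Passive monitor: learns bindings from replies, reports anomalies."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, frame):
        """Feed one frame; return the list of alerts it raised (empty if benign)."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, smac, sip = parsed
        alerts = []
        known = self.ip_to_mac.get(sip)
        if known is not None and known != smac:
            alerts.append(f"binding change: {sip} was {known}, now claimed by {smac}")
        self.ip_to_mac[sip] = smac
        self.mac_to_ips[smac].add(sip)
        if len(self.mac_to_ips[smac]) > 1:
            alerts.append(f"one MAC claims several IPs: {smac} -> {sorted(self.mac_to_ips[smac])}")
        return alerts


def run_lab_scenario():
    """Replay the lab: two legitimate replies, then the two forged ones."""
    baseline = [
        build_arp_reply(WIN7_MAC, WIN7_IP, WIN10_MAC, WIN10_IP),
        build_arp_reply(WIN10_MAC, WIN10_IP, WIN7_MAC, WIN7_IP),
    ]
    poison = [
        build_arp_reply(ATTACKER_MAC, WIN10_IP, WIN7_MAC, WIN7_IP),   # to Win7: ".136 is at attacker"
        build_arp_reply(ATTACKER_MAC, WIN7_IP, WIN10_MAC, WIN10_IP),  # to Win10: ".135 is at attacker"
    ]
    mon = ArpMonitor()
    baseline_alerts = [a for f in baseline for a in mon.observe(f)]
    poison_alerts = [a for f in poison for a in mon.observe(f)]
    return baseline_alerts, poison_alerts


if __name__ == "__main__":
    before, after = run_lab_scenario()
    print("baseline alerts:", before)
    for alert in after:
        print("ALERT:", alert)
```

The baseline replies produce no alerts; the two forged replies produce three (two binding changes plus the attacker MAC claiming both victims). In a real deployment, feed `observe()` from a raw socket or a pcap reader, and expect the "several IPs" rule to need an allowlist for routers and other hosts that legitimately answer for more than one address.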
## ⚡ Attack 2 — DHCP Spoofing

```text
NORMAL DHCP FLOW:
Client (R2) ──DISCOVER──► Legitimate Server R1
Client (R2) ◄──OFFER──── R1 assigns: 150.1.7.111

DHCP SPOOFING FLOW:
Client (R2) ──DISCOVER──► R1 [too slow ❌]
                    └──► 💀 Ettercap [wins race ✔️]
Client (R2) ◄──fake OFFER── Attacker assigns: 150.1.7.200
                            Gateway: Attacker IP ☠️
                            DNS:     Attacker IP ☠️
```

Ettercap responds faster than the real server. The client accepts the first OFFER — attacker wins the race.
R1 (legitimate DHCP server):

```text
Router(config)# interface e0/0
Router(config-if)# ip address 150.1.7.103 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip dhcp excluded-address 150.1.7.1 150.1.7.110
Router(config)# ip dhcp pool LAN
Router(dhcp-config)# network 150.1.7.0 255.255.255.0
Router(dhcp-config)# default-router 150.1.7.103
Router(dhcp-config)# dns-server 8.8.8.8
```

R1 pool: `150.1.7.0/24` | Gateway: `.103` | DNS: `8.8.8.8`

R2 (DHCP client):

```text
Router(config)# interface e0/0
Router(config-if)# ip address dhcp
Router(config-if)# no shutdown
```

**R2 receives legitimate IP from R1** — `show ip interface brief` shows R2 got `150.1.7.111` from R1 ✔️

```bash
sudo ettercap -G
```

📌 Set interface to `ens34` → Enable Unified Sniffing

Ettercap 0.8.3.1 launched on Parrot OS — `ens34`

3 hosts found: `150.1.7.100` (VMNet1) | `150.1.7.103` (R1 — DHCP server) | `150.1.7.111` (R2 — client)

📌 MITM → DHCP Spoofing → Configure rogue pool

- 🎯 IP Pool: 150.1.7.200-250
- 🌐 Netmask: 255.255.255.0
- ☠️ DNS Server: 150.1.7.101 ← attacker's IP

Rogue DHCP pool ready — Ettercap now listening for DISCOVER packets

Force R2 to renew its lease:

```text
Router(config)# interface e0/0
Router(config-if)# shutdown
Router(config-if)# no shutdown
```

Interface cycled — R2 broadcasts a fresh DHCP DISCOVER 📢

☠️ **Rogue IP Assigned** — `show ip interface brief` shows R2 now has `150.1.7.200` via DHCP from the attacker — attack successful 🔴

**Ettercap DHCP Exchange Log**

```text
DHCP: DISCOVER from R2
DHCP spoofing: fake OFFER → offering 150.1.7.200
DHCP: REQUEST 150.1.7.200
DHCP spoofing: fake ACK → assigned 150.1.7.200 ✔️
```

Full DORA sequence intercepted — DISCOVER → OFFER → REQUEST → ACK ☠️

| | Legitimate (Before) | After Spoofing |
|---|---|---|
| 🌐 R2 IP Address | 150.1.7.111 from R1 | 150.1.7.200 from attacker |
| 🚪 Gateway | 150.1.7.103 | 150.1.7.101 (attacker) |
| 🔍 DNS Server | 8.8.8.8 | 150.1.7.101 (attacker) |
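Everything in the "After Spoofing" column is visible on the wire before R2 accepts it: the OFFER carries the server identifier (option 54), the offered address, the router (option 3) and the DNS server (option 6). The following Python script is an added example, not part of the original lab or of any IDS product; it decodes raw BOOTP/DHCP payloads, flags OFFERs whose server identifier is not on an allowlist, and reports transactions answered by more than one server (the race the diagram above shows and the IDS/IPS row of the mitigation table refers to). The allowlist containing only R1 is an assumption, and both OFFERs are constructed to match the lab values.

```python
"""Rogue DHCP OFFER auditor over raw BOOTP/DHCP payloads (added example).

Decodes the UDP payload of a DHCP message, checks each OFFER's server
identifier against an allowlist, and flags a race when two servers answer
the same transaction id. The OFFERs are constructed to match the lab: R1 at
150.1.7.103 offering .111, the rogue server at 150.1.7.101 offering .200
with gateway and DNS pointed at itself. The allowlist is an assumption.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass, field

DHCP_OFFER = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
TRUSTED_DHCP_SERVERS = {"150.1.7.103"}   # R1 only (assumed allowlist)
ZERO_IP = b"\x00\x00\x00\x00"


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b[:4])


def build_offer(xid, server_ip, your_ip, router, dns):
    """Constructed DHCP OFFER: 236-byte BOOTP header, magic cookie, options."""
    chaddr = b"\x00\x50\x79\x66\x68\x00"   # constructed client MAC
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, xid, 0, 0,
                      ZERO_IP, ip_bytes(your_ip), ip_bytes(server_ip), ZERO_IP,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, DHCP_OFFER])
            + bytes([54, 4]) + ip_bytes(server_ip)
            + bytes([3, 4]) + ip_bytes(router)
            + bytes([6, 4]) + ip_bytes(dns)
            + bytes([51, 4]) + struct.pack("!I", 86400)
            + b"\xff")
    return hdr + MAGIC_COOKIE + opts


def parse_dhcp(pkt):
    """Return (xid, yiaddr, {option_code: raw_value}) or None if not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    xid = struct.unpack("!I", pkt[4:8])[0]
    yiaddr = ip_str(pkt[16:20])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                          # 0 = pad
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return xid, yiaddr, opts


@dataclass
class OfferVerdict:
    xid: int
    server_id: str
    offered_ip: str
    router: str
    dns: str
    reasons: list = field(default_factory=list)

    @property
    def rogue(self):
        return bool(self.reasons)


def audit_offer(pkt):
    """Audit one DHCP OFFER; returns None for non-OFFER messages."""
    parsed = parse_dhcp(pkt)
    if parsed is None:
        return None
    xid, yiaddr, opts = parsed
    if opts.get(53, b"")[:1] != bytes([DHCP_OFFER]):
        return None
    v = OfferVerdict(xid, ip_str(opts.get(54, ZERO_IP)), yiaddr,
                     ip_str(opts.get(3, ZERO_IP)), ip_str(opts.get(6, ZERO_IP)))
    if v.server_id not in TRUSTED_DHCP_SERVERS:
        v.reasons.append(f"server identifier {v.server_id} is not an approved DHCP server")
        if v.router == v.server_id:
            v.reasons.append("default gateway points at the untrusted server itself")
        if v.dns == v.server_id:
            v.reasons.append("DNS server points at the untrusted server itself")
    return v


def competing_servers(pkts):
    """Map xid -> set of server ids for transactions answered by more than one server."""
    by_xid = defaultdict(set)
    for pkt in pkts:
        v = audit_offer(pkt)
        if v is not None:
            by_xid[v.xid].add(v.server_id)
    return {xid: ids for xid, ids in by_xid.items() if len(ids) > 1}


def run_lab_scenario():
    """R1's OFFER and the attacker's OFFER for the same DISCOVER (same xid)."""
    xid = 0x2A3B4C5D
    legit = build_offer(xid, "150.1.7.103", "150.1.7.111", "150.1.7.103", "8.8.8.8")
    rogue = build_offer(xid, "150.1.7.101", "150.1.7.200", "150.1.7.101", "150.1.7.101")
    return audit_offer(legit), audit_offer(rogue), competing_servers([legit, rogue])


if __name__ == "__main__":
    legit, rogue, races = run_lab_scenario()
    for v in (legit, rogue):
        print(("ROGUE " if v.rogue else "ok    ") + f"{v.server_id} offers {v.offered_ip}", v.reasons)
    print("transactions answered by multiple servers:", races)
```

R1's OFFER passes; the attacker's OFFER is flagged on three counts, and the shared transaction id shows two servers racing for the same client. On a real network the payloads come from a capture filtered on UDP port 68, and the allowlist is the set of server identifiers your DHCP servers actually use.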
## 🛡️ Mitigation Strategies

### Against ARP Poisoning

| Technique | 💡 How It Helps |
|---|---|
| Dynamic ARP Inspection (DAI) | Switch validates ARP packets against DHCP snooping table — drops spoofed entries |
| Static ARP entries | Manually pin MAC-to-IP for critical hosts — cannot be overwritten |
| Traffic encryption (TLS/VPN) | Even if intercepted, all data remains unreadable |
| VLAN segmentation | Limits which hosts receive each other's ARP broadcasts |
| ARP monitoring (XArp) | Detects duplicate IP-MAC mappings in real time |

### Against DHCP Spoofing

| Technique | 💡 How It Helps |
|---|---|
| DHCP Snooping | Only trusted uplink ports can send DHCP replies — blocks rogue servers |
| 802.1X Port Authentication | Unauthorized devices cannot connect to the network |
| Static IP for critical devices | Routers and servers never use DHCP — immune to spoofing |
| IDS/IPS monitoring | Detects multiple DHCP OFFER packets from unknown MACs |
| VLAN isolation | Confines DHCP traffic to specific segments |
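The DAI and DHCP snooping rows of the two tables above are one configuration on the access switch: DHCP snooping builds the IP-to-MAC binding table from leases that arrive on the trusted uplink, and Dynamic ARP Inspection then drops any ARP packet on an untrusted port that contradicts that table. The following Cisco IOS fragment is an added example, not part of the lab (the lab's EVE-NG topology has no managed switch between R2 and R1); the VLAN number and port names are assumptions.

```cisco
! Assumed: clients and R1 share VLAN 10; Gi0/1 is the uplink towards R1
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 description uplink to R1 (legitimate DHCP server)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 24
 description access ports: untrusted, DHCP replies dropped, ARP validated
 ip dhcp snooping limit rate 15
!
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Verification after the change:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

With this in place, the rogue OFFER from the attacker's access port is discarded by the switch, and the forged ARP replies claiming `.135` and `.136` are dropped because neither binding matches the snooping table; the `statistics` counters are where the dropped packets show up for the SOC.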

## 🛠️ Tools and Technologies

| 🔧 Tool | Version | 🎯 Purpose |
|---|---|---|
| Ettercap | 0.8.4 / 0.8.3.1 | ARP poisoning and DHCP spoofing |
| Wireshark | Latest | Packet capture and analysis |
| Kali Linux | 2024 | Primary attack platform |
| Parrot OS | Latest | Secondary attack platform |
| VMware Workstation | — | Virtual machine hypervisor |
| EVE-NG | Latest | Network simulation (routers) |
| Windows 7 / 10 | — | Victim machines |

## ⚠️ Disclaimer

This project is strictly for educational and research purposes in a controlled, isolated lab environment. All techniques demonstrated here are performed on systems owned and operated by the researcher. Unauthorized use of these techniques on any network or system without explicit written permission is illegal and unethical. The author takes no responsibility for misuse of this information.