using the popular bettercap tool and observing responses I had two doubts that also concerns some theoretical questions:
Bettercap allows you to arp spoof entire ranges of ip-s (e.g. an entire /24 subnetwork you're in), but as far as I know do an arp spoofing attack consists in "telling" the router (the gateway) that the ip
xxx.xxx.xxx.xxx
correspond to your physical address (MAC) and not to the one of the target: it is possible to do so for RANGES of ip-s? Can an ARP table contain a range of ip-s instead of a single one as an entry?Bettercap also allows you to launch a proxy you can use to "interact" with traffic when you're spoofing it; in the case of https proxy (SSL strip DISABLED by default) bettercap outputs some information about the https request header (for example
user-agent ecc...
), but what I know is that https is no more than http over SSL (TLS), so I was not expecting the tool to read https headers... What am I missing?