Is there any point of arp spoofing on a wifi network?

Question

I know that arp spoofing is required on a LAN network due to the fact that data is sent directly to a destination, but what about for a WLAN network? All packets can be seen if you are in promiscuous mode, so is there any point of arp spoofing?

Answer 1

It's true that you can examine data that way, but arp spoofing is used for many other attacks too, as you can do a lot when being the receiver of the data. You could then decide if you would like to send the packets somewhere else, to answer back with fake info (for example, a phishing site), and many others.

Answer 2

First of all, promiscuous mode won't help with already-connected if the access point is using WPA, because the keys in WPA are unique for each client (the password/certificate/credentials are only used to establish the connection, after which a unique key is exchanged). ARP spoofing works fine, though (assuming you can log into the network at all); other hosts will transmit their traffic (through their unique key) to the access point, which will then forward it on to you using your key.

Additionally, promiscuous mode will only give you a passive position on the network; you'll be able to monitor traffic, but not to block or modify it. You might be able to spoof responses (e.g. to DNS requests) but you'll be in a race to do so. If you ARP spoof then you'll get a true MitM position, able to intercept all traffic in both directions, decide when or if to send it on its way, modify it if you want to, etc. For example, if you want to run a SSL Stripping attack, you need to be able to hold connections open, blocking server responses from reaching the client until you can modify them (generally making an additional request, modifying that response, and forwarding it as the "response" to the original request). Since practically everything of sensitive nature is via TLS (or SSH) these days, you need the ability to intercept and tamper with traffic if you want to get anywhere.

Also, a note about DNS poisoning in particular: in addition to obviously being ineffective against anything that doesn't use DNS (because the request is by raw IP), it also won't work for clients that have cached the DNS response before you get there. Cache times are generally short, but you may well miss the opportunity to steal the data you're looking for.

Answer 3

Firstly, on a wired LAN network, while it is usually the case that unicast layer 2 MAC addresses are used for source/destination, there may be scenarios/protocols where frames may be sent to multicast or broadcast MAC addresses. Nevertheless, even in the case of unicast layer 2 addresses for the destination, it depends on your layer 2 LAN technology. With typical switch Ethernet switches these days, what you observed is correct. However, with something like the more original Ethernet model (broadcast medium, e.g., with hubs rather than switches), other devices would also receive data, but the NIC or driver would normally filter out frames with MAC destination addresses that are not matching. But that can be hacked/modified so an attacker could capture other traffic too.

Secondly, for WLANs, there's both promiscuous mode and monitor mode. Monitor mode would normally be the more "powerful" way to see all frames in the WLAN. Promiscuous mode has the limitation that you have to be associated with an AP before you can see all traffic in that WLAN, whereas monitor mode doesn't require that (just need to be physically able to monitor .. in terms of frequency, etc.). See What is the difference between Promiscuous and Monitor Mode in Wireless Networks? for example.

Thirdly, even with monitor mode or promiscuous mode, before able to see all traffic is not the same as using ARP spoofing. You're only passively viewing frames, whereas ARP spoofing is an active technique. ARP spoofing involves traffic being injected into the network to do the spoofing, which monitor/promiscuous mode by itself doesn't do for you.