
I'm currently trying to do ARP spoofing / ARP poisoning with Kali Linux in VirtualBox in order to check the security of the network of my company. I'm currently doing a little pentest, therefore I am allowed to do this. I'm trying to gain a man-in-the-middle position between a laptop and my router. Therefore, let's say I'm using the following:

  • Kali Linux in Virtualbox with external USB Wifi Adapter IP: 192.0.0.3 | MAC: CC:CC:CC:CC:CC:CC

  • Target-Laptop using Windows 10 IP: 192.0.0.2 | MAC: BB:BB:BB:BB:BB:BB

  • Default Gateway IP: 192.0.0.1 | MAC: AA:AA:AA:AA:AA:AA

Therefore I tried a few options for ARP spoofing, for example the MitM-Framework, ettercap and arpspoof. When I capture the network traffic on Wireshark, I can see the ARP-Packets, saying: 192.0.0.2 is at CC:CC:CC:CC:CC:CC and also: 192.0.0.1 (router) is at CC:CC:CC:CC:CC:CC

But when I look up the ARP table on my target with arp -a, there is still the right MAC address for the default gateway.

For example I tried:

  1. sysctl -w net.ipv4.ip_forward=1
  2. arpspoof -i wlan0 -t 192.0.0.2 192.0.0.1
  3. arpspoof -i wlan0 -t 192.0.0.1 192.0.0.2

Are there any suggestions what else I can try to fix my problem?

Glorfindel
black_hawk

1 Answer


Your process seems OK to me. Inspecting ARP traffic is the right thing to do, as well as making sure your NIC is set up in promiscuous mode and there are no firewall rules in the way of the attack. From memory, ettercap will change iptables for you. Once everything is in place, you would definitely see your ARP table change according to the attack.

Another point of observation is a simulated victim on the network, whereby you have Wireshark running and observe the effects of the attack.

As a proof of concept, however, I would instead make sure I understand the process and make sure it works in a simpler Ethernet-based network. WiFi technology enables other means by which to control layer 2 access and detect or sometimes deter ARP spoofing attacks.

Pedro
  • I will try Wireshark on a victim to see what happens there, thank you for the hint. I already did it in my private network, where everything worked fine. Still, I thought there should be a way to make it work. I will respond with the result of the Wireshark capture on the victim tomorrow. – black_hawk Apr 28 '20 at 20:39
  • Also take notice that ettercap is a very old tool and bettercap has been implemented as a fresh implementation, so give that one a try as well. – Pedro Apr 28 '20 at 21:17
  • So, I used Wireshark on the victim now as well, but as it seems, there were no ARP packages seen. Thank you for your tips! – black_hawk May 07 '20 at 13:41
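
A defender-side check for the situation discussed in this thread, as an added example that is not part of the original posts: it decodes raw ARP frames and flags sender bindings that contradict a known-good IP-to-MAC baseline. The function names, the baseline table and the sample frames are assumptions, constructed from the addresses given in the question.

```python
import struct

# Ethernet header (14 bytes) + IPv4-over-Ethernet ARP body (28 bytes)
ARP_FMT = "!6s6sHHHBBH6s4s6s4s"

def mac_str(b): return ":".join(f"{x:02X}" for x in b)
def ip_str(b): return ".".join(map(str, b))

def parse_arp(frame):
    """Decode a raw Ethernet frame; return a dict for IPv4 ARP, else None."""
    if len(frame) < 42:
        return None
    (_dst, src, etype, htype, ptype, hlen, plen,
     op, sha, spa, _tha, tpa) = struct.unpack(ARP_FMT, frame[:42])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}

def detect(frames, baseline):
    """Flag ARP sender bindings that contradict a known-good IP->MAC baseline."""
    alerts, claimed = [], {}
    for raw in frames:
        pkt = parse_arp(raw)
        if pkt is None:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip in baseline and baseline[ip] != mac:
            alerts.append(("binding-conflict", ip, mac))
        ips = claimed.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:  # one MAC now answers for several IPs
            alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return list(dict.fromkeys(alerts))  # report each finding once, in order

def sample_frame(dst, src, op, sha, spa, tha, tpa):
    """Build one constructed ARP frame as bytes (sample data, never sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(map(int, s.split(".")))
    return struct.pack(ARP_FMT, m(dst), m(src), 0x0806, 1, 0x0800, 6, 4,
                       op, m(sha), i(spa), m(tha), i(tpa))

GW, VICTIM, KALI = "AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB", "CC:CC:CC:CC:CC:CC"
BASELINE = {"192.0.0.1": GW, "192.0.0.2": VICTIM, "192.0.0.3": KALI}
SAMPLE = [  # constructed frames mirroring the replies seen in the question
    sample_frame(VICTIM, GW, 2, GW, "192.0.0.1", VICTIM, "192.0.0.2"),
    sample_frame(VICTIM, KALI, 2, KALI, "192.0.0.1", VICTIM, "192.0.0.2"),
    sample_frame(GW, KALI, 2, KALI, "192.0.0.2", GW, "192.0.0.1"),
]
```

Run over frames captured on the victim or a monitoring port, an empty result while the sending host's own capture raises alerts means the forged replies never reached that host.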