Hacking Explained: ARP Spoofing
October 2018 | Michael Wetherald

The Address Resolution Protocol (ARP) is generally used to map unique MAC addresses to their corresponding IP addresses on a network. For example, let’s consider the following network configuration:

example network configuration with two clients 'alice' and 'bob' connected to an access point which acts as a gateway to the internet

Each of these devices has a unique hardware MAC address (typically assigned by the manufacturer, but modifiable with software) which is used at one layer of the network, and an ideally unique IP address which is used at another layer. When Alice wants to send a packet to Bob, she needs to include Bob’s MAC address. If Alice does not have Bob’s MAC address she broadcasts a request to the entire network asking “who has“ (Bob’s IP address). If Bob receives this request he responds “I am” which includes his MAC address (CC:CC:CC:CC:CC:CC). Alice then stores this mapping of Bob’s MAC address (CC:CC:CC:CC:CC:CC) and his IP address ( locally in an ARP Table.

Devices will also automatically update their ARP table whenever an ARP reply (“I am xx.xx.xx.xx”) is received regardless of whether or not the client initiated the ARP request. ARP does not define any way of validating or authenticating these requests/responses and this allows an attacker to manipulate client ARP tables at will.

In our example above, Alice and Bob have their clients configured to use the Access Point’s IP address ( as their default gateway to the Internet. Using our knowledge of ARP, Alice can modify Bob’s ARP table to use Alice’s MAC address for the IP address of the default gateway by simply sending an ARP reply to Bob which says “I am”. Bob’s device will then update it’s ARP table and use this new mapping for subsequent requests as represented by the following image:

modified version of the network configuration shown previously, except this time bobs traffic is flowing through alice

Alice could then configure her client to forward all of the traffic from Bob to the Access Point, allowing Bob to still have access to the Internet, while she acts as a man in the middle. Keep in mind however, if Bob is encrypting his traffic with the other devices he’s communicating with Alice will only see the encrypted traffic. This is why using websites with HTTPS is incredibly important.

I began developing CopyCat as a proof of concept tool for attackers like Alice to circumvent the security provided by HTTPS and see/modify the traffic, and allow victims like Bob to continue to use the services provided by HTTPS web servers. Check out my articles on using DNS Spoofing and my URL Spoofing Trick for Chrome to see some examples of things you can do with ARP Spoofing!

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.

When criminals compromise your organization will you know? Viam Technologies provides a range of cyber security services.
Contact us today to be prepared.

© 2023 Viam Technologies