arpspoof
Redirect network traffic by forging ARP replies
TLDR
Poison all hosts to intercept packets on [i]nterface for the host
Poison [t]arget to intercept packets on [i]nterface for the host
Poison both [t]arget and host to intercept packets on [i]nterface for the host
SYNOPSIS
arpspoof [-i interface] [-t target] host
PARAMETERS
-i interface
Specify the network interface to use for ARP spoofing (e.g., eth0, wlan0).
-t target
Specify a single target host to poison. If this option is omitted, arpspoof attempts to poison all hosts on the local network by sending broadcast replies.
host
The IP address of the host whose MAC address will be advertised to the target(s). This is typically the IP address of the default gateway or another specific host on the network that the target communicates with.
DESCRIPTION
arpspoof is a tool from the dsniff suite designed for ARP spoofing, also known as ARP cache poisoning. It manipulates the Address Resolution Protocol (ARP) by sending forged ARP replies to targets on a local area network. The primary purpose of this attack is typically to redirect network traffic. By continuously broadcasting fake ARP responses, arpspoof convinces a target host that the attacker's machine has the MAC address associated with another legitimate IP address on the network (e.g., the default gateway or another host). Conversely, it can also convince the other legitimate host that the attacker is the first target. This effectively places the attacker in a "man-in-the-middle" (MITM) position, allowing them to intercept, log, or modify network traffic between the two targeted hosts before forwarding it. For a successful MITM attack, the attacker's machine usually needs to have IP forwarding enabled.
CAVEATS
Requires root privileges to run.
Operates at Layer 2 (Data Link Layer) and is effective only on local area networks (LANs) or subnets.
Can be detected by network intrusion detection systems (NIDS) or ARP monitoring tools.
If used for man-in-the-middle attacks, IP forwarding must be enabled on the attacker's machine to prevent network disruption. Failure to do so will block traffic flow.
Use of this tool without explicit permission is illegal and unethical and can lead to severe consequences.
ENABLING IP FORWARDING FOR MITM
For arpspoof to successfully perform a man-in-the-middle attack (where intercepted traffic is forwarded to its legitimate destination), IP forwarding must be enabled on the attacker's machine. This can typically be done temporarily using:
echo 1 > /proc/sys/net/ipv4/ip_forward
Or permanently by editing /etc/sysctl.conf and setting net.ipv4.ip_forward = 1.
COMMON USAGE EXAMPLE
To spoof the gateway (e.g., 192.168.1.1) for a specific target (e.g., 192.168.1.100) using interface eth0, you would typically run two commands in separate terminals:
1. To tell the target that you are the gateway:
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
2. To tell the gateway that you are the target:
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100
This sets up the two-way spoof necessary for a successful MITM. Remember to enable IP forwarding first.
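As an added defensive illustration (not part of arpspoof or dsniff), the following Python sketch shows the kind of ARP-monitoring check mentioned under CAVEATS: it records the MAC first advertised for each IP and raises an alert when that binding changes or when one MAC ends up claiming several IPs, which is what the two-way spoof above looks like on the wire. The ARP replies, addresses and MACs are constructed sample data, and the trusted `known` table is an assumed input.

```python
from collections import defaultdict

# Constructed sample of ARP replies in the order seen on the LAN, as
# (sender IP, sender MAC). The first two are the legitimate gateway and
# target; the rest mimic a two-way spoof in which a third MAC claims both
# addresses. All addresses are made up for this example.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",   "aa:aa:aa:aa:aa:01"),  # gateway announcing itself
    ("192.168.1.100", "bb:bb:bb:bb:bb:64"),  # target announcing itself
    ("192.168.1.1",   "cc:cc:cc:cc:cc:ff"),  # gateway IP claimed by another MAC
    ("192.168.1.100", "cc:cc:cc:cc:cc:ff"),  # target IP claimed by the same MAC
    ("192.168.1.1",   "cc:cc:cc:cc:cc:ff"),  # repeated forged reply, no new alert
]


def analyze_arp_replies(replies, known=None):
    """Return the alerts a simple ARP monitor would raise for `replies`.

    `known` is an optional trusted IP->MAC table (e.g. from a DHCP lease
    list). An alert is raised when an IP's advertised MAC differs from the
    binding recorded for it, and once per MAC when that MAC ends up
    claiming more than one IP, which is the two-way spoof pattern.
    Legitimate multi-IP hosts (routers, VIPs) must be whitelisted in practice.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts, flagged = [], set()
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac          # track the latest binding (arpwatch-style)
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in flagged:
            flagged.add(mac)
            alerts.append(f"{mac} claims multiple IPs: "
                          + ", ".join(sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for line in analyze_arp_replies(SAMPLE_ARP_REPLIES):
        print(line)
```

In a real deployment the replies would come from a packet capture on the monitored interface, and the first alert on the gateway IP is the one worth paging on.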
HISTORY
arpspoof is a fundamental component of the dsniff suite of network auditing and penetration testing tools, created by Dug Song. The dsniff tools were first released in the late 1990s and quickly gained notoriety for their powerful and straightforward capabilities in passive sniffing, active spoofing, and man-in-the-middle attacks. arpspoof specifically addresses the ARP cache poisoning aspect, making it a foundational tool for intercepting local network traffic due to its simplicity and effectiveness.