Post Connection Attacks: Man in the Middle & ARP poisoning

In our last chapter there was a problem if you are using a switched network where your router is a switch, router does not reflect traffic between two ports, so you can’t see traffic between your devices unless it is broadcast packets or your own.

If we want to see the client’s packets anyway we need to trick it to send the packets directly to us instead of the router. We can do this with ARP Poisoning. ARP poisoning tricks the client’s ARP table to think that the attacker’s MAC address is the MAC address for the access point.

Our client is a Windows 10 machine, we can check it’s ARP table by opening CMD and typing in:

arp -a

pc arp -a old






As we can see the default gateway for the router is and it has MAC address of D4-6E-0E-FC-AB-E4.

Now head back to your kali machine and start up Ettercap. Ettercap is a free open source tool for man-in-the-middle attacks on LAN. You should start and check Ettercap’s help page with command:

ettercap --help

From Ettercap’s help page we can see that -T argument enables us to use Ettercap with terminal, since that is our preferred way we type in:

ettercap -T

Let Ettercap run and it should say “Text only Interface activated… Hit ‘h’ for inline help” . The terminal is interactive so you can just press h. It will show us some different options, by pressing “L” we will get lists of the hosts on the network.


Now run ettercap with command below, where we choose parameters -Tq since we want to use text only GUI which do not display packet contents, -M which is the man-in-the-middle attack and we choose arp:remote which spoofs both the target PC and the target gateway, -i is for interface as always then we type in the default gateway IP and the target PC IP address.

ettercap -Tq -M arp:remote -i wlan1 / /


Now while Ettercap is running, we head over to the Windows 10 client PC open up CMD again and type:

arp -a

pc arp -a new

The MAC address for default gateway is now changed to our kali’s MAC address.

Now it is time to find an website running HTTP without TLS or SSL protection. In our case we chose

pc dictionary login 2.png

After you have tried logging in with any combination of username and password, check Ettercap terminal window and you will find them there in plain text.


Now we are able to intercept packages even in a switched network using ARP poisoning. On the next chapter we will cover how to sniff login credentials from TLS/SSL protected websites.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s