arp.spoof
This module spoofs selected hosts on the network using crafted ARP packets. It enables MITM attacks by redirecting traffic through your machine.
Commands
Section titled “Commands”arp.spoof on
Section titled “arp.spoof on”Start the ARP spoofer.
arp.ban on
Section titled “arp.ban on”Start ARP spoofer in ban mode. Target connectivity will not work.
arp.spoof off / arp.ban off
Section titled “arp.spoof off / arp.ban off”Stop the ARP spoofer.
Parameters
Section titled “Parameters”| Parameter | Default | Description |
|---|---|---|
arp.spoof.fullduplex | false | If true, both the targets and the gateway will be attacked, otherwise only the target (if the router has ARP spoofing protections in place this will make the attack fail). |
arp.spoof.forwarding | true | If true, IP forwarding will be enabled while spoofing is active. Set to false to disable forwarding (e.g. for traffic analysis without relaying). In ban mode, forwarding is always disabled regardless of this setting. |
arp.spoof.internal | false | If true, local connections among computers of the network will be spoofed as well, otherwise only connections going to and coming from the external network. |
arp.spoof.interval | 1000 | Milliseconds between each ARP spoofing broadcast. |
arp.spoof.skip_restore | false | If set to true, targets arp cache won’t be restored when spoofing is stopped. |
arp.spoof.spoofed | <gateway IP> | A comma separated list of IP addresses or IP ranges (nmap style) to impersonate. Defaults to the gateway address. |
arp.spoof.targets | <entire subnet> | A comma separated list of MAC addresses, IP addresses, IP ranges or aliases to spoof (a list of supported range formats). |
arp.spoof.whitelist | A comma separated list of MAC addresses, IP addresses, IP ranges or aliases to skip while spoofing. |
Examples
Section titled “Examples”Ban the address 192.168.1.6 from the network:
set arp.spoof.targets 192.168.1.6; arp.ban onSpoof 192.168.1.2, 192.168.1.3 and 192.168.1.4:
set arp.spoof.targets 192.168.1.2-4; arp.spoof on