ARP Poisoning

Definition

ARP poisoning is a local-network attack where a host sends false ARP mappings so victims associate an IP address, often the gateway, with the attacker's MAC address.

Why it matters

Wireless compromise often becomes local-network compromise. Once an attacker joins the same LAN, ARP poisoning can redirect traffic even though the original weakness was Wi-Fi access or a rogue AP connection. This note lives in wireless security because it is a common post-association lab, but the mechanism is Ethernet/IP neighbor resolution.

How it works

ARP poisoning has 5 steps:

1. Share a broadcast domain. Attacker and victim must be on the same local segment.
2. Identify victim and gateway. The attacker learns IP/MAC relationships.
3. Send false ARP replies. Victims update their ARP cache.
4. Traffic flows through the attacker. The attacker forwards, drops, or observes packets.
5. Application controls decide impact. TLS and secure protocols limit what can be read or modified.

The bug is not Wi-Fi encryption itself. It is trusting unauthenticated local ARP updates on a shared LAN.

A worked example, from ARP poisoning to a segmentation decision:

- Lab setup: two owned laptops on the guest SSID
- Baseline: both can ping the gateway and each other
- ARP observation: the gateway MAC changes on the victim during a controlled spoof
- Application impact: HTTPS sites remain protected, the HTTP printer page exposes credentials
- Decision: enable client isolation and remove plaintext admin pages from the guest-reachable network

The value of an ARP poisoning lab is measuring what same-LAN access can actually affect.

Techniques / patterns

Testing looks at:

- whether client isolation blocks peer-to-peer traffic
- whether gateway ARP entries change unexpectedly
- whether HTTPS, HSTS, and certificate validation hold under MITM
- whether local services leak plaintext credentials
- whether switches/APs enforce ARP inspection or isolation

Variants and bypasses

ARP poisoning has 4 practical variants.

1. Gateway impersonation. The attacker claims to be the gateway for the victim.
2. Victim impersonation. The attacker claims to be the victim for the gateway.
3. Bidirectional MITM. The attacker poisons both directions and forwards traffic.
4. Denial of service. The attacker poisons but does not forward, breaking connectivity.

Impact

Ordered roughly by severity:

- Traffic interception. Plaintext protocols can be read.
- Traffic manipulation. DNS, HTTP, and update flows can be altered if not protected.
- Credential exposure. Legacy protocols and bad TLS behavior leak secrets.
- Availability loss. Bad forwarding or deliberate drops break network access.
- Reconnaissance. Observed flows reveal services and users.

Detection and defense

Ordered by effectiveness:

- Enable client isolation on guest or untrusted Wi-Fi. If clients cannot talk directly, ARP poisoning between guests becomes much harder.
- Segment trusted and untrusted wireless networks. Keeping guests, IoT, and admin devices apart reduces shared-broadcast-domain risk.
- Use secure application protocols. TLS with valid certificate checking prevents most credential and content exposure even under local MITM.
- Monitor ARP changes and duplicate MAC/IP mappings. ARP instability is a useful signal for local MITM.

What does not work as a primary defense

- WPA2 alone. Once joined, clients may still share a vulnerable LAN.
- VPN alone for every risk. A VPN helps routed traffic but may not protect local discovery, captive portals, or all apps.
- Static trust in local networks. "Same Wi-Fi" should not imply safe peers.
- Ignoring plaintext internal protocols. Local attackers benefit from legacy traffic.

Practical labs

Use an isolated lab network with your own victim VM/device.

Observe normal ARP state

    ip neigh
    arp -a

Record the gateway IP and MAC before any test.

Detect ARP changes in Wireshark

    Filter: arp
    Expected gateway MAC:
    Observed changes:
    Duplicate claims:

Focus first on recognition and evidence.
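One way to turn the baseline and detection steps above (record the gateway from ip neigh, watch for ARP changes and duplicate claims, verify that rollback restored the real gateway) into a repeatable check. This is an added example, not part of the original note and not bettercap's or Wireshark's code. It assumes Linux ip neigh output and Ethernet/IPv4 ARP; every MAC, IP and frame in it is a constructed lab value. It goes slightly beyond the Wireshark filter in the note: besides MAC changes and duplicate MAC/IP mappings, it flags replies this host never asked for, which RFC 826 hosts accept without question and which is exactly the weakness the note describes.

```python
"""Pin an ARP baseline from `ip neigh`, then watch raw ARP frames for the
patterns a poisoning lab produces. Added example; all values are constructed."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_ip_neigh(text: str) -> dict[str, str]:
    """Map IP -> MAC from Linux `ip neigh` output; entries with no lladdr
    (FAILED/INCOMPLETE) are skipped because they carry no claim."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table


def duplicate_macs(table: dict[str, str]) -> dict[str, list[str]]:
    """MACs claimed by more than one IP: the footprint of a bidirectional spoof
    where one attacker MAC answers for both gateway and victim."""
    by_mac: dict[str, list[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def rollback_ok(baseline: dict[str, str], after: dict[str, str], gateway_ip: str) -> bool:
    """Post-test check from the lab: the gateway must resolve to its baseline MAC again."""
    return after.get(gateway_ip) == baseline.get(gateway_ip)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct an Ethernet II + ARP frame; used here only to make sample traffic."""
    mac_b = lambda m: bytes(int(x, 16) for x in m.split(":"))  # noqa: E731
    ip_b = lambda i: bytes(int(x) for x in i.split("."))  # noqa: E731
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_b(dst) + mac_b(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4
    return eth + arp + mac_b(sender_mac) + ip_b(sender_ip) + mac_b(target_mac) + ip_b(target_ip)


@dataclass(frozen=True)
class ArpFrame:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode Ethernet II + ARP for IPv4 over Ethernet; anything else is rejected."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    b = frame[22:42]
    return ArpFrame(op, _mac(b[0:6]), _ip(b[6:10]), _mac(b[10:16]), _ip(b[16:20]))


class ArpWatch:
    """Passive monitor for one host. It never modifies the OS cache; it reports
    the conditions that a cache following plain RFC 826 would silently accept."""

    def __init__(self, our_mac: str, baseline: dict[str, str]):
        self.our_mac = our_mac.lower()
        self.pinned = dict(baseline)      # IP -> MAC recorded before the test
        self.learned: dict[str, str] = {}  # first claim seen for unpinned IPs
        self.pending: set[str] = set()     # IPs this host has actually asked about

    def observe(self, frame: bytes) -> list[str]:
        a = parse_arp(frame)
        alerts: list[str] = []
        if a.op == ARP_REQUEST and a.sender_mac == self.our_mac:
            self.pending.add(a.target_ip)  # our own question; nothing to learn yet
            return alerts
        if a.op == ARP_REPLY and a.target_mac == self.our_mac:
            if a.sender_ip in self.pending:
                self.pending.discard(a.sender_ip)
            else:  # a reply nobody asked for is the core of a poisoning attempt
                alerts.append(f"unsolicited-reply {a.sender_ip} is-at {a.sender_mac}")
        expected = self.pinned.get(a.sender_ip) or self.learned.get(a.sender_ip)
        if expected and expected != a.sender_mac:
            kind = "pinned-mismatch" if a.sender_ip in self.pinned else "mac-changed"
            alerts.append(f"{kind} {a.sender_ip} was {expected} now {a.sender_mac}")
        self.learned.setdefault(a.sender_ip, a.sender_mac)  # keep the first claim only
        return alerts


# Constructed `ip neigh` snapshots: before the test, and after a controlled spoof.
BASELINE_IP_NEIGH = """\
192.168.50.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.50.30 dev wlan0 lladdr 11:22:33:44:55:66 STALE
192.168.50.40 dev wlan0 FAILED
"""
AFTER_SPOOF_IP_NEIGH = """\
192.168.50.1 dev wlan0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.50.30 dev wlan0 lladdr de:ad:be:ef:00:99 REACHABLE
"""


def run_demo() -> tuple[list[list[str]], dict[str, list[str]]]:
    """Replay three constructed frames against the baseline and inspect the post-test cache."""
    gw_ip, us_ip, us_mac = "192.168.50.1", "192.168.50.20", "aa:bb:cc:00:00:20"
    base = parse_ip_neigh(BASELINE_IP_NEIGH)
    watch = ArpWatch(us_mac, base)
    frames = [
        build_arp(ARP_REQUEST, us_mac, us_ip, "00:00:00:00:00:00", gw_ip),  # we ask for the gateway
        build_arp(ARP_REPLY, base[gw_ip], gw_ip, us_mac, us_ip),            # the real gateway answers
        build_arp(ARP_REPLY, "de:ad:be:ef:00:99", gw_ip, us_mac, us_ip),    # unsolicited spoofed answer
    ]
    return [watch.observe(f) for f in frames], duplicate_macs(parse_ip_neigh(AFTER_SPOOF_IP_NEIGH))


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Feed ArpWatch with frames from a capture on the lab interface and it will produce the "Observed changes" and "Duplicate claims" lines from the Wireshark step; parse_ip_neigh and rollback_ok cover the "record the gateway first" and "verify the victim sees the real gateway again" steps. Pinning from the baseline is deliberate: a monitor that simply learns the newest MAC would stop alerting once the spoof has settled.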
Run a controlled spoof check

    sudo bettercap -iface wlan0

Use bettercap only inside an owned lab and document whether client isolation blocks peer traffic.

Compare client isolation states

    SSID:
    client isolation on/off:
    peer ping:
    ARP visibility:
    local service reach:
    decision:

Client isolation should change peer attack feasibility.

Record protected versus exposed traffic

    service | protocol | certificate valid? | credentials visible? | fix

Local MITM risk depends heavily on application-layer protection.

Restore ARP state after the lab test

    sudo ip neigh flush all
    ip neigh

Rollback matters; verify the victim sees the real gateway again.

Practical examples

- A guest Wi-Fi network lets two laptops ARP-spoof each other.
- An IoT VLAN shares a segment with admin laptops.
- A plaintext printer admin page leaks credentials under local MITM.
- HSTS and certificate validation prevent a captured browser session from being read.
- Client isolation blocks peer ARP traffic on a guest SSID.

Related notes

- mitm-on-local-networks
- bettercap-workflows
- wireless-security
- NAT and Private Networks
- Firewalls and Network Boundaries

Suggested future atomic notes

- dhcp-spoofing
- dns-spoofing-on-local-networks
- client-isolation
- dynamic-arp-inspection

References

- Official Tool Docs: bettercap ARP spoofing module — https://www.bettercap.org/modules/ethernet/spoofers/arpspoof/
- Official Tool Docs: Wireshark User's Guide — https://www.wireshark.org/docs/wsug_html/
- Foundational: RFC 826 (Address Resolution Protocol) — https://datatracker.ietf.org/doc/html/rfc826