Saturday, July 18, 2009

Demonstration - ARP Spoofing to Sniff Telnet Credential (in clear text)


This is a late upload of a demonstration video I did way back in 2009 about performing ARP spoofing (or ARP poisoning) to sniff unencrypted network traffic between a server and a client device, such as when establishing a Telnet session.

ARP spoofing (or ARP poisoning) lets an attacker on the same local area network (LAN) intercept traffic by sending forged ARP replies that make devices send their frames to the attacker's machine instead of to the legitimate gateway (or, as in this demo, to the legitimate peer host).

Here is why and how it works:
  • Plaintext Vulnerability: Telnet is a legacy protocol that transmits all data—including usernames, passwords, and commands—in clear text.
  • Man-in-the-Middle (MitM): By poisoning the ARP cache of both the client and the server, the attacker positions their machine in the middle of the connection, so every frame between the two hosts is forwarded through it.
  • Session Sniffing: Once the traffic passes through the attacker's machine, a packet sniffer (such as Wireshark or dsniff) can read the plaintext Telnet credentials and session data directly off the wire.
  • Session Hijacking: Beyond just reading, the attacker can also inject commands or take over the session entirely.

How to Protect Your Devices or Your Organization:
  • Use SSH: Replace Telnet with SSH, which encrypts the entire session, so captured traffic reveals neither credentials nor commands to an attacker.
  • Static ARP Tables: On critical systems, manually map IP addresses to MAC addresses so the entries are permanent and cannot be overwritten by spoofed ARP replies.
  • Network Monitoring and Switch Controls: Use tools like Arpwatch, or Dynamic ARP Inspection (DAI) on managed switches, to detect and block suspicious ARP activity such as an IP address suddenly changing its MAC address.
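To show what "suspicious ARP activity" looks like on the wire, here is an added example (not part of the original post or video, and not Arpwatch's own code) that parses raw Ethernet/ARP frames and keeps an IP-to-MAC binding table, flagging the two classic signs of the poisoning described above: an IP address whose MAC suddenly changes, and a single MAC claiming several IP addresses. The host names, IP addresses and MAC addresses are all constructed for the demo, which replays the client/server scenario from the video in a few hand-built frames.

```python
"""Minimal Arpwatch-style ARP poisoning detector over raw Ethernet frames (added example)."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_HEADER_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying Ethernet/IPv4 ARP; return None for anything else."""
    if len(frame) < 14 + struct.calcsize(ARP_HEADER_FMT):
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_HEADER_FMT, frame[14:42])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Track sender IP->MAC bindings from every ARP request or reply seen on the segment."""

    def __init__(self):
        self.bindings = {}                 # ip -> mac first learned for it
        self.ips_per_mac = defaultdict(set)

    def observe(self, frame):
        """Feed one frame; return a list of alert strings (empty when nothing looks wrong)."""
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        alerts = []
        # A spoofer may forge the ARP sender MAC while the NIC stamps its real source MAC.
        if arp["sha"] != arp["eth_src"]:
            alerts.append(f"ARP sender MAC {arp['sha']} differs from Ethernet source {arp['eth_src']}")
        ip, mac = arp["spa"], arp["sha"]
        if ip == "0.0.0.0":               # ARP probe (RFC 5227) carries no usable binding
            return alerts
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alerts.append(f"{ip} changed from {known} to {mac} (possible ARP poisoning)")
            self.bindings[ip] = mac
        # One MAC answering for several IPs is how a MitM claims both ends of a connection.
        # Routers with multiple addresses (HSRP, aliases) can do this legitimately; whitelist them.
        if self.ips_per_mac[mac] and ip not in self.ips_per_mac[mac]:
            alerts.append(f"{mac} now claims multiple IPs: {sorted(self.ips_per_mac[mac] | {ip})}")
        self.ips_per_mac[mac].add(ip)
        return alerts


def build_arp(eth_src, eth_dst, sha, spa, tha, tpa, oper=ARP_REPLY):
    """Build a constructed Ethernet/ARP frame for the demo (not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + struct.pack(ARP_HEADER_FMT, 1, ETHERTYPE_IPV4, 6, 4, oper,
                          mac(sha), ip(spa), mac(tha), ip(tpa)))


def run_demo():
    """Replay the video's scenario with constructed addresses; return alerts per frame."""
    server, client, attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:01", "cc:cc:cc:cc:cc:01"
    server_ip, client_ip = "192.168.1.10", "192.168.1.20"
    frames = [
        # Legitimate exchange: each host announces its own binding.
        build_arp(server, client, server, server_ip, client, client_ip),
        build_arp(client, server, client, client_ip, server, server_ip),
        # A non-ARP frame (IPv4 ethertype) must be ignored, not misparsed.
        struct.pack("!6s6sH", bytes(6), bytes(6), ETHERTYPE_IPV4) + bytes(46),
        # Poisoning: the attacker tells the client it is the server, and the server it is the client.
        build_arp(attacker, client, attacker, server_ip, client, client_ip),
        build_arp(attacker, server, attacker, client_ip, server, server_ip),
    ]
    mon = ArpMonitor()
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

The two legitimate frames populate the table silently; the attacker's first forged reply trips the "changed" alert for the server's IP, and the second trips both alerts because the same MAC is now answering for both hosts, which is exactly the position needed to sniff the Telnet session. In production you would read frames from a capture interface or a span port instead of `frames`, and seed `bindings` from a known-good inventory so the very first reply from a spoofer is caught too.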