Performing ARP Spoofing Attack Simulation

When to Use

• Testing whether network switches and infrastructure properly implement Dynamic ARP Inspection (DAI)
• Demonstrating man-in-the-middle attack risks to stakeholders during authorized security assessments
• Validating that network monitoring tools (IDS/IPS, SIEM) detect ARP cache poisoning attempts
• Assessing the effectiveness of port security, 802.1X, and VLAN segmentation controls
• Training SOC analysts to recognize ARP spoofing indicators in network traffic

Do not use on production networks without explicit written authorization and a rollback plan, against networks carrying critical or life-safety traffic, or as a denial-of-service attack vector.

Prerequisites

• Written authorization specifying in-scope network segments for ARP spoofing simulation
• Kali Linux or similar penetration testing distribution with arpspoof, Ettercap, and Scapy installed
• Direct Layer 2 access to the target network segment (same VLAN as target hosts)
• IP forwarding knowledge and ability to enable/disable packet forwarding on the attacker machine
• Wireshark or tcpdump for capturing traffic to verify interception
• Isolated lab environment or approved production test window