- Reply / Poison Cache
Here you can send forged ARP Replies.
A forged reply makes the following assertion to a remote host: MAC SRC belongs to IP SRC.
The remote host will therefore update its ARP cache accordingly.
One possible attack
Network looks like this:
Router is 192.168.1.1, MAC AAAAAA-AAAAAA
You are 192.168.1.2, MAC BBBBBB-BBBBBB
Victim is 192.168.1.3, MAC CCCCCC-CCCCCC
Send the following spoofed ARP Reply: MAC SRC=BBBBBB-BBBBBB, IP SRC=192.168.1.1, MAC DEST=CCCCCC-CCCCCC, IP DEST=192.168.1.3
The remote host (192.168.1.3) will then think you (192.168.1.2) are the router, because its ARP table now resolves the router's IP address to your MAC address.
Here you can send forged / spoofed ARP requests.
Same possible attack as above.
Note: to use these functions, you must be set to WinPcap mode or NDIS mode, because you need to be able to alter layer 2.
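On the monitoring side, the forged reply or request above is visible as an ARP packet whose sender IP/MAC pair contradicts a known binding. The following detector is an added example, not part of the tool described here; the trusted table, function names and sample frames are assumptions constructed from the sample network above.

```python
import socket
import struct

# Trusted IP -> MAC bindings (assumed: the sample network from the text).
TRUSTED = {
    "192.168.1.1": "aa:aa:aa:aa:aa:aa",  # router
    "192.168.1.2": "bb:bb:bb:bb:bb:bb",
    "192.168.1.3": "cc:cc:cc:cc:cc:cc",
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Parse an Ethernet II frame; return ARP fields, or None if it is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "op": op, "sender_mac": mac_str(sha),
            "sender_ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}

def check_frame(frame, trusted=TRUSTED):
    """Return alert strings for one frame; an empty list means nothing suspicious."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    expected = trusted.get(arp["sender_ip"])
    # Requests (op 1) and replies (op 2) both carry a sender binding, so check both.
    if expected and expected != arp["sender_mac"]:
        alerts.append(f"binding conflict: {arp['sender_ip']} claimed by "
                      f"{arp['sender_mac']}, expected {expected}")
    if arp["eth_src"] != arp["sender_mac"]:
        alerts.append("Ethernet source MAC differs from ARP sender MAC")
    return alerts

def make_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build sample frame bytes in memory for testing the detector (nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return (m(dst_mac) + m(src_mac) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + m(src_mac) + socket.inet_aton(src_ip) + m(dst_mac) + socket.inet_aton(dst_ip))

# Constructed samples: a genuine router reply, then the forged reply and request.
LEGIT = make_frame(2, "aa:aa:aa:aa:aa:aa", "192.168.1.1", "cc:cc:cc:cc:cc:cc", "192.168.1.3")
FORGED = make_frame(2, "bb:bb:bb:bb:bb:bb", "192.168.1.1", "cc:cc:cc:cc:cc:cc", "192.168.1.3")
FORGED_REQ = make_frame(1, "bb:bb:bb:bb:bb:bb", "192.168.1.1", "cc:cc:cc:cc:cc:cc", "192.168.1.3")
```

A static table like this only fits small networks with fixed addressing; where DHCP is in use, the trusted bindings would have to come from the lease database instead.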