HTTPS & ARP Poisoning: Why It Fails & How to Test

TL;DR

ARP poisoning typically doesn’t work with modern HTTPS websites because the encryption protects against man-in-the-middle attacks. However, it can still intercept unencrypted traffic or be used in conjunction with other techniques to compromise security. This guide explains why and how you can test for vulnerabilities.

Why ARP Poisoning Fails with HTTPS

ARP (Address Resolution Protocol) poisoning works by associating the attacker’s MAC address with the IP address of a legitimate network device, like your router. This redirects traffic through the attacker’s machine. With HTTPS, the data is encrypted before it leaves your computer and decrypted only at the destination server, and the browser verifies the server’s certificate during the TLS handshake, so an attacker in the middle cannot decrypt the traffic without a certificate the browser trusts. Even if an attacker intercepts the traffic, they see only scrambled data.

Testing ARP Poisoning Vulnerability (and what you’ll likely see)

  1. Understand the Setup: You’ll need a machine to act as the attacker and a target machine on the same network. Tools like Kali Linux are commonly used for this purpose, but you can adapt these techniques to other systems.
  2. Identify Target IP & MAC: First, find the IP address of your target and its corresponding MAC address. Use the following command on a Linux machine:
    arp -a

    This will list all devices on your local network with their IPs and MAC addresses.

  3. Perform ARP Poisoning: Tools like arpspoof (part of the dsniff package) are used to send malicious ARP replies. Run this command, replacing TARGET_IP with your target’s IP and GATEWAY_IP with your router’s IP:
    arpspoof -i INTERFACE -t TARGET_IP GATEWAY_IP

    Replace INTERFACE with the name of your network interface (e.g., eth0, wlan0). You may need root privileges.

  4. Monitor Traffic: Use a packet sniffer like Wireshark to capture traffic on the attacker’s machine. Start Wireshark and select the correct network interface.
    wireshark
  5. Observe Results with HTTPS: When you browse an HTTPS website, you’ll see a lot of encrypted data in Wireshark. You won’t be able to read the content because it’s protected by TLS/SSL.
    • You will likely see traffic related to the TLS handshake (Client Hello, Server Hello, etc.).
    • The actual website content will appear as encrypted blobs.
  6. Observe Results with HTTP: If you browse an HTTP website (without HTTPS), you’ll be able to see the unencrypted traffic in Wireshark. This demonstrates how ARP poisoning can intercept data on unsecured connections.
  7. Stop ARP Poisoning: To stop the attack, press Ctrl+C in the terminal where arpspoof is running. You may also need to flush your ARP cache:
    arp -d TARGET_IP

Bypassing HTTPS (Advanced – Use with Caution)

While directly reading HTTPS traffic isn’t possible, attackers can use techniques like SSL stripping to downgrade the connection to HTTP. This is a more complex attack and requires additional tools and configuration.

Mitigation Strategies

  • Always Use HTTPS: Ensure websites you visit use HTTPS (look for the padlock icon in your browser).
  • HSTS (HTTP Strict Transport Security): HSTS forces browsers to always connect to a website using HTTPS once the site has been visited over HTTPS (or is on the browser’s preload list), which defeats downgrade attempts such as SSL stripping.
  • ARP Spoofing Detection Tools: Some cybersecurity tools can detect ARP spoofing attacks on your network.
  • Static ARP Entries: Configure static ARP entries for critical devices (e.g., router) to prevent attackers from modifying the ARP cache.
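The last two mitigations can be demonstrated together. The following Python script is an added example, not code from the original post or from any of the tools it mentions: it replays a constructed sequence of ARP replies through a small monitor that holds a static entry for the gateway, raises an alert whenever an IP address is announced with a MAC address that differs from the one on record, flags addresses whose MAC keeps flapping inside a short window, and reports any single MAC that claims more than one IP (the pattern a poisoning tool produces when it answers for both the gateway and a host). The addresses, MACs and timestamps are all made up for the demonstration; on a real network the replies would come from a packet capture rather than the inline list.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example for the mitigation section: it combines a static ARP
entry for the gateway with change/flap detection on dynamic entries.
All sample data below is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the sender claims sender_ip lives at sender_mac."""
    ts: float          # seconds since capture start (constructed)
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    expected_mac: str
    observed_mac: str
    reason: str


class ArpMonitor:
    def __init__(self, static_entries: Optional[Dict[str, str]] = None,
                 flap_window: float = 30.0, flap_threshold: int = 3):
        # Static entries (e.g. the router) are never overwritten by observed replies.
        self.static = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
        self.table: Dict[str, str] = dict(self.static)   # ip -> mac currently on record
        self.claims: Dict[str, Set[str]] = {}            # mac -> every ip it has claimed
        self.change_times: Dict[str, List[float]] = {}   # ip -> recent change timestamps
        self.alerts: List[Alert] = []
        self.flap_window = flap_window
        self.flap_threshold = flap_threshold

    def observe(self, reply: ArpReply) -> Optional[Alert]:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        self.claims.setdefault(mac, set()).add(ip)
        known = self.table.get(ip)
        if known is None:                      # first time we see this IP: learn it
            self.table[ip] = mac
            return None
        if mac == known:                       # consistent with the record: nothing to do
            return None
        if ip in self.static:
            # A reply contradicting a static entry is always suspicious; keep the static binding.
            alert = Alert(reply.ts, ip, known, mac, "reply contradicts static entry")
        else:
            # Dynamic entry changed: count changes inside the window to spot flapping.
            times = [t for t in self.change_times.get(ip, [])
                     if reply.ts - t <= self.flap_window]
            times.append(reply.ts)
            self.change_times[ip] = times
            reason = "mac flapping" if len(times) >= self.flap_threshold else "mac changed"
            alert = Alert(reply.ts, ip, known, mac, reason)
            self.table[ip] = mac               # follow the network, but the alert is recorded
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self) -> Dict[str, List[str]]:
        """One MAC answering for several IPs is the classic poisoning signature."""
        return {mac: sorted(ips) for mac, ips in self.claims.items() if len(ips) > 1}


# Constructed capture: a legitimate gateway, workstation and printer, then a rogue
# MAC that answers for both the gateway and the workstation.
SAMPLE_REPLIES = [
    ArpReply(0.0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),  # gateway (matches static entry)
    ArpReply(1.0,  "192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation
    ArpReply(2.0,  "192.168.1.30", "aa:bb:cc:00:00:30"),  # printer
    ArpReply(10.0, "192.168.1.1",  "de:ad:be:ef:00:01"),  # rogue claims the gateway
    ArpReply(10.5, "192.168.1.20", "de:ad:be:ef:00:01"),  # rogue claims the workstation
    ArpReply(12.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # real workstation answers again
    ArpReply(13.0, "192.168.1.20", "de:ad:be:ef:00:01"),  # rogue again: flapping
]


def run_demo() -> ArpMonitor:
    monitor = ArpMonitor(static_entries={"192.168.1.1": "aa:bb:cc:00:00:01"})
    for reply in SAMPLE_REPLIES:
        monitor.observe(reply)
    return monitor


if __name__ == "__main__":
    m = run_demo()
    for a in m.alerts:
        print(f"[{a.ts:5.1f}s] {a.ip}: expected {a.expected_mac}, saw {a.observed_mac} ({a.reason})")
    print("MACs claiming several IPs:", m.macs_claiming_multiple_ips())
```

Run as a script it prints four alerts (one for the contradicted static gateway entry, two MAC changes on the workstation and a final flapping alert) and reports the rogue MAC as claiming both 192.168.1.1 and 192.168.1.20. Because the gateway is a static entry, its record is never replaced, which is exactly the protection the static-entry mitigation gives a real host’s ARP cache.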