LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the difference between ARP poisoning at L2 and DNS spoofing at L7, and why are they often combined in an attack?

ARP poisoning gets you on the path (L2 redirect). DNS spoofing tells the victim where to go (L7 redirect). Combined, the attacker controls both routing and naming.

Recon, ip_forward, arpspoof both ways, confirm in Wireshark, ettercap dns_spoof, httrack clone, apache, capture.

* The full attack chain from recon to credential capture. *

L2 ARP poisoning is the vehicle (get on path); L7 DNS spoofing is the payload (where to send them).

* ARP at L2 is the vehicle; DNS at L7 is the payload. *

The two-layer combo:

Layer Attack What it does
L2 ARP poisoning Force traffic through attacker
L7 DNS spoofing Make bank.com resolve to attacker's IP

Why both are needed for this scenario:

ARP alone (without DNS spoofing):

  • Victim still resolves mycampus.hslu.ch to the real IP via legit DNS
  • Even though traffic flows through attacker, the attacker is just a passive sniffer
  • HTTPS prevents reading the data
  • Attacker sees encrypted traffic to the real server — useless

DNS alone (without ARP poisoning):

  • Hard to do unless attacker controls a DNS server upstream
  • A typical local network DNS isn't exposed for direct spoofing
  • The classic Kaminsky attack targets recursive resolvers, not local LAN

The combo:

  • ARP makes you in-path → can intercept DNS queries
  • You forge DNS replies for specific domains → victim connects to YOUR server
  • Your server hosts a fake page → captures plaintext credentials

The full attack chain:

1. Nmap → identify victim & gateway
2. Enable IP forwarding → become a transparent router
3. arpspoof → poison both directions
4. Wireshark → confirm traffic is flowing through
5. ettercap with dns_spoof → forge DNS replies for mycampus.hslu.ch
6. httrack → clone the real login page
7. Apache → host the fake page on the attacker's box
8. Modify form action → credentials POST to attacker
9. Victim browses to mycampus.hslu.ch → DNS lies → connects to fake site
10. Victim logs in → attacker captures credentials

The key insight:

This is defense in depth in reverse — the attacker layers attacks across OSI layers because defenders layer protections across them. To bypass HTTPS at L7, you sometimes need to manipulate DNS at L7 (instead). Each defense raises the bar; this attack works because the target uses HTTP (for clarity), no DAI, no DNSSEC, no MFA.

Why MFA breaks the chain:

Even with all of the above succeeding, MFA at the real server keeps the attacker out — they have the password but not the second factor. This is exactly why HSLU added MFA recently.

Tip: When evaluating defenses, walk through every layer: physical, link, network, transport, application. Each layer's mitigation only protects that layer's threats. Defense in depth = mitigations at every layer.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026