ARP cache poisoning is usually a part of a man-in-the middle attack. The ARP cache
contains IP address to MAC address mappings that a device has learned through the ARP
process. One of the ways this cache can be poisoned is by pinging a device with a spoofed
IP address. In this way, an attacker can force the victim to insert an incorrect IP address
to MAC address mapping into its ARP cache. If the attacker can accomplish this with
two computers having a conversation, they can effectively be placed in the middle of the
transmission. After the ARP cache is poisoned on both machines, they will be sending data
packets to the attacker, all they while thinking they are sending them to the other member
of the conversation.

The first step in any Subterfuge attack is gaining a Man-in-the-Middle position. Currently, Subterfuge only ships with one method of establishing itself as MITM, ARP Cache Poisoning. Nevertheless, as a framework, its modular design allows it to support multiple methods.

Some used attacks

• ARP Cache Poisoning
• Dynamic Poison Retention & ARPBLock

List of some integrated modules

• Credential Harvester
• Session Hijacking
• HTTP Code Injection
• Denial of Service
• Tunnel Block
• Network View
• Evilgrade