Editing Sniffing & Spoofing (section)

== Spoofing ==

Spoofing forges network identity to redirect traffic, hijack sessions, or bypass access controls. By masquerading as trusted hosts or infrastructure, an operator gains man-in-the-middle positions, network access, and lateral movement capability.

=== Common Techniques ===

* MAC spoofing to bypass wireless MAC filtering or port-based NAC
* ARP cache poisoning to position a MITM node inside switched LANs
* DNS spoofing to deliver malicious IPs for trusted domains
* IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection
* DHCP spoofing for rogue gateway injection and traffic capture
* Email header spoofing to improve phishing credibility
* LLDP/CDP spoofing to influence network device topology views

=== Tools ===

* [[arpspoof]] (classic ARP poisoning utility in dsniff suite)
* [[Bettercap]] (real-time ARP, DNS, and DHCP spoofing with interactive console)
* [[Ettercap]] (MITM framework supporting ARP, DNS, and SSL stripping)
* [[macchanger]] (quick MAC address changer for Linux)
* [[Responder]] (rogue SMB/HTTP/MDNS/NBT-NS responder that coerces credential hand-offs)
* [[Scapy]] (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios)
* [[hping3]] (raw-packet generator for IP-level spoofing, testing, and DoS research)
* [[ip link set / `ifconfig]] (manual MAC spoofing by taking interface down, changing MAC, and bringing it up)