Couldn't arp for host, Kali Linux
Andrew Henderson 
I am currently learning the basics of cybersecurity and I am trying to follow the following tutorial on ARP spoofing. I am using kali linux on a VirtualBox VM on my Windows pc to redirect my windows computer's gateway to my kali VM and I keep getting the "Couldn't arp for host" error. I have also tried redirecting my iPhone's gateway to kali in case redirecting my computer would not make sense from a VM but I run into the same problem.
My full process is using ipconfig on windows to get something like (it's in French):
Carte réseau sans fil Wi-Fi : Suffixe DNS propre à la connexion. . . : epfl.ch Adresse IPv6 de liaison locale. . . . .: fe80::9c0c:82bd:c93d:a9ad%11 Adresse IPv4. . . . . . . . . . . . . .: 128.179.179.227 Masque de sous-réseau. . . . . . . . . : 255.255.248.0 Passerelle par défaut. . . . . . . . . : 128.179.176.1 from which I deduce the commands I have to run on kali are:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 128.179.179.227 128.179.176.1My phone's IP is 128.179.199.89.
When I run ip a on kali, I get that my IP address is 10.0.2.15 and gateway is 10.0.2.2, I don't know if this difference is the reason I cannot make my command work.
If anyone has any clue what I might be missing or what I should be calling instead, I'll be glad to hear your thoughts. Thank you!
1 Answer
There are several problems:
When I run ip a on kali, I get that my IP address is 10.0.2.15 and gateway is 10.0.2.2
Your VirtualBox VM is in "NAT" mode, meaning that it lives in a completely separate "physical" network from your actual LAN. There is a router (VirtualBox itself) that allows network-layer (L3) communications, but ARP is a link-layer (L2) mechanism; it only functions within the same subnet – ARP packets do not travel across routers.
For this to work, the VM needs to be in "bridged" networking mode, that way it is placed directly on the same network as the host computer.
Bridging is also not guaranteed to work over Wi-Fi – VirtualBox has to implement a few tricks to make it happen. (Specifically, the problem is that it can't make your VMs' real MAC addresses visible over Wi-Fi; they will appear as if having the host's MAC, and VirtualBox has to magically rewrite ARP responses to match.) I would recommend using an Ethernet connection all the way through.
(Emphasis on all the way – using Ethernet switches is fine, but "range extenders" that connect to Wi-Fi and give you an Ethernet port will have exactly the same problems as VirtualBox itself.)
Your computer and your phone are in different subnets, too. Combining the computer's address (128.179.179.227) with the netmask (255.255.248.0) you get the network address 128.179.176.0/21 – as a range, it would end at 128.179.183.255. Notice that your phone's IP address is not within this range.
This means that at the very least, your phone will be making ARP queries for a completely different gateway address than yours, and most likely the two networks are separated at link-layer as well, meaning that ARP queries from one wouldn't be visible in anotherr.
Your computer's Wi-Fi connection seems to be giving you access to a shared subnet (I'm guessing it's a campus-wide Wi-Fi) – if you implemented ARP spoofing there, it would affect all users connected to it, which might a) route a few hundred devices' worth of traffic to your laptop, b) make the devices' owners unhappy, c) make the EPFL network admins very unhappy, d) all of the above.
That is assuming it works. More likely is that the network admins have enabled client isolation on the Wi-Fi access points, so that your computer never sees other devices' ARP queries even on the same subnet (the access point answers on behalf of the queried device), and similarly, other devices will never see your "spoofed" ARP responses.
(Client isolation is used precisely to prevent someone from doing what you're trying to do.)
