← LibraryTechnique entry
N-ARP-SPOOFCredential Access
ARP Spoofing / Cache Poisoning
bettercap / ettercap to interpose between two hosts on the same broadcast — captures cleartext + downgrades TLS where possible.
§ Where this technique fits
N-ARP-SPOOF is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 2 on average.
§ Dossiers chaining this technique
- step 2 / 5
MITM HL7 v2 → tamper lab orders / results
HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result.
- step 2 / 5
MITM unencrypted RTP → call eavesdropping
Most internal SIP deployments still use RTP without SRTP. From the same VLAN, ARP-spoof the IP phone + PBX, capture RTP, decode in Wireshark to .wav.
§ What commonly comes next
- 01Network Sniffingseen 1×T1040 · Credential Access
- 02RTP Stream Captureseen 1×VOIP-RTP-CAPTURE · Collection