During a red team assessment at Alpine Manufacturing Corp.

The described behavior aligns precisely with ARP spoofing, also known as ARP poisoning, a common man-in-the-middle attack technique covered extensively in CEH materials. ARP operates at Layer 2 of the OSI model and is responsible for mapping IP addresses to MAC addresses within a local network. Because ARP lacks authentication mechanisms, any host can send forged ARP replies to other devices on the LAN.

In this scenario, Marcus injects crafted messages that alter how two hosts identify each other. This strongly indicates forged ARP replies were sent to both the payroll workstation and the authentication server. By telling each system that his machine’s MAC address corresponds to the other party’s IP address, Marcus positions himself logically between the two endpoints. As a result, traffic is transparently routed through his system without requiring changes to switch configurations, proxies, or VPN tunnels.

This technique enables interception and potential modification of credentials in transit. DNS spoofing affects domain name resolution rather than direct Layer 2 host identification. MAC flooding overflows the switch CAM table to force broadcast behavior but does not specifically manipulate IP-to-MAC mappings between two targeted hosts. Switch port stealing targets MAC table entries but does not rely on altering host identity mappings in the same way ARP poisoning does.

Therefore, ARP spoofing is the most accurate technique described in this scenario.