we got two virtual machines on virtualbox (bridge network).
the first one called debian12 has two NICs
08:00:27:07:e6:6b -- 192.168.1.14 08:00:27:97:ca:a5 -- no IP defined
the second one called debian12-clone has one NIC
08:00:27:b9:1f:5e -- 192.168.1.15
we first test the normal behaviour from the host system (linux).
ping -c1 192.168.1.14 ping -c1 192.168.1.15 arp -a
we are going to spoof the clone mac on the former
ifconfig enp0s8 hw ether 08:00:27:b9:1f:5e ifconfig enp0s8 192.168.1.15/24 up
we then sniff the traffic on both sides
tcpdump -i enp0s8 not port ssh
tcpdump -i enp0s3 not port ssh
and we start pinging from the host system
==> result is not concluant on VBOX, we only see ICMP on the victim - the attacker remains blind