Info Sharing Blog

Wednesday, April 11, 2018

What is a Gratuitous ARP? How is it used in Network attacks?

April 11, 2018 Posted by jaacostan , ,
Many of us encountered the word "Gratuitous" while exploring the network topic on ARP, The Address Resolution Protocol. Before explaining Gratuitous ARP, here is a quick review on how ARP works.

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B shoots a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the same broadcast domain receive the ARP request, and Host A responds with its MAC address.
We can see the ARP entries on our computers by entering the command arp -a.
So, back to the topic on what is a Gratuitous reply, here is a better explanation.
Gratuitous arp is when a device will send an ARP packet that is not a response to a request. Ideally a gratuitous ARP request is an ARP request packet where the source and destination IP are both set to the IP of the machine issuing the ARP packet and the destination MAC is set to the broadcast address ff:ff:ff:ff:ff:ff.
Some devices will send gratuitous arp when they boot up, which announces their presence to the rest of the network. Also Many devices will send a gratuitous arp if there is a change on its IP address.

Summarize,A gratuitous ARP reply is a reply to which no request has been made.

And how this Gratuitous ARP is used in network attacks?
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received. Hence poisoning the ARP table of the devices int he network. After this, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host, Which we call as a "man-in-the-middle attack".An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

Eg: Assume there are three devices connected to a switch. One router and two PCs. PC2 is an attacker.
PC2 will send Gratuitous ARP  to the router with the IP address of PC1(Spoofed) and its own MAC address as source. Once this is learned by the router, router will think that PC2 is actually PC1 and all the packets destined to PC1 will be forwarded to PC2.
Similarly the PC2 will send another Gratuitous ARP to PC1 with its own MAC address and the IP address of Router as source. So the PC1 will learn that the router is PC2 and will send all packets to PC2. PC2 may forward those packets to the router and there by executing a Man-in -the-Middle attack.

Network administrators can use Dynamic ARP inspection (DAI) to prevent the ARP poisoning/spoofing attacks. DAI is a security feature that validates Address Resolution Protocol (ARP) packets in a network by determining the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the trusted DHCP snooping binding database.

How to configure DAI on switches depends on the vendor. A google search can provide the configuration guide on that.

This is for answering Nikhil's query :

Question: If the machine already learned the real MAC and have the ARP entry, then a G-ARP packet will be accepted or not.
Answer : When the Spoofing attack is On, the ARP table will be updated with the spoofed MAC entry.
Gratuitous ARP

I have captured couple of Wireshark captures for demonstrating the ARP poisoning attack. Note the target machine is 192.168.209.131. The machines learned the actual MAC address. After that, I performed the ARP spoofing using a gratitious ARP and let it run in the background on my Kali Linux. We can see the ARP entry for 192.168.209.131 has been changed due to the spoofing attack. Then I tried to ping the target 192.168.209.131 and it used the spoofed MAC as the destination.

However, it did throw a message on the IP conflict but it won't matter when the spoofing attack is on. When i stop the attack, the spoofed MAC entry gets cleared as well.