Monday, May 8, 2017

Monday tech: WPAD Man in the middle across LANs *and* the WAN

Hi everyone
WPAD, or Web Proxy Autodiscovery Protocol, is a protocol used in Windows by Internet Explorer and other web browsers that follow Windows' internet configuration. It enables automatic discovery of the proxy server settings needed to connect to the outside, usually the Internet.



WPAD is almost 20 years old, and it is an unsecured protocol. When WPAD is enabled, the client asks for a DNS record with the hostname WPAD and for a file called a PAC file (Proxy auto-config), which contains sandboxed JavaScript code that tells the browser the location of the proxy server or of multiple proxies. If the DNS query fails, another similar protocol that operates in the LAN, called WINS (Windows Internet Naming Service), is used to search for the WPAD host. If this also fails, another similar protocol called LLMNR (Link-Local Multicast Name Resolution) is used. This protocol is used for peer-to-peer resolution, and it uses an entire network broadcast to ask for the resolution - not the safest and most reliable method.

If an attacker resides in the victim's network, he can easily respond to the LLMNR broadcast, return a PAC file and redirect the victim's traffic to his station, performing a full MITM attack.
Moreover, if the attacker adds basic authentication to his malicious server, the victim will be prompted to enter credentials, and once he does, he has just given the username and password to the attacker.

This can be executed automatically using the famous Responder tool, created by SpiderLabs and now part of Kali.
A full example can be seen here:
https://www.trustedsec.com/july-2013/wpad-man-in-the-middle-clear-text-passwords/

But wait, the fun doesn't stop there. WPAD first issues a DNS request for the WPAD hostname, and in many cases it appends the domain name to the WPAD hostname.
So effectively, if an organization called Contoso has a domain with the same name, and the domain's stations enable WPAD, the DNS server will get both a WPAD hostname request and a WPAD.Contoso request.
If WPAD.Contoso is a valid DNS hostname on the Internet, this attack becomes FAR more dangerous, as it now leaks from the LAN to the WAN.
During the last BlackHat Las Vegas conference, a researcher actually registered multiple domains made of the WPAD hostname and different top-level suffixes, such as wpad.news, wpad.university and wpad.tokyo, hoping to get requests from different organizations. Surprisingly (or not) - he did. A LOT.
The most successful suffix was Tokyo, maybe because of the upcoming Olympics that will take place in the city in 2020.
An article about this hack can be found here:
http://www.eweek.com/security/researcher-tells-how-web-proxy-autodiscovery-protocol-could-be-abused
The presentation from BlackHat can be found here:
https://www.blackhat.com/docs/us-16/materials/us-16-Goncharov-BadWpad.pdf
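
To check whether your own network shows the LAN-to-WAN leak described above, you can scan DNS query logs for WPAD lookups that fall outside the zones you control. The sketch below is an example added here, not code from the researcher or from Responder; the log format, the sample lines and the internal zone `corp.contoso.example` are constructed assumptions.

```python
# Constructed sample of DNS query log lines: "<client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.21 A wpad.corp.contoso.example
10.0.0.34 A WPAD.Contoso
10.0.0.34 A wpad
10.0.0.40 A www.contoso.example
10.0.0.52 AAAA wpad.tokyo.
10.0.0.52 A mywpad.corp.contoso.example
"""

# Assumption: the only zone whose DNS this organisation answers authoritatively.
INTERNAL_ZONES = {"corp.contoso.example"}


def classify(qname, internal_zones=INTERNAL_ZONES):
    """Return None for non-WPAD names, else 'internal', 'unqualified' or 'leak'."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[0] != "wpad":          # only the exact leftmost label counts
        return None
    if len(labels) == 1:
        # Bare "wpad": if DNS has no answer, the client falls back to
        # WINS/LLMNR, where any host on the LAN can reply.
        return "unqualified"
    suffix = ".".join(labels[1:])
    for zone in internal_zones:
        if suffix == zone or suffix.endswith("." + zone):
            return "internal"
    # wpad.<suffix> under a zone we do not control: whoever registers
    # that name on the Internet can serve the PAC file.
    return "leak"


def find_leaks(log_text, internal_zones=INTERNAL_ZONES):
    """Return (client, qname, verdict) for every risky WPAD query in the log."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                  # skip malformed lines
        client, _qtype, qname = parts
        verdict = classify(qname, internal_zones)
        if verdict in ("leak", "unqualified"):
            findings.append((client, qname, verdict))
    return findings


if __name__ == "__main__":
    for client, qname, verdict in find_leaks(SAMPLE_LOG):
        print(f"{client:<12} {qname:<16} {verdict}")
```

Clients that show up here are candidates for disabling WPAD or for an internal DNS record that answers the WPAD name from a host you control.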

Have a great week!