WPAD
About
Web Proxy Auto-Discovery Protocol
http://wpad/wpad.dat as PAC file
Hijack WPAD -> Proxy Server
Insert any html tags in HTTP Response
ΠΡΠ°ΠΊΠ΅ ΡΠ΅ΡΠ΅Π· ΠΏΡΠΎΡΠΎΠΊΠΎΠ» WPAD ΠΏΠΎΠ΄Π²Π΅ΡΠΆΠ΅Π½Ρ Π²ΡΠ΅ ΡΠΈΡΡΠ΅ΠΌΡ β Linux, Windows, MacOS
ΠΡΠ½ΠΎΠ²Π½Π°Ρ ΡΡΠ°ΡΡΡ: https://www.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector/
Impact
ΠΠ»ΠΎΡΠΌΡΡΠ»Π΅Π½Π½ΠΈΠΊ ΠΌΠΎΠΆΠ΅Ρ Π²ΡΠΏΠΎΠ»Π½ΠΈΡΡ Π°ΡΠ°ΠΊΡ Β«ΡΠ΅Π»ΠΎΠ²Π΅ΠΊ ΠΏΠΎΡΠ΅ΡΠ΅Π΄ΠΈΠ½Π΅Β» (MiTM) Π½Π° ΡΡΠ·Π²ΠΈΠΌΡΠ΅ ΡΠΈΡΡΠ΅ΠΌΡ, Π΅ΡΠ»ΠΈ ΠΎΠ½ΠΈ Π½Π°Ρ ΠΎΠ΄ΡΡΡΡ Π² ΡΠΎΠΉ ΠΆΠ΅ Π»ΠΎΠΊΠ°Π»ΡΠ½ΠΎΠΉ ΡΠ΅ΡΠΈ, ΡΡΠΎ ΠΈ ΡΠΈΡΡΠ΅ΠΌΠ°-ΠΆΠ΅ΡΡΠ²Π° (Π²Π½ΡΡΡΠ΅Π½Π½ΡΡ ΡΠ΅ΡΡ, ΠΊΠ°ΡΠ΅, Π°ΡΡΠΎΠΏΠΎΡΡ).
ΠΠ»ΠΎΡΠΌΡΡΠ»Π΅Π½Π½ΠΈΠΊ ΠΌΠΎΠΆΠ΅Ρ Π²ΡΠΏΠΎΠ»Π½ΠΈΡΡ Π°ΡΠ°ΠΊΡ MiTM ΡΠ΅ΡΠ΅Π· ΠΠ½ΡΠ΅ΡΠ½Π΅Ρ, Π΅ΡΠ»ΠΈ ΠΎΠ½ ΡΠΌΠΎΠΆΠ΅Ρ Π·Π°ΡΠ΅Π³ΠΈΡΡΡΠΈΡΠΎΠ²Π°ΡΡ Π½ΠΎΠ²ΡΠΉ gTLD, ΠΊΠΎΡΠΎΡΡΠΉ ΠΊΠΎΠ½ΡΠ»ΠΈΠΊΡΡΠ΅Ρ Ρ Π²Π½ΡΡΡΠ΅Π½Π½Π΅ΠΉ ΡΡ Π΅ΠΌΠΎΠΉ ΠΈΠΌΠ΅Π½, ΠΈ ΡΠ°Π·Π²Π΅ΡΠ½ΡΡΡ ΠΏΠΎΠ΄Π΄Π΅Π»ΡΠ½ΡΠΉ ΠΏΡΠΎΠΊΡΠΈ-ΡΠ΅ΡΠ²Π΅Ρ WPAD.
Description
ΠΡΡΡ ΡΠ°Π·Π½ΡΠ΅ Π²Π°ΡΠΈΠ°Π½ΡΡ Π°ΡΠ°ΠΊΠΈ, ΠΎΠ΄Π½Π°ΠΊΠΎ ΠΎΡΠ½ΠΎΠ²Π½Π°Ρ ΠΈΠ΄Π΅Ρ ΡΡ ΠΎΠΆΠ°. ΠΡΠ°ΠΊΡΡΡΠΈΠΉ ΠΎΡΠ²Π΅ΡΠ°Π΅Ρ Π½Π° Π·Π°ΠΏΡΠΎΡΡ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ by spoofing name resolution responses. [TODO]
Example
Tools: Gladius: https://www.praetorian.com/blog/gladius-automatic-responder-cracking HobORules: https://www.praetorian.com/blog/hob064-statistics-based-password-cracking-rules-hashcat-d3adhob0 Responder: https://github.com/SpiderLabs/Responder
Π‘ΡΠ°ΡΡΡΠ΅ΠΌ Gladius (ΡΡΠΎΠ±Ρ ΠΎΠ½ ΠΏΠΎΠ΄Ρ Π²Π°ΡΡΠ²Π°Π» Ρ Π΅ΡΠΈ)
ΠΠ°Π»Π΅Π΅ Π·Π°ΠΏΡΡΠΊΠ°Π΅ΠΌ Responder.
ΠΠ°Π»Π΅Π΅ Π·Π°Ρ ΠΎΠ΄ΠΈΠΌ ΡΠΆΠ΅ Ρ ΠΏΠΎΠ»ΡΡΠ΅Π½Π½ΡΠΌΠΈ ΠΊΡΠ΅Π΄Π°ΠΌΠΈ ΠΏΠΎ SMB, ΠΈΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌ ΠΊΠΎΠ΄, Π΄Π°ΠΌΠΏΠΈΠΌ ntds:
Apart from getting the NTLM hash to crack, this could be useful for NTLM relay attacks, since the HTTP doesn't required sign in NTLM and therefore it can be used with any other protocol in NTLM cross-protocol relay attack.
Moreover, to serve the PAC file to the victim will allow you to execute some javascript code as the victim, which could be used to exfiltrate the visited URLs.
ΠΠ°ΡΠΈΡΠ°
Create a WPAD entry which points to the corporate proxy server or disable proxy auto-detection in Internet Explorer.
Disable NBNS and LLMNR (test in a lab before deploying to all systems).
Set valid DNS entries for all internal and external resources.
Monitor the network for broadcast poisoning attacks.
Restrict outbound 53/tcp and 445/tcp for all internal systems.
Last updated
