
Intercepting web traffic via the WPAD protocol using Intercepter-NG

WPAD (Web Proxy Auto-Discovery) is a protocol for automatically obtaining proxy settings on a local network; it is supported by almost all web browsers and by a number of other applications.

In brief, it works as follows. If the client obtains its IP address via DHCP, it also asks the DHCP server for the URL of a proxy configuration file. If DHCP is not configured to hand out a WPAD configuration, or the network does not use DHCP at all, the client tries to resolve a name such as wpad.localdomain via DNS. If that name is not found, a final attempt is made to look up the name 'WPAD' via NetBIOS. If that also fails, the client connects directly; but if some host on the network claims the name 'WPAD', the client connects to port 80 on the IP address of the responding host and tries to download the file wpad.dat, which is expected to contain the proxy settings.
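The fallback chain just described, modelled as an added example (not code from the article or from Intercepter-NG). The network state is a constructed stand-in for real DHCP, DNS and NetBIOS answers, and the allow-list of hosts permitted to serve wpad.dat is an assumption, so the script runs offline and shows which stage a client ends up at and why a defender would care:

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class NetworkState:
    """Constructed stand-in for what the client would actually observe on the wire."""
    domain: str                                  # client's DNS suffix, e.g. "localdomain"
    dhcp_wpad_url: Optional[str] = None          # proxy-config URL from DHCP, if the server hands one out
    dns: dict[str, str] = field(default_factory=dict)      # DNS answers: name -> IP
    netbios: dict[str, str] = field(default_factory=dict)  # NetBIOS answers: name -> IP of whoever replied


@dataclass
class Discovery:
    stage: str               # "dhcp", "dns", "netbios" or "direct"
    pac_url: Optional[str]   # URL of the wpad.dat the client would fetch, None if nothing was found


def discover_wpad(state: NetworkState) -> Discovery:
    """Walk the WPAD fallback chain in the order the article describes."""
    # 1. DHCP: the client asks the DHCP server for a proxy-configuration URL.
    if state.dhcp_wpad_url:
        return Discovery("dhcp", state.dhcp_wpad_url)
    # 2. DNS: resolve wpad.<domain>.
    ip = state.dns.get(f"wpad.{state.domain}")
    if ip:
        return Discovery("dns", f"http://{ip}/wpad.dat")
    # 3. NetBIOS: last attempt, a broadcast for the name 'WPAD'; any host on the segment may answer.
    ip = state.netbios.get("WPAD")
    if ip:
        return Discovery("netbios", f"http://{ip}/wpad.dat")
    # 4. Nothing found: the client connects directly.
    return Discovery("direct", None)


def audit(state: NetworkState, authorized_hosts: set[str]) -> list[str]:
    """Findings a defender would want from the discovery result.

    `authorized_hosts` is an assumed allow-list of hosts permitted to serve wpad.dat.
    """
    result = discover_wpad(state)
    findings: list[str] = []
    if result.pac_url:
        host = urlparse(result.pac_url).hostname
        if result.stage == "netbios":
            findings.append(f"wpad.dat would be fetched from {host} on the strength of an unauthenticated NetBIOS answer")
        if host not in authorized_hosts:
            findings.append(f"wpad.dat source {host} is not an authorized proxy-config host")
    else:
        findings.append("no WPAD source via DHCP or DNS: a NetBIOS answer for 'WPAD' from any host would be accepted")
    return findings


if __name__ == "__main__":
    # Constructed scenario: no DHCP option, no DNS record, one host answering the NetBIOS broadcast.
    state = NetworkState(domain="localdomain", netbios={"WPAD": "10.0.0.66"})
    print(discover_wpad(state))
    for line in audit(state, {"10.0.0.5"}):
        print("finding:", line)
```

The ordering matters for defence: a DHCP- or DNS-supplied answer is consumed before the NetBIOS broadcast is ever sent, so a network that provides neither leaves every client one broadcast away from trusting whichever host replies first.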


WPAD has been a security weakness since its inception, because it makes it very easy to intercept a client's data stream by posing as a legitimate proxy server. Although this weakness has existed for a long time and is easy to exploit, the attack never became very popular. There are a few reasons for this.
First, it only allows intercepting the client's web traffic, and for many it is easier to launch ARP poisoning and intercept much more. Second, although carrying it out does not require any complicated manipulation, it still requires starting and configuring a number of services:

1. You must register the name 'WPAD' on the network.
2. You need to start the web server and create the wpad.dat file.
3. You need to run a proxy server.

While on Unix this is done fairly quickly, on Windows such operations take more time and effort. There is also the problem of renaming the machine: a computer named 'WPAD' in the network neighbourhood looks rather suspicious, and if you want to use a tool like nbtool to answer requests for the name 'WPAD' covertly, you have to stop the Windows NetBIOS name service to free UDP port 137, which accordingly disconnects you from the network.

However, on any network there are a large number of potential victims, because by default Internet Explorer (and therefore Chrome) tries to obtain proxy settings automatically via WPAD.

In Intercepter-NG the WPAD attack is fully automated and takes a few seconds.
Because WinPcap is used, there is no need to listen on sockets or to rename your NetBIOS name. No specific victims need to be selected: the configuration is handed out to everyone who requests it.
Optionally, you can manually specify a proxy server to be issued to clients, or use the built-in SOCKS proxy. In the latter case nothing but Intercepter-NG itself is needed to intercept traffic.
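Whichever proxy is handed out, it ends up as a directive inside the wpad.dat the client downloads. The following added example (not the article's or Intercepter-NG's code) is a small inspector for such a file: it pulls the PROXY/SOCKS endpoints out of the return strings of a constructed wpad.dat and compares them with an assumed allow-list of corporate proxies, which is what a defender would check after capturing the configuration a client actually received:

```python
import re

# Constructed wpad.dat: a PAC file is JavaScript whose FindProxyForURL returns proxy directives.
SAMPLE_WPAD_DAT = """\
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || shExpMatch(host, "*.corp.example"))
        return "DIRECT";
    if (url.substring(0, 6) == "https:")
        return "PROXY 10.0.0.5:3128; DIRECT";
    return 'SOCKS 10.0.0.66:1080';
}
"""

# String literal following a `return` (single- or double-quoted).
RETURN_STRING = re.compile(r"""return\s+(["'])(.*?)\1""")
# One PAC directive: scheme, host, port. DIRECT carries no endpoint and is skipped.
DIRECTIVE = re.compile(r"(PROXY|SOCKS4|SOCKS5|SOCKS|HTTPS|HTTP)\s+([^\s:;]+):(\d+)$")


def proxy_endpoints(pac_text: str) -> list[tuple[str, str, int]]:
    """Return (scheme, host, port) for every proxy endpoint named in the PAC's return strings."""
    endpoints = []
    for m in RETURN_STRING.finditer(pac_text):
        # A return string may list several fallbacks separated by ';'.
        for directive in m.group(2).split(";"):
            d = DIRECTIVE.match(directive.strip())
            if d:
                endpoints.append((d.group(1), d.group(2), int(d.group(3))))
    return endpoints


def unauthorized_endpoints(pac_text: str, authorized_hosts: set[str]) -> list[tuple[str, str, int]]:
    """Endpoints that point somewhere other than the assumed allow-list of corporate proxies."""
    return [e for e in proxy_endpoints(pac_text) if e[1] not in authorized_hosts]


if __name__ == "__main__":
    for scheme, host, port in proxy_endpoints(SAMPLE_WPAD_DAT):
        print(f"{scheme} {host}:{port}")
    # Assumed allow-list: only 10.0.0.5 is a sanctioned proxy in this constructed scenario.
    for scheme, host, port in unauthorized_endpoints(SAMPLE_WPAD_DAT, {"10.0.0.5"}):
        print(f"unexpected proxy: {scheme} {host}:{port}")
```

Because a PAC file is executable JavaScript, this regex pass only sees string literals; a file that assembles its return value at run time has to be evaluated in a PAC-capable engine to learn where it really sends traffic.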

A demonstration is presented in the following video clips.


Source: https://habr.com/ru/post/141479/

