
Interception of WEB traffic through the WPAD protocol using Intercepter-NG
WPAD - Web Proxy Auto-Discovery. A protocol for automatically obtaining proxy settings on a local network; it is supported by almost all web browsers and a number of other applications.
In brief, it works as follows: if a client obtains its IP address via DHCP, it also asks the DHCP server for the URL of the proxy settings. If DHCP is not configured to issue a WPAD configuration, or the network does not use DHCP at all, the client tries to resolve a name of the form wpad.localdomain via DNS. If no such name exists, a final attempt is made to find the name 'WPAD' through NetBIOS. If the name is still not found, the client connects directly; but if any host on the network claims to have the name 'WPAD', the client connects to port 80 on the IP of the responding host and tries to download the wpad.dat file, which is expected to contain the proxy settings.
From the very beginning of its existence, WPAD has been a security hole, because it makes it very easy to intercept a client's data stream by posing as a legitimate proxy server. Although this vulnerability has existed for a long time and is easy to exploit, the attack has not gained much popularity, for a few reasons.
Firstly, it only allows interception of the client's web traffic, and for many it is easier to launch ARP poisoning and intercept much more. Secondly, although no complicated manipulation is required, a number of services still have to be started and configured:
1. It is necessary to register the name 'WPAD' on the network.
2. You need to start the web server and create the wpad.dat file.
3. You need to start the proxy server.
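The resolution chain above ends with a NetBIOS name query for 'WPAD' on UDP port 137, and an attacker only needs to be the first host to answer it. From the defender's side, the cheapest detection is to watch that traffic for positive name responses claiming 'WPAD' from a host that is not the sanctioned WPAD server. The following Python script is an added example written for this article, not part of Intercepter-NG or the original text: it implements the NetBIOS name first-level encoding from RFC 1002, parses NBNS query/response packets, and raises an alert when an answer for 'WPAD' comes from an address outside an allow-list. The packet builders exist only to construct the sample events embedded at the bottom; all IP addresses and transaction IDs in them are made up.

```python
import struct

NBNS_TYPE_NB = 0x0020   # NetBIOS general name service resource record
NBNS_CLASS_IN = 0x0001
NBNS_PORT = 137         # UDP port the NetBIOS name service listens on


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1002 4.1): pad the name to 15
    characters, append the suffix byte, then map every nibble to 'A'..'P'.
    Returns the wire label: length byte, 32 encoded chars, null terminator."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(out) + b"\x00"


def decode_nbns_name(buf: bytes, off: int):
    """Decode an encoded name at offset `off`; return (name, suffix, next_offset)."""
    if buf[off] != 32:
        raise ValueError("unexpected NBNS label length")
    enc = buf[off + 1: off + 33]
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = enc[i] - 0x41, enc[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("bad first-level encoding")
        raw.append((hi << 4) | lo)
    off += 33
    while buf[off] != 0:          # skip any scope labels
        off += 1 + buf[off]
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1


def parse_nbns(pkt: bytes) -> dict:
    """Parse the NBNS header plus question and answer sections."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, suffix, off = decode_nbns_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append({"name": name, "suffix": suffix, "type": qtype})
    for _ in range(an):
        name, suffix, off = decode_nbns_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        addrs = []
        if rtype == NBNS_TYPE_NB:
            # RDATA is a list of (NB_FLAGS, IPv4) entries, 6 bytes each
            for i in range(0, rdlen, 6):
                addrs.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
        answers.append({"name": name, "suffix": suffix, "type": rtype,
                        "ttl": ttl, "addrs": addrs})
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def detect_rogue_wpad(events, allowed_wpad_hosts):
    """events: iterable of (source_ip, udp_payload) seen on UDP/137.
    Alerts on every positive NB answer for the name WPAD whose sender or
    advertised address is not in the allow-list of sanctioned WPAD servers."""
    allowed, alerts = set(allowed_wpad_hosts), []
    for src_ip, payload in events:
        try:
            msg = parse_nbns(payload)
        except (ValueError, struct.error, IndexError):
            continue                          # malformed: not our concern here
        if not msg["is_response"] or msg["rcode"] != 0:
            continue                          # only positive responses matter
        for rr in msg["answers"]:
            if rr["name"] == "WPAD" and rr["type"] == NBNS_TYPE_NB:
                if (set(rr["addrs"]) | {src_ip}) - allowed:
                    alerts.append(f"rogue WPAD NBNS answer from {src_ip} "
                                  f"advertising {rr['addrs']} (txid {msg['id']:#06x})")
    return alerts


# --- constructed fixtures (not captured traffic) used to exercise the detector ---
def _fixture_query(tid: int, name: str) -> bytes:
    hdr = struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)   # RD + broadcast flags
    return hdr + encode_nbns_name(name) + struct.pack("!HH", NBNS_TYPE_NB, NBNS_CLASS_IN)


def _fixture_positive_response(tid: int, name: str, ip: str) -> bytes:
    hdr = struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0)   # response + AA + RD
    rdata = struct.pack("!H", 0x0000) + bytes(int(x) for x in ip.split("."))
    rr = struct.pack("!HHIH", NBNS_TYPE_NB, NBNS_CLASS_IN, 300000, len(rdata)) + rdata
    return hdr + encode_nbns_name(name) + rr


SAMPLE_EVENTS = [  # (source IP, payload); all addresses are made up
    ("192.168.1.50", _fixture_query(0x1234, "WPAD")),
    ("192.168.1.99", _fixture_positive_response(0x1234, "WPAD", "192.168.1.99")),
    ("192.168.1.10", _fixture_positive_response(0x5678, "FILESRV", "192.168.1.10")),
]

if __name__ == "__main__":
    for line in detect_rogue_wpad(SAMPLE_EVENTS, allowed_wpad_hosts=["192.168.1.2"]):
        print(line)
```

In a real deployment the `events` list would be fed from a packet capture on UDP/137 (or from a NIDS that logs NBNS), and the allow-list holds the address of the one host that legitimately serves wpad.dat, if any. A network that does not use WPAD at all can simply alert on any positive 'WPAD' answer.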
On Unix this is done quickly enough, but on Windows such operations take more time and effort. There is also the problem of renaming the machine: a computer named 'WPAD' in a network environment looks rather suspicious, and if you want to use a tool like nbtool to covertly answer requests for the name 'WPAD', you have to stop the NetBIOS NS Windows service to free UDP port 137, and thereby disconnect yourself from the network.
Nevertheless, there are many potential victims on any network, because by default Internet Explorer (and, accordingly, Chrome) try to obtain proxy settings automatically via WPAD.
In Intercepter-NG, the WPAD attack is fully automated and takes only a few seconds.
Thanks to WinPcap, there is no need to listen on sockets or rename your own NetBIOS name. Selecting specific victims is not required: the configuration is issued to everyone who asks for it.
You can manually specify the proxy server to be issued to clients, or use the built-in SOCKS proxy. In the latter case nothing beyond Intercepter-NG itself is needed to intercept the traffic.
A demonstration is shown in the following video clips.