How hard is it for someone to insert a proxy between you and the rest of the Internet without you knowing? Will running a Mac or Linux protect you?
In this article, and the accompanying screencast, we combine the concepts from Episode 20 with the WPAD-style attack discussed back in Episode 17 into a quick and easy how-to for creating a man in the middle attack that will work against any system that has Automatic Proxy Discovery enabled.
This feature is sometimes thought to be a Windows specific issue, but as we demonstrate here by transparently creating a man in the middle proxy for a Mac, it really does apply everywhere. There are just a few simple pieces that you need to accomplish this attack and there are some quick and easy things that you can do to defend yourself or that you can look for during an audit.
- Web server with a "wpad.dat" file in the web root. (If you're looking for a sample, check here)
- Ability to poison an upstream DNS server for WPAD requests. This ingredient is hard to find; I strongly recommend you use the alternative, the DNS Spoofer.
- DNS Spoofer - By far the easiest way to accomplish this attack. If you're on a shared medium (wireless network) or upstream from the network in a place where you can see DNS queries from either clients or upstream servers, this is a piece of cake.
  - Jack in
  - Configure DNS Spoof to use the address of the proxy as the block_web_addr
  - Configure DNS Spoof to watch for "wpad" in blocked_strings
  - Start it up!
- A proxy to intercept whichever protocols you're interested in.
So what do we do to defend? The answers are really the same as what we came up with in the Windows WPAD entry. For systems that travel, seriously consider adding an entry for WPAD into your hosts file, as shown in the video. This is by far the simplest defense. As an auditor in an environment that uses WPAD internally, I would strongly recommend this entry exists on all laptops.
Of course, if the organization is not using proxy auto-discovery then nothing should be configured to send WPAD requests. How can I see if the organization is compliant with this? While this is more difficult, our DNS Spoofer turns out to be very handy here too. Remember that in addition to spoofing responses, it creates a log entry for every single DNS lookup that it witnesses. Why not configure the spoofer to block absolutely nothing, which essentially turns it into a DNS logger? With this done, you can let it run side by side with the actual DNS server for a few days and then check to verify that there have been no WPAD lookups. If there have been, then you also know which systems are misconfigured!
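The two defensive checks above (pinning WPAD in the hosts file, and auditing a DNS query log for stray WPAD lookups) are easy to automate. The following script is an added example written for this article; it is not the DNS Spoofer's own code and the log line format it parses is a constructed one, loosely modelled on a BIND-style query log (`client <ip>#<port>: query: <name> IN <type>`). Adjust `QUERY_RE` to whatever format your logger actually emits. The hosts-file entry target (127.0.0.1) is likewise an assumption; the point is only that the `wpad` name resolves locally and never leaves the machine.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample query log (not real traffic). Only the first label of the
# queried name matters for WPAD, so "notwpad.example.com" must NOT be flagged.
SAMPLE_DNS_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A +
client 10.0.0.5#51235: query: wpad.corp.example.com IN A +
client 10.0.0.9#40001: query: WPAD.corp.example.com IN A +
client 10.0.0.9#40002: query: wpad IN A +
client 10.0.0.12#33000: query: mail.example.com IN MX +
client 10.0.0.7#41000: query: notwpad.example.com IN A +
"""

# Assumed log format: "client <src-ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def is_wpad_name(name: str) -> bool:
    """True when the leftmost DNS label is 'wpad' (case-insensitive).

    Proxy auto-discovery walks the search domain, so the interesting names look like
    'wpad', 'wpad.corp.example.com', 'wpad.example.com'. Checking only the first
    label avoids false positives such as 'notwpad.example.com'.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels[0] == "wpad"


def find_wpad_lookups(log_text: str) -> dict[str, list[str]]:
    """Return {source_ip: [queried names]} for every WPAD lookup seen in the log.

    Each key is a host that is still configured for proxy auto-discovery; in an
    environment that does not use WPAD, every entry is a misconfigured system.
    """
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_wpad_name(m.group("name")):
            hits[m.group("src")].append(m.group("name"))
    return dict(hits)


# Constructed hosts file for a travelling laptop. The target address is an assumption;
# any local/unroutable address works as long as the WPAD name never hits real DNS.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# pin WPAD so proxy auto-discovery never leaves this machine
127.0.0.1   wpad wpad.corp.example.com
"""


def hosts_file_pins_wpad(hosts_text: str) -> bool:
    """True if any non-comment hosts line maps 'wpad' (or 'wpad.<domain>') locally."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        names = [n.lower() for n in line.split()[1:]]  # first field is the address
        if any(n == "wpad" or n.startswith("wpad.") for n in names):
            return True
    return False


if __name__ == "__main__":
    offenders = find_wpad_lookups(SAMPLE_DNS_LOG)
    for src, names in sorted(offenders.items()):
        print(f"{src} issued WPAD lookups: {', '.join(names)}")
    print("hosts file pins wpad:", hosts_file_pins_wpad(SAMPLE_HOSTS))
```

Run the log check over a few days of the spoofer's (or resolver's) query log; an empty result means no system is asking for WPAD, and any source address that does appear is the laptop or workstation that still has auto-discovery turned on.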
The source code for the DNS Spoofer can be obtained here. It requires that you register for a free SANS portal account.
David Hoelzer teaches several full week courses ranging from basic security through to advanced exploitation and penetration testing. For a thorough treatment of this specific issue and a discussion of controls to mitigate this and similar issues, consider attending the full week course on Advanced System & Network Auditing. More information can be found here: AUD 507 course. AUD 507 gives both auditors and security professionals powerful tools to automate and manage security over time.