During a resent investigation I was taken down an interesting path, regarding a possible WPAD configuration attack.
WPAD for those that don't know is the mechanism for with browsers can auto-detect proxies. There is a number of ways for this to work, and I'll let you google the wikipedia article yourself if you want to know more information. It's ok - I'll wait till you get back...
For those of you that are moving on, here is the scenario;
In the office, the victim is using sample.local for the domain, and using their Internet router to provide DHCP. On the router, the domain is called sample.com. Thus, when AD clients get a IP address and connect to the domain, two search suffixes are created: sample.local and sample.com.
Here is where it gets interesting. One of the ways WPAD works is by using DNS - if you read the wikipedia article like I told you, you would know this. Anyway - WPAD will remove the first part of the computer domain name, replace it with wpad and attempt to connect and download a configuration file. So for example, the computer.sample.local will drop computer, and add wpad - resulting in wpad.example.local.
IE, in my tests in our above example appears to only query for wpad.sample.local, since there is no response, it figured that there is no proxy and continues on it's marry way. Firefox on the other hand, didn't use the AD domain, but strictly used the DHCP domain search. Thus resulting in wpad.example.com being used to gather proxy configuration values!
Why is this bad you might ask? Well, lets say in our example, example.com isn't hosted on the local network, but out on the Internet where the website is located. Now, lets toss in that the server hosting that website is a shared server running cpanel, and it's compromised. Now all of a sudden an attacker is able to modify the example.com DNS, and add the necessary proxy configuration files to the server. Next thing you know, the attacker is able to redirect all traffic via a proxy they control, thus able to see all the traffic.
Yes, I realise the network would have to allow the attempted proxy traffic out. But really, how many networks have a default deny? Not enough. Yes, a lot of places use AD for it's DHCP services which defaults to the AD domain for search domains. Yes, one would hope administrators would set the domain to the internal domain example.local on the DHCP server.
Something I haven't tested is if multiple search domains is added at the DHCP level.
Note - For the record - using WPAD as a way to force a proxy config as an attack isn't (too) new, Never saw it in the wild personally, but the concept is out there. Just that which domain gets used is new (to me). Other thoughts I've read about:
- WPAD will go up a directory structure - so if you have say computer.office.canada.example.local it will try wpad.office... then wpad.canada... then wpad.example. - Domains (and resolvers) that use a wild card or doesn't pass NXDOMAIN will break things - think about *.example.com and how that will work.
