
A Basic Look into WPAD

WPAD stands for Web Proxy Auto-Discovery protocol. Although it is an old protocol now, it is still supported by most browsers. Most companies don’t rely on WPAD because of its inherent vulnerability to man-in-the-middle attacks.

How WPAD Works

WPAD tells a Web browser what internet proxy to use when a user on a network requests a Web page. Specifically, WPAD shows the browser where to go to access a WPAD.dat configuration file that then provides the network details to the Web browser.

The WPAD protocol lets a domain admin point to a WPAD.dat config file using either DHCP or DNS. Admins might find this convenient since they can manage proxy settings for a company from a single point. Most admins do not use this method due to the non-secure nature of WPAD.

When a Web browser is asked to get a Web page, it first attempts to connect to a DHCP server and, if that fails, falls back to a DNS query. Firefox is an exception, since it only uses the DNS query. If even the DNS query fails, the browser tries to use WINS (NetBIOS).

For DHCP, any type of URL is usable. Conversely, a standard DNS query tries several options, traversing the URL's domain name to look for the wpad.dat file. So, for example, if your browser is trying to reach

http://mysite.com

Then the DNS attempt would be:

http://wpad.mysite.com/wpad.dat

If you have a URL that has several levels to it then the resolution failover takes several steps, which can result in a failed URL. So for example:

http://mysite.org.uk/

This URL would be a possible problem since the DNS attempts would be:

http://wpad.mysite.org.uk/wpad.dat
http://wpad.org.uk/wpad.dat

As you can see, the second attempt has nothing to do with our mysite.org.uk domain, and is a possible source of problems. In fact, the domain http://wpad.org.uk was set to serve a wpad.dat file that would send the user’s traffic to an auction site.
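The lookup sequence above can be turned into a check of which WPAD names fall outside zones you control. This is an added example, not code from the original post; the function names and the list of owned domains are assumptions, and the rule of stopping at two labels is inferred from the two examples shown above.

```javascript
// Added example: function names and sample data are assumptions, not from the post.

// Build the wpad.dat URLs tried for a DNS domain, following the pattern in the
// post: prefix "wpad.", then drop the leftmost label until two labels remain.
function wpadCandidates(domain) {
  const labels = domain.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
  const urls = [];
  for (let i = 0; labels.length - i >= 2; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}

// True when host equals an owned domain or is a subdomain of one.
function isOwned(host, ownedDomains) {
  return ownedDomains.some((d) => {
    d = d.toLowerCase();
    return host === d || host.endsWith("." + d);
  });
}

// Label each candidate by whether the organization controls the name queried.
function auditWpad(domain, ownedDomains) {
  return wpadCandidates(domain).map((url) => {
    const host = new URL(url).hostname;
    return { url, host, external: !isOwned(host, ownedDomains) };
  });
}

// Constructed sample input: client DNS domains and the zones the org controls.
const sampleDomains = ["mysite.com", "mysite.org.uk", "sales.mysite.org.uk"];
const sampleOwned = ["mysite.com", "mysite.org.uk"];

for (const d of sampleDomains) {
  for (const r of auditWpad(d, sampleOwned)) {
    console.log(`${d}: ${r.url} ${r.external ? "OUTSIDE your control" : "ok"}`);
  }
}
```

Any candidate reported as outside your control is a name that someone else can register or answer for, so it is worth resolving explicitly in your own DNS or blocking at the resolver.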

Anatomy of WPAD

The MIME type of a wpad.dat file is: application/x-ns-proxy-autoconfig

The request sent by a browser on discovery is:

GET /wpad.dat HTTP/1.0

Inside the wpad.dat PAC (Proxy Auto-Config) file is a JavaScript function called FindProxyForURL (the name is case-sensitive) that tells the browser what server to use as a proxy for all subsequent Web requests. Multiple choices in the return string are separated by semicolons and tried in order.

function FindProxyForURL(url, host) {
    return "PROXY proxy.mySite.com:80; DIRECT";
}

Disabling WPAD Auto-Discovery in Internet Explorer

For client browsers, make sure that IE is not set to automatically detect LAN settings:

  1. Click Tools –> Internet Options
  2. Click the ‘Connections’ tab
  3. Click the LAN Settings button
  4. Uncheck the checkbox ‘Automatically detect settings’

Helpful Links to WPAD Resources

Here is a Wikipedia entry explaining the PAC file format in detail:

http://en.wikipedia.org/wiki/Proxy_auto-config

Here are the steps for checking for WPAD on your DHCP Server:

http://technet.microsoft.com/en-us/library/bb794881.aspx

Microsoft instructions to troubleshoot WPAD problems:
http://technet.microsoft.com/en-us/library/cc302643.aspx

WPAD can be used by attackers on a network to compromise the network using man-in-the-middle attacks. Have a look at this article for a detailed look into WPAD man-in-the-middle attack forensics:
http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle
