WPAD Persistence
Mostly just writing this so I can keep notes.
Today I came up with the idea to forcibly put the WPAD entry into a Windows Domain’s DNS. For those who don’t know what this would do there is an entire Wikipedia article on the subject: https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
I did this via PowerShell pretty easily on one of the domain controllers like so:
Where 107.170.50.74 is the Digital Ocean box I stood up external to my test domain. I installed a basic web server and went to test my brilliant idea, but I wasn’t getting any requests for wpad.dat.
As they say, “there are no more original ideas”: it looks like the awesome people at Microsoft not only had this idea but fixed it way back in 2008.
But... they also made a way to disable it - Removing WPAD from DNS block list
The DNS record update replicates throughout the domain, so you only have to set that once; the block list, however, is per domain controller (or per DNS server if they are separated, which is rare these days as DNS is a required service in later Windows Server versions).
I went in search of a registry key to make the modification because it’s much easier to hit the RemoteRegistry service on all the DCs than it is to run that command. I quickly found this blog post - EnableGlobalQueryBlockList registry key.
After a quick batch script to loop through each domain controller in the domain, I started getting a bunch of requests.
Now, you may be asking, “How is setting their proxy server any kind of real persistence?” I implore you to go check out projects like mitmproxy, mitmf and BDFProxy.
Pentesters have been recommending for years to put a WPAD entry into DNS to protect against LAN-based attackers with Responder. Who knew it actually didn’t do anything, because Microsoft was blocking those lookups anyway. So, if you have better solutions for WPAD on an Enterprise domain, please leave a comment below. (Turning off automatic proxy detection is a per-user, per-system setting and doesn’t disable it for the SYSTEM or other local accounts, so it’s harder than just “flip this registry setting via GPO”.)
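The two things a defender would want to check after reading the above are (a) whether the Global Query Block List on every DC is still enabled and still contains wpad, and (b) whether a wpad record has appeared in the zone at all. The following PowerShell audit is an added example, not code from the original post. It assumes it runs from a domain-joined admin host with the RSAT ActiveDirectory and DnsServer modules, that every DC also runs the DNS role, and that the AD-integrated zone is named after the domain; the registry path is the one behind the EnableGlobalQueryBlockList key the post mentions.

```powershell
# Added audit example (not from the original post). Assumptions: RSAT
# ActiveDirectory + DnsServer modules available, every DC runs DNS, and the
# AD-integrated forward zone has the same name as the domain (DNSRoot).
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$zone   = $domain.DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Per-DC check: the block list is a per-server setting, so every DNS server
#    must be inspected. It should be enabled and the list should contain 'wpad'.
$report = foreach ($dc in $dcs) {
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $dc

    # 2. Same setting seen through the registry; this is the value the post
    #    describes flipping over RemoteRegistry. 0 = block list disabled.
    $reg = Invoke-Command -ComputerName $dc -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                         -Name EnableGlobalQueryBlockList -ErrorAction SilentlyContinue
    }
    $regValue = if ($null -eq $reg) { '(not present)' } else { $reg.EnableGlobalQueryBlockList }

    [pscustomobject]@{
        DC               = $dc
        BlockListEnabled = $gqbl.Enable
        BlockList        = ($gqbl.List -join ',')
        WpadBlocked      = ($gqbl.Enable -and ($gqbl.List -contains 'wpad'))
        RegistryValue    = $regValue
    }
}
$report | Format-Table -AutoSize

# 3. Zone check: a wpad record that nobody filed a change for is the indicator
#    worth alerting on. Any record type is reported, not only A records.
$wpad = Get-DnsServerResourceRecord -ComputerName $dcs[0] -ZoneName $zone -Name 'wpad' `
                                    -ErrorAction SilentlyContinue
if ($wpad) {
    foreach ($rr in $wpad) {
        $target = switch ($rr.RecordType) {
            'A'     { $rr.RecordData.IPv4Address.IPAddressToString }
            'CNAME' { $rr.RecordData.HostNameAlias }
            default { ($rr.RecordData | Out-String).Trim() }
        }
        Write-Warning "wpad.$zone exists: $($rr.RecordType) -> $target (verify this is sanctioned)"
    }
} else {
    Write-Output "No wpad record in zone $zone"
}
```

Any DC reporting WpadBlocked = False is the one to fix and investigate; the DnsServer module's `Set-DnsServerGlobalQueryBlockList -Enable $true -List wpad,isatap -ComputerName <dc>` restores the default list on that server. A wpad record that does exist should be traced to a change record and to the host it points at before anything is deleted, since the same record is also what a legitimate enterprise proxy deployment looks like.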
Oh and I’ll just leave this here: Proxy servers and WinRM