There was quite a buzz at BlackHat US 2007 around H.D. Moore and Valsmith's attack against the Internet Explorer proxy autoconfiguration (WPAD) feature.
To sum up: if anything on the network answers to the name "WPAD", Internet Explorer (with "Automatically detect settings" enabled, which is the default) will treat it as the enterprise Web proxy and fetch its proxy script from http://wpad/wpad.dat.
The original attack is based on the "Dynamic DNS Update" feature of Windows DNS servers. DNS updates can be:
- DNS-based and unauthenticated. Game over: anyone can register a "WPAD" record.
- DNS-based and authenticated (secure updates). Nice try, but since any domain user can create up to 10 computer accounts in Active Directory by default (ms-DS-MachineAccountQuota), it is quite easy to name a computer "WPAD", join it to the domain and register the record with perfectly valid credentials.
- DHCP-based. Game over, too: the DHCP server registers whatever host name the client puts in its DHCP request, and the DNS server trusts the DHCP server.
Fortunately for the attacker, everybody who has sniffed a Windows network for more than 5 minutes knows that most Windows clients "in the wild" still have NetBIOS over TCP/IP enabled (the default): when DNS fails to resolve a single-label name such as "WPAD", they fall back to an NBNS (NetBIOS Name Service) broadcast, which any host on the segment can answer.
So how could you take advantage of a broadcast NBNS request for "WPAD" (or any other name) to redirect the target's traffic?
One solution would be to use the FakeNetBIOS tools, but they rely on raw sockets, which are broken on Windows XP SP2. Another would be to use Scapy as an NBNS responder, but its Windows port is not mature yet :)
As usual, the best solution is to rely on Windows' built-in mechanisms to solve the puzzle.
Under HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters, there is (or you can create) a value of type REG_MULTI_SZ called OptionalNames.
Every name listed there is registered by the Server service as an additional NetBIOS name of the local computer, so the machine will answer NBNS queries for it. Add "WPAD" to the list, then restart the Server service:
net stop lanmanserver
net start lanmanserver
Job done! The next client whose DNS lookup for "WPAD" fails will broadcast an NBNS query, get your answer, and point Internet Explorer at you for its proxy script (you still need something listening on port 80 to serve wpad.dat).
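To see what actually goes over the wire, and to check who is claiming "WPAD" on a segment (either to confirm the OptionalNames trick took effect, or, from the defender's side, to spot a rogue claimant), here is an added example in Python; it is not code from the original post. It builds the NBNS name query a Windows client broadcasts when it falls back from DNS, parses it, builds the positive name query response that the claiming host sends back, and broadcasts a real query with who_claims(). Packet layout and flag values follow RFC 1002; the sample packets and the IP 192.0.2.10 are constructed for the example, and the assumption that hostname resolution over NetBT asks for the <00> (workstation) name is the default used for queries.

```python
"""NBNS (NetBIOS Name Service, UDP/137) name query and positive response.

Added example, not code from the original post. Packet constants follow RFC 1002.
"""
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020        # NetBIOS general name service resource record
QCLASS_IN = 0x0001
FLAGS_QUERY = 0x0110     # opcode QUERY, RD=1, B=1 (broadcast request)
FLAGS_POSITIVE = 0x8500  # response, AA=1, RD=1, RCODE=0


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 15 chars + 1 suffix byte, each byte
    split into two nibbles mapped onto 'A'..'P'; wrapped as a 34-byte DNS-style label."""
    if name == "*":                                   # wildcard name is NUL padded
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 34 or encoded[0] != 0x20 or encoded[33] != 0x00:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = encoded[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").rstrip(b"\x00").decode("ascii"), raw[15]


def build_name_query(name, txid=0x1234, suffix=0x00):
    """The broadcast a Windows client sends when DNS fails for a single-label name;
    hostname resolution over NetBT asks for the <00> name (assumed default here)."""
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_name_query(pkt):
    """Return (txid, name, suffix) for an NBNS name query request, else None."""
    if len(pkt) < 12 + 34 + 4:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        return None                                   # response, or not a QUERY
    if struct.unpack("!H", pkt[46:48])[0] != QTYPE_NB:
        return None
    name, suffix = decode_netbios_name(pkt[12:46])
    return txid, name, suffix


def build_positive_response(txid, name, suffix, ip, ttl=300):
    """Positive Name Query Response (RFC 1002 4.2.13) claiming that `ip` owns the
    name: what the host with WPAD in OptionalNames effectively answers."""
    header = struct.pack("!HHHHHH", txid, FLAGS_POSITIVE, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)   # NB_FLAGS: unique, B-node
    rr = encode_netbios_name(name, suffix) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def parse_positive_response(pkt):
    """Return (txid, name, suffix, ip) from a positive name query response, else None."""
    if len(pkt) < 12 + 34 + 10 + 6:
        return None
    txid, flags, _, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or flags & 0xF != 0 or ancount < 1:
        return None                                   # not a response, or RCODE != 0
    name, suffix = decode_netbios_name(pkt[12:46])
    rrtype, _, _, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rrtype != QTYPE_NB or rdlen < 6:
        return None
    return txid, name, suffix, socket.inet_ntoa(pkt[58:62])   # skip 2-byte NB_FLAGS


def who_claims(name, timeout=2.0, broadcast="255.255.255.255"):
    """Broadcast a query for `name` and collect (claimed_ip, responder_ip) pairs.
    More than one pair, or a pair where the two addresses differ, deserves a look."""
    query = build_name_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(query, (broadcast, NBNS_PORT))
        while True:
            data, (src, _) = sock.recvfrom(1024)
            parsed = parse_positive_response(data)
            if parsed and parsed[0] == txid:
                found.append((parsed[3], src))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "WPAD"
    for claimed_ip, src in who_claims(target) or []:
        print(f"{target} is claimed as {claimed_ip} by {src}")
```

Run it with no argument on a segment where you applied the OptionalNames trick and your own address should come back; on a clean segment nothing should answer at all, since "WPAD" is not a name any legitimate workstation registers. On the claiming machine itself, nbtstat -n lists the names it has registered, which is the quickest local sanity check after the Server service restart.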