Disable WPAD

Overview:

What is WPAD?

  • Web Proxy Auto-Discovery (WPAD) is a mechanism that lets web browsers and other HTTP clients find the network's proxy configuration on their own, so proxy settings do not have to be entered by hand on every device. It uses DHCP (Option 252) and DNS to locate a Proxy Auto-Configuration (PAC) script, conventionally named wpad.dat, that tells the client which proxy to use for each URL.

  • Risks of WPAD being left enabled:

    • WPAD is convenient for administrators but is a significant security risk if it is left enabled without being secured. Discovery is unauthenticated, so an attacker on the same network can answer a client's WPAD lookup with their own address and serve a malicious wpad.dat that routes the client's web traffic through an attacker-controlled proxy. From there the attacker can read or modify traffic, challenge for proxy authentication and capture the credentials (Windows clients will answer with NTLM), or deliver malware.

      A Windows client locates the script through DHCP, DNS, LLMNR, or NBNS, in that order. When a browser is set to automatically detect settings (the default on Windows), it first asks DHCP for Option 252 and then looks up the host name wpad with its DNS suffixes appended (for example wpad.corp.example.com). If DNS returns no record, Windows falls back to LLMNR and NetBIOS broadcasts for the name WPAD, which any host on the segment can answer; tools such as Responder automate exactly this. Whatever answers, the client downloads http://wpad/wpad.dat from it and follows the proxy directions in the file. If that file is malicious, every web request from the client is in the attacker's hands.

Potential implementation impacts to watch out for:

    • Proxy Auto-Configuration: If your network relies on WPAD for proxy auto-configuration, disabling it will break this functionality. Devices will no longer automatically discover proxy settings.
    • Manual Configuration Required: Organizations will instead have to distribute an explicit PAC URL (or manual proxy settings) to clients, or use DHCP Option 252 for clients that keep auto-detect enabled, so that devices still find the correct proxy.

Technical Deployment:

Remediation for WPAD

  1. Create a WPAD DNS A Record:
    Create an A record named wpad in your internal DNS zone. If you do not have a proxy server, point it at 127.0.0.1; if you do, point it at the proxy that serves the real wpad.dat. The point is that DNS now gives an authoritative answer, so the client stops there instead of falling back to LLMNR/NBNS broadcasts that an attacker can answer. Check: on a Windows DNS server the names wpad and isatap are on the Global Query Block List by default, which suppresses the record even after you create it, so remove wpad from that list (Get-DnsServerGlobalQueryBlockList / Set-DnsServerGlobalQueryBlockList) or the record will never be returned.
  2. Update Hosts Files:
    Add a WPAD entry to the hosts file on every endpoint, mapping both the short name wpad and the fully qualified name (for example wpad.corp.example.com) to 127.0.0.1 or to the local proxy. The resolver consults the hosts file before DNS, so this protects laptops that are off the corporate network and stops them from sending wpad lookups to whatever DNS server or LLMNR responder happens to be on a hotel or coffee-shop network. Deploy the entry with your configuration-management or Group Policy tooling, and expect endpoint security products to flag hosts-file edits, so allow-list the change.
  3. Disable WPAD Auto-Discovery in Browsers:
    To turn off auto-detection for Internet Explorer and for the many Windows applications that use WinINET or WinHTTP (Edge and Chrome take the system proxy settings), set two registry values: the per-user DWORD WpadOverride = 1 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad, and the machine-wide DWORD DisableWpad = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp, which also covers services and scheduled tasks that never see the user's settings. Push both with Group Policy rather than editing machines by hand. Browsers with their own proxy stack need their own setting; Firefox, for example, uses network.proxy.type (2 = explicit PAC URL, 4 = WPAD auto-detect, 5 = system settings). This stops clients from ever asking for a WPAD server and removes the attack surface at its root.
  4. Configure DHCP Option 252:
    If you still need proxies to be configured automatically, use DHCP Option 252, which hands clients the URL of the wpad.dat file directly (for example http://proxy.corp.example.com/wpad.dat). A client that gets a DHCP answer uses it and never goes on to the DNS and broadcast lookups. Two caveats: Option 252 is itself the DHCP phase of WPAD, so it only works on clients whose auto-detect setting is still on, and it is only as trustworthy as your DHCP, so pair it with DHCP snooping or another rogue-DHCP control. For clients where you disabled auto-detect in step 3, hand them the PAC URL explicitly instead ("Use automatic configuration script", the AutoConfigURL value under Internet Settings).
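The four steps above as one script, added here as an example rather than taken from the original page: a PowerShell script for an elevated prompt that takes wpad off the Windows DNS Global Query Block List, creates the A record, writes the hosts entries, sets the two registry values and, optionally, publishes DHCP Option 252. The zone corp.example.com, the target 127.0.0.1, the PAC URL and the scope 10.0.0.0 are placeholders (assumptions); the DNS and DHCP steps run only where the DnsServer and DhcpServer modules are present, so the same script can be run on clients and on servers.

```powershell
# Added example (not from the original page): applies remediation steps 1-4 on Windows.
# Run in an elevated PowerShell. Steps 1 and 4 need the DnsServer / DhcpServer modules
# and are skipped on hosts that do not have them. Zone, target, PAC URL and scope are
# placeholders (assumptions); replace them with your own values.
#Requires -RunAsAdministrator
param(
    [string]$DnsZone    = 'corp.example.com',                       # assumed AD DNS zone
    [string]$WpadTarget = '127.0.0.1',                              # or your proxy's IP
    [string]$PacUrl     = 'http://proxy.corp.example.com/wpad.dat', # assumed PAC location
    [string]$DhcpScope  = '10.0.0.0',                               # assumed DHCP scope
    [switch]$UseDhcpOption252                                       # only if a proxy is still needed
)

# 1. DNS: give 'wpad' an authoritative answer so clients never fall back to LLMNR/NBNS.
#    Windows DNS ships with wpad on its Global Query Block List, which suppresses the
#    record even after you create it, so take wpad off the list first.
if (Get-Command Add-DnsServerResourceRecordA -ErrorAction SilentlyContinue) {
    $blockList = @((Get-DnsServerGlobalQueryBlockList).List)
    if ($blockList -contains 'wpad') {
        Set-DnsServerGlobalQueryBlockList -List @($blockList | Where-Object { $_ -ne 'wpad' })
    }
    $existing = Get-DnsServerResourceRecord -ZoneName $DnsZone -Name 'wpad' -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name 'wpad' -IPv4Address $WpadTarget
    }
}

# 2. Hosts file: covers roaming endpoints that are off the corporate DNS. Both the
#    short name and the FQDN are needed because the resolver tries each DNS suffix.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($name in @('wpad', "wpad.$DnsZone")) {
    $pattern = '^\s*\S+\s+' + [regex]::Escape($name) + '\s*$'
    if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
        Add-Content -Path $hostsPath -Value "$WpadTarget`t$name" -Encoding Ascii
    }
}

# 3. Client: stop auto-detection in WinHTTP (services, and Edge/Chrome via the system
#    settings) and in WinINET/IE for the current user. The HKCU value only affects the
#    user running this script; push it to everyone with Group Policy Preferences.
$regValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DisableWpad';  Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad';    Name = 'WpadOverride'; Value = 1 }
)
foreach ($r in $regValues) {
    if (-not (Test-Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
    New-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value -PropertyType DWord -Force | Out-Null
}

# 4. DHCP Option 252 (only if clients still need a proxy). This is still WPAD's DHCP
#    phase: it helps only clients that keep auto-detect on, and the answer is only as
#    trustworthy as your DHCP, so pair it with DHCP snooping.
if ($UseDhcpOption252 -and (Get-Command Set-DhcpServerv4OptionValue -ErrorAction SilentlyContinue)) {
    if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -OptionId 252 -Name 'WPAD' -Type String -Description 'Proxy auto-config URL'
    }
    Set-DhcpServerv4OptionValue -ScopeId $DhcpScope -OptionId 252 -Value $PacUrl
}

# Check: after flushing the cache the name must resolve to the intended target locally,
# which is what stops the LLMNR/NBNS fallback.
ipconfig /flushdns | Out-Null
Resolve-DnsName -Name "wpad.$DnsZone" -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Run it once on a DNS server and once on a DHCP server with -UseDhcpOption252 if a proxy is still required, and deploy the hosts and registry portion to endpoints through your management tooling. A record that still does not resolve after the script ran on the DNS server usually means the zone name is wrong or another DNS server in the replication set still has wpad on its block list.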

Advanced Detection Using WPAD as a Canary:

A creative approach is to turn WPAD into a canary. Once every managed endpoint has the hosts entry and auto-detection disabled, none of them should ever ask DNS for wpad or fetch a wpad.dat, so any such request comes from a device that missed the hardening, from a rogue tool, or from an attacker enumerating the name. If you have no real proxy, point the wpad A record at a host you control and have it serve a harmless wpad.dat while logging every request: the DNS query log then shows who is looking for WPAD, and the web log shows who actually accepted a WPAD answer and tried to use it. Alert on both.

Setting Up a WPAD Honeypot with Open-Source Tools:

To create a honeypot for WPAD requests:

  1. Choose an Open-Source Honeypot Platform:
    Use Honeyd (used below), which can emulate a host and forward port 80 to a web server, or Dionaea, which has a built-in HTTP service. Cowrie is an SSH/Telnet honeypot and cannot serve wpad.dat; for the fake file itself a plain web server with request logging is all that is required.
  2. Set Up a Virtual Machine for Isolation:
    Install the honeypot platform on a virtual machine, isolated from the production network to prevent attackers from pivoting to other systems.
  3. Configure Honeyd for WPAD:
    Install and configure Honeyd to answer for a spare IP address and forward HTTP to the web server that hosts the fake file. A minimal template:

    honeyd.conf
    # Template for the fake WPAD host. The personality must be an OS name from
    # Honeyd's nmap.prints fingerprint database.
    create wpad
    set wpad personality "Microsoft Windows XP Professional SP1"
    set wpad default tcp action reset
    # Forward HTTP to the web server that hosts wpad.dat (10.0.0.6 is a placeholder).
    add wpad tcp port 80 proxy 10.0.0.6:80
    # bind takes the address Honeyd answers for, then the template name;
    # 10.0.0.5 is a placeholder for an unused address on your segment.
    bind 10.0.0.5 wpad
  4. Host a Fake WPAD File:
    Create a fake wpad.dat file and serve it from the honeypot’s web server:

    bash
    # The PAC must name a proxy listener you control and log; 10.0.0.1:8080 is a placeholder.
    # Anything that connects to that port after fetching the file has accepted the WPAD answer.
    echo "function FindProxyForURL(url, host) { return 'PROXY 10.0.0.1:8080'; }" > /var/www/html/wpad.dat
  5. Monitor Activity:
    Watch the honeypot's logs for DNS lookups of wpad and for fetches of /wpad.dat, and treat connections to the proxy address named in the file as confirmed hits. The source address and user agent of each request tell you which host is probing and, often, which tool is in use.
  6. Regularly Update the Honeypot:
    Keep the honeypot patched and review its configuration as your network changes so that it stays both believable and safe to expose.
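Detection logic for the canary described under "Advanced Detection" and for the "Monitor Activity" step above, as an added example that is not part of the original page: a PowerShell function that scans DNS query-log lines and web-server access-log lines for WPAD canary hits. The log lines are constructed samples in BIND-style querylog and Common Log Format; the formats, addresses and user agents are assumptions, and Find-WpadCanaryHits is a hypothetical function, not an existing cmdlet. It assumes the hosts-file entries from step 2 are deployed, so a managed endpoint should never appear in either log.

```powershell
# Added example: scan DNS query-log and web access-log lines for WPAD canary hits.
# Assumptions: BIND-style querylog lines and Common Log Format access lines; both
# the formats and the sample data below are constructed for illustration.

# Constructed sample DNS query log (not real data)
$DnsLog = @'
01-Jun-2024 09:14:02.113 client 10.0.0.23#53211 (wpad.corp.example.com): query: wpad.corp.example.com IN A + (10.0.0.2)
01-Jun-2024 09:14:05.421 client 10.0.0.41#61002 (fileserver.corp.example.com): query: fileserver.corp.example.com IN A + (10.0.0.2)
01-Jun-2024 09:15:17.009 client 10.0.0.77#50044 (wpad): query: wpad IN A + (10.0.0.2)
'@

# Constructed sample web access log from the canary host (not real data)
$WebLog = @'
10.0.0.77 - - [01/Jun/2024:09:15:18 +0000] "GET /wpad.dat HTTP/1.1" 200 68 "-" "WinHttp-Autoproxy-Service/5.1"
10.0.0.41 - - [01/Jun/2024:09:16:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.99 - - [01/Jun/2024:09:20:03 +0000] "GET /wpad.dat HTTP/1.1" 200 68 "-" "python-requests/2.31"
'@

function Find-WpadCanaryHits {
    <# Returns one object per source IP that asked DNS for wpad or fetched /wpad.dat.
       A fetch is rated High: that client accepted a WPAD answer and tried to use it. #>
    param(
        [string[]]$DnsLines,
        [string[]]$WebLines
    )
    $evidence = @{}   # source IP -> array of observations

    # DNS: any A/AAAA query whose first label is wpad (with or without a suffix)
    $dnsPattern = 'client\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+\s+\([^)]*\):\s+query:\s+(?<name>wpad(?:\.\S+)?)\s+IN\s+(?:A|AAAA)\b'
    foreach ($line in $DnsLines) {
        if ($line -match $dnsPattern) {
            $ip = $Matches.ip
            if (-not $evidence.ContainsKey($ip)) { $evidence[$ip] = @() }
            $evidence[$ip] += "DNS query for $($Matches.name)"
        }
    }

    # HTTP: any request for the canary PAC, regardless of status code
    $webPattern = '^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>\S+) /wpad\.dat[^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"'
    foreach ($line in $WebLines) {
        if ($line -match $webPattern) {
            $ip = $Matches.ip
            if (-not $evidence.ContainsKey($ip)) { $evidence[$ip] = @() }
            $evidence[$ip] += "$($Matches.method) /wpad.dat -> $($Matches.status) (UA: $($Matches.ua))"
        }
    }

    foreach ($ip in ($evidence.Keys | Sort-Object)) {
        $fetched  = [bool]($evidence[$ip] | Where-Object { $_ -like '*wpad.dat*' })
        $severity = if ($fetched) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            SourceIP = $ip
            Severity = $severity
            Evidence = ($evidence[$ip] -join '; ')
        }
    }
}

Find-WpadCanaryHits -DnsLines ($DnsLog -split '\r?\n') -WebLines ($WebLog -split '\r?\n') |
    Format-Table -AutoSize
```

With the sample data, 10.0.0.23 is reported as Medium (it only looked the name up), while 10.0.0.77 and 10.0.0.99 are High because they fetched the file; the user agent separates a Windows auto-proxy client that missed the hardening from a scripted probe. Feed the function real lines with Get-Content on the exported logs, and forward High results to your SIEM.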

Conclusion:

While WPAD offers a convenient way to manage proxy configurations, it can introduce significant security risks if left enabled and unsecured. By disabling WPAD, configuring DNS and hosts file entries, and using DHCP options or manual configurations, you can mitigate these risks. Additionally, setting up a WPAD honeypot provides an extra layer of detection against attackers. Proactively managing WPAD can significantly improve the security posture of your network.

Implementation Tip

  1. For WPAD, don't just disable it on the clients; also make the wpad name resolve. Add a wpad A record pointing at a host you control, such as a domain controller, so that any client that still asks DNS gets an answer (and, where no web server is listening, a refused connection) instead of falling back to LLMNR/NBNS.

  2. Block mDNS (UDP 5353) at the host firewall, and likewise LLMNR (UDP/TCP 5355) and NBNS (UDP 137), because applications can run their own multicast name resolution even when WPAD is disabled in Windows' settings.