Yeah, my name is Thomas and my daily work is incident response and forensics. I have done some red team. So in red team engagements, I often use Responder, where there's a function to set up a rogue proxy server with the WPAD function.

So monitoring the network to see the traffic, seeing that clients are asking for the WPAD domain in the company. But it is also sometimes asking for wpad.tld. So who is having this domain? Is it in use? Is it free? Can I buy it? What are they using it for?

So at the time I looked at this, I looked it up and discovered it was a German guy that had this Danish domain. I don't know what he was using it for. Two years later, I looked again and discovered there's someone in Israel having the Danish domain. And in 2020, the Danish registry for .dk domains added a function where I can sign up for a waiting list. So I signed up for the waiting list and paid a small fee every year.

So how it's working, the basics is that a client goes to request a WPAD. It's going to the DNS server, finding the IP address, then going to the web server and getting the content back.
Very basic. If we are adding a proxy server into the mix, then the proxy server will do all the heavy lifting. So the client is asking the proxy server, the proxy server is doing the name resolving and getting the web page and returning the content to the client.

So back in 1996, Netscape decided that there must be an easier function when you're adding a machine to a network, to automatically configure the machine. So they came up with this WPAD function to automatically ask for the machine where the configuration file is stored. And they set down a consortium to try to make an RFC standard for it, but it never got through, and it expired in 1999. So it's the 25 year anniversary now.

According to Wikipedia, the way it works is that, for the name where the client is part of the domain, it will add the WPAD part in the front and slowly test until it finds a name where it matches and gets a response and can download the configuration file.
But in some implementations, it will go down to wpad.tld and then download the configuration file from there. And as you can see on the Wikipedia page here, it's the incorrect solution and it shouldn't be used that way. So that's a security issue.

So the way WPAD works is that we have a client, it's called client.a.company.com. It will search for WPAD when the browser is opened. It will then remove the client name and then try to add wpad.a.company.com and try to resolve that. If that's not working, it removes one name. So it's wpad.company.com. And in this example, it's resolving the IP address and then it goes to a web server trying to download a file called wpad.dat. And that's the configuration file for the client. It can also be configured with other solutions like DHCP, WINS and so on.

So the .dat file it downloads is actually a small JavaScript that the client executes on the client machine, with a function called FindProxyForURL. Its input is what URL it's trying to go to and the host name.
And then you can modify this script to say that the client should go direct if it's company name addresses, or it should go to a proxy server if it's anything else on the internet, like this proxy.company.tld:80. So here we have an example where it's trying to go to defcon.org and it's not matching any of the if statements, and then it goes to the proxy as the last return statement.

There's a website dedicated to all the functions that can be used in this limited, very limited JavaScript language. You cannot use all functions. Here you can see the top part of the functions: dnsDomainIs, isResolvable, isInNet and so on. But there's also some other functions that work. Like I have found here the stable functions. I call them and I can get user agent, host name, time zone and so on. In the past I could also, from some clients, get screen resolution and color depth and so on from each client. But that's very unstable, and many of the clients crash the JavaScript when trying to ask for that. So I removed that.

So when WPAD is implemented, it is not implemented in a company, and someone gets the top level domain, then what happens is that the client is asking for the WPAD in the company. It doesn't get any results. It tries again by removing one name, and tries again by removing one name, and ends on wpad.dk. So it goes to an external WPAD on a web server, downloading a configuration file for the client, how it should use proxy settings, and trusts that server even though it's not inside the company.

In 1999 when it expired, and Microsoft was part of this consortium, the same month Microsoft was informed that there's a security issue. If someone buys this top level domain with any TLD, you can basically own a complete country. So there have been talks about this before. In 2007 at Kiwicon, there was some guy having an eight year anniversary for this issue, looking at the things, and had a very good talk. Unfortunately, it's not public anymore. And then at Shmoocon the same year, another guy had a look into this. And then Microsoft got busy again trying to make a new patch, trying to fix whatever was found in 2007. So now it's fixed, right? It should be.
So for me, the waiting time is over. In March 2023, I got a mail from the Danish registry, the hostmaster, saying that the wpad.dk domain was now mine. And I could register it and assign it to a server. So I found a cheap web portal and added it to a web server there, just because I wanted to see if there's any traffic at all, just monitor the logs and so on.

At the same time, I looked at who has owned this domain in the past. And I could see that from the talks in 2007, there was someone in Denmark deciding it was a good idea to have this domain for some years. But then he sold it, and one guy in Belgium got the domain, and one in Germany, and then one in Israel. And then I got it here last year.

So this is the logs from the first day I assigned wpad.dk to a web portal. I was a bit surprised to get more than 80,000 requests for this wpad.dat file on the first day, basically. The spike in the graph, I think that's the roll over time from when I started. It has to go to 24 hours. That's why it's not linear. So basically 80,000 requests on the first day without doing anything other than buying a web portal and adding the domain.

So that's not fun, because I don't have access to all the log files. So the way was that I set up a VPS server, installed a DNS server on it, became my own name server on the internet, registered in DNS and all the things, and added a web server on top of that. That way I could add the domains I got into this server and capture all the traffic, all the logs, in the way I like to have them. And every good website should have a web page, right? So I took my best skills and opened a notepad and crafted a web page where I added some crap about you shouldn't use this page, and this is for research and so on.

So when the client is downloading this wpad.dat file, the JavaScript, and executing it on the internal client machine, it cannot see the public IP that it is coming out from when it's going onto the internet. So the way I fixed that was that I added on my web server a dynamic web page that builds the JavaScript for the client dynamically. So I add the client's public IP into the script before each client gets the script.
So they're getting a dedicated script for each client. So I have the public IP, even if the client doesn't know it themselves on the internal network. So when a client, one, two, three, one, two, goes to the net, this is a simplified version of my scripts. But what it is basically doing, I'm building a string in the DNS name with the information I take from the client, like the time zone, internal IP, external IP and so on. So I can leak data to my DNS server about the internal client. So in this example, you can see the client is told to go to defcon.org, and the D is the time zone, I the internal IP, W is the world IP, the public IP, and then it goes to p.wpad.dk as my server. And of course, I use port 80 because I want all the traffic to be unencrypted. So just come as normal, as to be unencrypted.

So then the client, for every request they make on the machine, all URLs, they will pass it through this WPAD script. And then it will go to this address that is built automatically, or dynamically, for each request they're doing. So I get in my log files a listing of what traffic they are trying to resolve, and then I tell them all the requests go to this web server, that is my web server on the same host. And then the client is asking my server for some web page, and I'm so kind, so I return errors for everything, because I don't want to run a proxy server on the internet that is open and be man in the middle. So I just return errors for everything. And yes, I get to see the inside with HTTP clear text, but they think they're asking on the outside with HTTPS. So for every request every client is making, I'm returning this error page.
And to be nice to the users, I have included an input form. So if they don't like what they're seeing, they can tell me what the hell is wrong and what I should do better. And there's also a checkbox for whitelisting the client, so they can input their host name and tick the whitelist checkbox. But I hadn't implemented that function, so this is the first step on the form, right?
I just did this disclaimer. I'm not intercepting any traffic. I'm just looking at log files and so on from requests coming in. I haven't told any clients anywhere to contact my server. I've only just bought one domain name, set up a web server, and all the clients are coming to my server.

So this is an example of information I'm getting from one client, and you can see the client's public IP, what name server it used, what internal IP address it has, the time zone. And then, of course, from the web server log I can see what they're asking for, and thereby also which user agents they think they have, what application they are using, an operating system and so on. So this was fun. I get a lot of traffic into the server, more than I expected.
So why not look for buying some more domains. Sadly, the three domains here, they are reserved, they have protected them so you cannot register them. There's a limit on that. They have already set that up. What I got: .id and .site and .build, just for fun. And why not, looking at the list there was .press and .porn, so we can try to see which one of them is the most popular one. And because we are here, .vegas. And then I found that wpad.eu was apparently registered, but there was someone trying to sell the domain, but I'm not buying it at that price. So I could see that they also rented the domain. So I asked them, can I rent this domain for one year, and is there any limits or rules for what I can use the domain for, and they say no, you can, there's no rules, you can rent it for one year. And I paid three and a half euro per month for renting the domain, and then I politely returned it when I was done with it.

So this is my list of domains for this research, and for one year, from April to April, I got 1.1 billion DNS requests resulting in 200 gigabytes, six log files. This is for the DNS server alone. And if you look down on the, I don't know how big it is, but there's a client asking for cnn.com, and you can then see the internal IP here and public IP and so on of the clients.
So here I have seen on which WPAD domains where the clients are coming from in the world, and for the .dk domain there's obviously a lot of traffic from Denmark, but to my surprise, why is there so much traffic from Russia and Ukraine to the .dk domain, and then there's a big jump down to Germany.
So it's a bit odd there's so much traffic for that on the .tk domain, and the .vegas domain on the right, yeah, of course the United States would be there, but all the other domains, it's a mixed order of why they have the .vegas.

So when Windows machines today are connected to a network, it will in the lower right corner of the system have a nice icon indicating it has internet access and it is working. But because I'm a proxy server that doesn't return anything and doesn't work by design, the clients of course will show that they don't have internet access. So I found that for this list of six Microsoft domains, if I return the string "OK" for every request, the client will indicate this has good internet access. So I just added a rule to the proxy web server function saying if you see this domain, respond with "OK", and all the clients then suddenly indicated they have good internet access again.

So what about the traffic, what do I see? Here's the types of requests I see, and again, of course I see a lot of GET requests, but I also see a lot of POST requests, so that's clients sending data up to the servers, and then I got all the CONNECT requests, that's the proxy traffic. There's 1.1 billion requests asking the proxy server to collect something, so that's actually clients that have downloaded the WPAD proxy PAC scripts and executed them on the machine and then come asking for a web page. But also we see on the list there's VIPDA, there's Apple, there's Microsoft, it's the same client, there's Microsoft VPN, and there's many more I have not included in this. So there's a lot of different traffic in this, and that is based on the Apache log files you can see in the lower corner, about 477 gigabytes of Apache log files with 1.5 billion requests in them.
So it takes some time to grep through them and find the data. So because I am a proxy server that the client trusts, and I have given them a configuration script, I've told them to send everything to my server, including local traffic. So if you look here, you can see an internal client that's 1.5. It should actually talk to the same computer on the same network, next to it, 1.1, but because I've given the script saying no, you should ask the proxy server, it's sending the traffic up to me and asking me as a proxy server, even though they are on the same network.

And POST requests, this is clients sending data, they're just posting data against a web server, 37 million requests. As I don't have the data, I only have the logs, I don't know what it is, but everything clients send to servers, so it can be confidential data, whatever documents, files, content, whatever.

And again, because I'm controlling everything with my proxy scripts, every .local traffic I have in the domain, all of it from the clients, it should never go to the internet, because it's not resolvable on the internet; that's designed to be used for the internal network.
So here we see some funny domains like Citrix and fileprint and vCenter, and yeah, where the client is coming up to my proxy server and asking me to get that traffic. Because it's local, I can of course not get the traffic, but I can see what they are asking for.

And then some years back there started to be a new smart function in the browsers, because they want to protect the DNS traffic, saying we want now to send the DNS traffic over HTTPS, because then rogue guys, man in the middle, couldn't happen and they better control it. But because I'm now a man in the middle proxy server, I'm also controlling the DNS over HTTPS, and it's basically just, as you can see here, a client asking for baidu.com, and then it returns a JSON blob. So my proxy could return whatever I want, a JSON blob directing the client to go to another location or whatever.
So passing through the log files and looking for all the file extensions that are downloaded. This is some of them. The highlighted ones, it's a bit scary to see all the credentials and certificates, and there's the executables, there's database files, there's scripts. So I could replace a script, and if the client is executing the script on the machine, it's not a good thing for the client.

Here's an example of executable files the client tries to download. So there's some Windows Update, Microsoft Installer, there's anti-virus updates, Microsoft SCCM client and RealPlayer, and I didn't know RealPlayer still was a thing, but okay. So there's a lot of different requests here and I get a lot of them. This is just a small sample list. But the list of file names I found with the extensions is not fully true, because I also found that there were some bad guys trapped in my setup trying to scan other servers. So they were trying to enumerate for different files like .pfx files and other files. So you can see here there's a long list where it tries to access a web server asking for different files and hoping that they find something.

So credentials in the URL, there's a lot of them. I got 200,000 URL requests where the user name and password is part of the URL. And I don't know if you can see the size of the screenshot there, but it's apparently an engine guy that has a lot of friends. He's using a web service to send SMS messages to all his friends. He apparently has a lot of friends, there were many, many log lines here, so they all start with "dear" something. Yeah, I don't know what he is trying to do.

So credentials, here's some of the clear text, non encrypted credentials just sent to the server. And some of them are so ridiculous, like admin/admin, I cannot censor that away, you should see it. And "change me", it changed me, I think that's a good idea to change that one. And "security party", yeah, we have difficulty, security is a party. So yeah, that's very crappy credentials. And NTLM version 1 shouldn't be used for the last 20 years, as Microsoft has tried to tell us, change to NTLM version 2. So administrator, root, security accounts and so on with NTLM version 1, and then there's NTLM version 2. I also got many, many clients sending the credentials, and there's some good user names here: admin, administrator, doctor, hotel manager, and then a laser, that sounds fun to play with, and sa, that's normally a system administrator account on SQL servers and the like. So many good credentials if you're malicious.

So what are the clients talking to this server? When I started this project, my thinking was this is just Microsoft crap and they should patch the things. But if you look at the list, you can see it's basically everything, every application. It's VPN clients, it's anti-virus applications, it's, yeah, the list is very long, this is just some of them. There's Cobalt Strike, and you can see in the lower left corner there's even some guy having trouble with his internet access, so he's using Wireshark to debug his network that is not working, because he's apparently using a proxy that doesn't return anything. So he's debugging that, and I then get his update check from Wireshark. Yeah, so the list is long, there's Fortune VPN and many clients. In fact I got 27,000 different user agent strings with Linux, Mac, iPhone, Android, whatever, all platforms. So now I cannot say which client it is that has the issue and which application has the issue, because it seems to be everything.

Oh yeah, so when you're running a proxy server that doesn't return anything and you have clients behind it, there were some of the clients that were not able to download some updated background screen that CrowdStrike provided to Windows machines. So I have actually protected 226 machines from CrowdStrike.

And what about detection? The only place I have seen any detection is when clients are behind a Palo Alto setup. The Palo Alto setup will monitor the URLs the clients are asking for and then try to categorize them and check them for malicious things and so on, like many other proxy servers are also doing. It's the only one I have seen in the traffic that is interacting with the traffic, and the way it's doing it is replaying the same request that the user tried to do, but it's adding this user agent string, this long string you see here, that's the complete string. So it's a pretty long user agent string where it says it's a Palo Alto monitoring device and so on, and it's suggesting I can send a mail to them to get whitelisted. But again, I'm a proxy server and I'm not the destination, so it will be pretty many mails I have to send to them to get whitelisted for everything. So I haven't tried that.

And then Cisco apparently has some kind of endpoint client you can install on computers, and it's my understanding it is designed to protect the client from rogue DNS servers and rogue proxy servers. It's not working so well, because what happened is, because I'm returning error pages to everything and rejecting all traffic, the client, the client machine, the application seems to get angry and just making brute force against my machine, trying to loop and getting the request again, again, again, again, again, again and trying. So the only way was I had to make a black hole for the domain. So I just discarded everything with OpenDNS that came in, to a /dev/null, and didn't reply to it, and then the Cisco client stopped DoS-ing my server.

Yeah, so I have also found what I think is malicious. This is for the domains engineer, exchange, expose, software and so on. There's a WPAD script, and it seems to be running a proxy for HTTP and FTP traffic with the fail option, so if it doesn't work it will go direct. But it's also collecting data and sending it over an extra channel with some communication. So this looks like someone is monitoring traffic for these four domains here.

And this one is a bit weird. I think it's, it's a guy that really, really likes ads, or it's just some testing going on, because on wpad.trade there's a proxy script that's looking with a lot of if statements if there's some kind of ad word in the request. It will send the request through a proxy server; if there's not a word, then it will go direct. So it seems that someone is trying to collect all the ads. The reason for this, I think, can maybe be that he is replacing the ad IDs in the traffic with his own, and by this earning money on capturing the traffic and then getting paid because he's directing all the clients to his ad, maybe. Or it's a test for something, or he just likes ads, I don't know.

So here's another one, also a bit weird, and the names, the TLDs, that doesn't, MR, cooking, storage, serve, there's no continuous line in them. It claims to be some sort of security project. I haven't been able to find any place where they're talking about this project or anything, so it's only a claim inside this configuration file. It's a bit weird, it's only sending the traffic to a proxy server for what is not resolved, of domains; so all the things that failed, it sends to the proxy server, anything else goes direct. So it's maybe something that tries to look for all the odd things that's hidden on the net. I don't know what the function is.

Yeah, so we have a winner. Apparently press is more interesting than porn; I wouldn't have guessed otherwise. But this is the score for the wpad.dat file, how many times it was downloaded, and they have been running on the same server, at the same time, for the same period.

So from the forms I get from the users, I got 40 users that clicked that they want the whitelisting from this error, even though I haven't implemented any function to whitelist anything and am just returning errors to them. And they inserted some computer names; it doesn't look like DNS names, but it's computer names. So yeah, maybe one day I will add a whitelist function.

And here we have some feedback from the users. Apparently they're not all happy. Some users say they got this error message when trying to get through to my net bank, or I clicked this link in the mail and got this error, or t-shirt or whatever. So not all users are happy.
So when I saw that I was getting feedback from the users, thinking, why not set up a survey asking the users how much they like my non-working proxy server that only returns errors to all the clients. So I added these three normal steps that could ask, and to my surprise I have a high leaning on they really like my service and would recommend it to their friends. So this is for a non-working proxy. But there were only four responses, so yeah. And there was no one submitting an email address, so the hundred dollars are going to the Danish cancer fund.

I added on the webpage a feedback form, maybe getting some good suggestions and so on on what I can improve on my non-working proxy, but I only got more than three thousand spam messages saying that they will SEO optimize my website so people can find it. I don't know if I should sign up for that; I have many clients already. And zero feedback from anyone.

So for the period of this one year, I monitored via Google if anyone anywhere was writing about these domains I had on my list, to see if they were talking about it in some forum, talking about disabling WPAD and so on. I haven't found anyone for one year talking about anything about the domains. So it has been, to my knowledge, completely silent for one year without any detection anywhere.

So my question is, why can a guy like me even buy this domain? Why should this crap that's 25 years old not just be disabled? Why do we have this? It's not, it's not a modern security model; we just download a PAC script with JavaScript, run it on the client, and then the client just sends all the traffic to a proxy server. It's not very secure. So I don't know if I can stand here in 25 years, or in a wheelchair, talking about the same thing once again, saying that nothing has changed. I don't know. But this is the 25 year anniversary.

Yeah, I can see I have still some time. So first of all, a big shout out to my friend Kilnorman for a lot of help with the research and information. And I have some bonus slides because I have some extra time.

So I posted this, like, this talk was on the schedule page on DEF CON, and shortly after that time I was contacted by a guy that's called Cheaton, saying that he was for the last half year basically doing the same research into some other domain names, and we could look and share some data. That could be fun if we had the time. But also he has paid up for some domains in the .ad, and from what I've heard there should be coming a really, really good talk. I look forward to hearing how many Active Directories are coming in the same way. Okay, 10 minutes.

So after running this for basically two months, I got contacted in Denmark. Denmark is not a very big place, so about five, six million people, so the security community is not that big. I got contacted by someone saying, is this you, you're running some kind of research project for the WPAD? Yeah, okay. This big company apparently got a lot of machines trapped in the wpad.dat file, and all the traffic was going to my server. So they just wanted to know, and the way they found it was because one of the domains I had on my list, it was not fully anonymized, so they could see the name Thomas, and then they say, ah, Thomas from Denmark, then we try to call him. That's good research, yeah.

So if you're looking back on 27,000 different user agent strings on basically all platforms, I would like to present one slide saying this is Microsoft crap, here's the three settings you want to set on a Microsoft machine and you're protected. But this seems to be all platforms, all applications that have the issue, otherwise I wouldn't have got so much traffic as I've seen in my data.

So my best advice is to add into the hosts file on the machine the WPAD domains, and saying that it loops back to itself, so it will never send any traffic to the internet. And then you have to look up each OS, see which way you can disable the function on there, and also add the WPAD to your company domain, so if a client is asking on that domain it will not resolve to anything other than 127.

I think also to note here, that I skipped over, is that when a client downloads my WPAD configuration file, it caches the file. So when people are working from home, they may be on a network where they can download the file in a .dk domain. They download the file, start using the proxy, get into the workplace, keep using the proxy, because they're caching the file. I told them to use this file for 14 days or something, so they will keep using it.

Yeah, and it's best to disable this WPAD function at system level. Otherwise, if you only disable it in the browser, all the services you have on the machine that are running as system, they are also talking, like anti-virus applications, they are talking to the internet; that will not inherit the configuration from the client settings. So it's best to set it on machine level, so it's everything on the machine, and disable its function. And as you can see there's a Windows service called WinHTTP Web Proxy Auto-Discovery Service. It's on all machines, no one knows what it is, but now you know what it is. It can be difficult to disable because it has dependencies to other things. Yeah, so basically read the fucking manual to find out how to disable it on all applications and OSes, because it's not easy for me to make one slide that fixes it all.

Yeah, so this is the slides again. Thank you to Kilnorman. Thank you.
End of transcript
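As an added example (not the speaker's code and not part of the talk), this Python script simulates the candidate-name walk the talk describes and runs a defender-side check over DNS query logs for wpad lookups that leave the organisation's own zone; the zone company.dk, the IP addresses and the BIND-style log lines are all constructed assumptions.

```python
"""Added example (not the speaker's code): simulate the WPAD candidate-name walk
the talk describes, and scan DNS query logs for wpad lookups that leave the
organisation's own zone (the walk reaching wpad.<tld>)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed BIND-style query-log lines for the demo; the clients, the zone
# company.dk and the resolver 10.0.0.1 are assumptions, not real traffic.
SAMPLE_LOG = """\
client @0x7f01 10.0.0.5#51234 (wpad.a.company.dk): query: wpad.a.company.dk IN A +E(0)K (10.0.0.1)
client @0x7f02 10.0.0.5#51235 (wpad.company.dk): query: wpad.company.dk IN A +E(0)K (10.0.0.1)
client @0x7f03 10.0.0.5#51236 (wpad.dk): query: wpad.dk IN A +E(0)K (10.0.0.1)
client @0x7f04 10.0.0.7#40001 (wpad.vegas): query: wpad.vegas IN A +E(0)K (10.0.0.1)
client @0x7f05 10.0.0.9#40002 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?:A|AAAA)\b"
)


def wpad_candidates(client_fqdn: str) -> List[str]:
    """Names a client tries, in order: drop its own host label, prefix 'wpad.',
    then strip one label per attempt.  The final candidate is wpad.<tld>, the
    step the talk (and Wikipedia) call incorrect because anyone can own it."""
    labels = client_fqdn.lower().strip(".").split(".")
    parents = labels[1:]                      # client.a.company.dk -> a.company.dk
    return ["wpad." + ".".join(parents[i:]) for i in range(len(parents))]


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def discover(client_fqdn: str, resolver: Dict[str, str], zone: str
             ) -> Optional[Tuple[str, str, bool]]:
    """Walk the candidates and stop at the first one the resolver answers, as a
    client does.  Returns (name, ip, escaped); escaped is True when the answer
    came from outside the organisation's zone.  None if nothing resolved."""
    for name in wpad_candidates(client_fqdn):
        ip = resolver.get(name)
        if ip is not None:
            return name, ip, not in_zone(name, zone)
    return None


def escaped_wpad_queries(lines: List[str], zone: str) -> List[Tuple[str, str]]:
    """Detection: (source, qname) for every A/AAAA query for a wpad name that is
    not under the organisation's zone, i.e. a client that walked out to a TLD."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname.startswith("wpad.") and not in_zone(qname, zone):
            hits.append((m.group("src"), qname))
    return hits


def hosts_sinkhole_lines(names: List[str]) -> List[str]:
    """Hosts-file lines implementing the talk's advice: point the wpad names at
    loopback so the client never reaches the internet for them."""
    return [f"127.0.0.1 {n}" for n in names]


if __name__ == "__main__":
    zone = "company.dk"
    # Without an internal wpad record the walk ends at the public wpad.dk.
    print(discover("client.a.company.dk", {"wpad.dk": "203.0.113.10"}, zone))
    # With wpad.company.dk answered internally (loopback) the walk stops early.
    internal = {"wpad.company.dk": "127.0.0.1", "wpad.dk": "203.0.113.10"}
    print(discover("client.a.company.dk", internal, zone))
    print(escaped_wpad_queries(SAMPLE_LOG.splitlines(), zone))
    print("\n".join(hosts_sinkhole_lines(["wpad.dk", "wpad.vegas"])))
```

Feed `escaped_wpad_queries` your resolver's real query log to find clients whose walk has already left your zone; the hosts-file and internal wpad record are the two mitigations the talk recommends.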
