Proxy Spoofing Remediation

Mr. Cyber
Jan 9, 2022
Technical details:

By responding to broadcast messages, an attacker can spoof proxy settings to become a man-in-the-middle.

MITRE Technique Alignment (1)

Link: T1557

WPAD Proxy Spoofing

The Web Proxy Auto-Discovery (WPAD) protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL. Before fetching its first page, a web browser implementing this method sends a DHCPINFORM query to the local DHCP server and uses the URL from the WPAD option in the server’s reply. If the DHCP server does not provide the desired information, DNS is used. Additionally on Windows, if the DNS query is unsuccessful then Link-Local Multicast Name Resolution (LLMNR) and/or NetBIOS will be used. Attackers can use either DNS, LLMNR, or NBNS spoofing techniques to respond to insecure WPAD requests to extract credentials and in some cases even cause remote code execution.

1- Disable WPAD on clients:

How to Disable WPAD?

Disable The WinHttpAutoProxySvc Service Using Group Policy — The Preferred Solution

  1. Create a GPO that sets the registry value HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Start to 4 (REG_DWORD). The service is now disabled.
  2. Reboot the machine twice! After the first reboot, the service will be disabled but still running. Only after the second reboot will it be completely stopped.

Disable WPAD Manually On Windows 10

  1. Enter the Windows settings page.
  2. Select Network & Internet.
  3. Select the Proxy tab.
  4. Turn off Automatically detect settings.

Notes

In some cases, adding the following records to /etc/hosts is also needed, as Microsoft Windows WPAD behavior is relatively buggy:

255.255.255.255 wpad
255.255.255.255 wpad.<your_domain>

Disable WPAD Manually On Windows 8, 8.1

  1. Press Win + C.
  2. Select Change PC Settings.
  3. Select Network and pick the Proxy tab.
  4. Turn off Automatically Detect Settings.

Disable WPAD Manually On Windows 7

  1. Go to the control panel.
  2. Select Internet Options.
  3. Go to the Connections tab and select LAN Settings.
  4. Uncheck the Automatically detect settings checkbox.

2- Disable LLMNR

What is the LLMNR protocol?

LLMNR (Link-Local Multicast Name Resolution) is a protocol that was introduced with Windows Vista and is based upon the Domain Name System (DNS). LLMNR is often used by network-connected systems to identify hosts on a local subnet when DNS fails, where DNS is not available, where peer-to-peer name-resolution services are required, or to complement DNS infrastructure.

Disable LLMNR with Active Directory GPO

The Link-Local Multicast Name Resolution (LLMNR) protocol is enabled by default. Active Directory has a GPO you can configure to prevent workstations in the same domain from using LLMNR.

Create a new Group Policy or update an existing one and edit accordingly:

  • Computer Configuration -> Administrative Templates -> Network -> DNS Client.
  • Enable the Turn Off Multicast Name Resolution policy by changing its value to Enabled. This is essentially the same operation as using the Local Security Policy editor, except that the modification is made in a Group Policy.

Disable LLMNR with Local Group Policy (Windows 7,8,10 Pro)

  • Run gpedit.msc to open the Local Group Policy editor and modify the following policy.
  • Computer Configuration -> Administrative Templates -> Network -> DNS Client.
  • Enable Turn Off Multicast Name Resolution policy by changing its value to Enabled.

Disable LLMNR with Command Line (Single Workstation, Windows 7,8,10 Home)

Execute the following commands from the command line with administrator privileges:

REG ADD "HKLM\Software\policies\Microsoft\Windows NT\DNSClient"
REG ADD "HKLM\Software\policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f

Disable LLMNR on systemd-based Linux distribution (Ubuntu, CentOS)

Change the line containing ‘LLMNR=yes’ to ‘LLMNR=no’ in /etc/systemd/resolved.conf using nano, vim, vi or another text editor.

3- Disable NBNS service

What is the NBT-NS protocol?

NBT-NS (NetBIOS Name Service) is a precursor protocol to LLMNR and operates similarly to ARP (Address Resolution Protocol) broadcasts. LLMNR is enabled by default on Windows Vista and later releases (which includes Server 2008 and later), with NBT-NS being available on all Windows releases.

How do I disable NBT-NS?

To disable NBT-NS, support for NetBIOS will also need to be disabled. Unfortunately disabling NetBIOS cannot be performed via Group Policy natively; however, it can be disabled using a registry key or via the command line.

The registry setting would require NBT-NS to be disabled for each of the interfaces in use. The registry entry can be found at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\

The DWORD value for ‘NetbiosOptions’ will need to be changed to ‘2’. Value ‘0’ keeps the default setting, which is to use the NetBIOS settings from the DHCP server, whilst setting this value to ‘1’ enables NetBIOS over TCP/IP.
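
A read-only audit of the three settings covered above (the WinHttpAutoProxySvc Start value, the EnableMulticast policy value, and NetbiosOptions on every interface), followed by an optional per-interface NetBIOS change. This is an added example, not code from the original article; the function names Get-RegValue, New-Check, Test-ProxySpoofingHardening and Disable-NetBiosOverTcpip are hypothetical helpers introduced here.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
$NetBtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing ($null) when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Check([string]$Check, [string]$Target, $Value, $Wanted, [string]$Note = '') {
    # A missing value ($null) never equals the wanted number, so it reports Hardened = False.
    [pscustomobject]@{ Check = $Check; Target = $Target; Value = $Value
                       Hardened = ($Value -eq $Wanted); Note = $Note }
}

function Test-ProxySpoofingHardening {
    # 1. WPAD: Start = 4 marks the WinHttpAutoProxySvc service as disabled.
    $svc   = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start'
    # The service can still be Running until the second reboot, so report its live status too.
    New-Check -Check 'WPAD service disabled' -Target 'WinHttpAutoProxySvc' `
        -Value $start -Wanted 4 -Note "live status: $($svc.Status)"

    # 2. LLMNR: EnableMulticast = 0 under the DNSClient policy key.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    New-Check -Check 'LLMNR disabled' -Target 'DNSClient policy' -Value $llmnr -Wanted 0

    # 3. NBT-NS: NetbiosOptions must be 2 on every interface subkey.
    foreach ($iface in Get-ChildItem -Path $NetBtIfaces) {
        $opt = Get-RegValue $iface.PSPath 'NetbiosOptions'
        New-Check -Check 'NetBIOS disabled' -Target $iface.PSChildName -Value $opt -Wanted 2
    }
}

function Disable-NetBiosOverTcpip {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($iface in Get-ChildItem -Path $NetBtIfaces) {
        if ($PSCmdlet.ShouldProcess($iface.PSChildName, 'Set NetbiosOptions = 2')) {
            Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        }
    }
}

Test-ProxySpoofingHardening | Format-Table -AutoSize
# Disable-NetBiosOverTcpip -WhatIf   # preview the per-interface change; drop -WhatIf to apply
```

A row with Hardened = False and an empty Value means the registry value is not set at all, so the default behaviour applies.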
