0x00 Preface

A while ago I wrote about Potato, a privilege-escalation tool whose approach differs from conventional escalation tools: it relies on WPAD proxy behaviour. This post expands the testing and analysis, mainly by studying Potato's network traffic to understand how it escalates privileges. I learned quite a lot along the way and want to share some of the thinking behind it. Corrections from the experts are welcome!

The full project code and program are on GitHub: https://github.com/foxglovesec/Potato

It looks as though the code base on GitHub was built by the two experts foxglovesec and breenmachine; opening it requires VS2012 or later.

0x01 Preliminary test

First, test the program's scope and effectiveness. The Potato documentation says it completes privilege escalation on Windows 7, 8, 10, Server 2008 and Server 2012. That looks impressive, so I tried it; only the systems I actually tested are listed below.

- Windows 7 on x86 and x64: escalates reliably and immediately. Why "immediately" is explained in the analysis of the mechanism below.
- Server 2008 R2 on x64: escalates, but takes about 30 minutes of waiting, tied to the Windows Update timing.
- Server 2012 on x64: escalates, but takes longer, tied to the timing of the Windows Update certificate-list refresh.
- Windows 8 and 10, etc.: to be tested when I get the chance.

An important prerequisite: Potato is written in C#, so the system needs .NET Framework 3.5 or later.

0x02 Principles of analysis

Taking Potato's escalation on a Windows 7 system as the example, the detailed analysis begins.

Potato-master\source\Potato\Potato\bin\Release is the program directory produced by building the Potato project. Open cmd as a normal user and execute the following command:

Potato.exe -ip 10.0.0.X -cmd "net user test /add" -disable_exhaust true

PS: the test system is Windows 7 SP1 x64, IP 10.0.0.X.

A capture tool was kept open for the whole Potato run. Since Wireshark cannot capture 127.0.0.1 loopback packets, I chose RawCap.exe. It requires administrator rights, is easy to use, and can save directly to pcap. I captured both 10.0.0.X and 127.0.0.1. Loopback capture on 127.0.0.1 with RawCap.exe did not work inside a virtual machine, so the testing and capture were done on a physical machine.

Step 1: make the machine believe WPAD is its own 127.0.0.1

Added: WPAD (Web Proxy Auto-Discovery Protocol). When proxy auto-discovery is enabled and the user opens a browser, the browser automatically searches the current LAN for a proxy server; if it finds one, it downloads from that proxy server a file called the PAC (Proxy Auto-Config) file. This file defines which proxy server should be used when the user accesses a given URL. The browser downloads and parses the file and applies the resulting proxy settings.

When Windows resolves the name WPAD, it first checks the local hosts file, then DNS; if neither of those says who WPAD is, it falls back to an NBNS broadcast.

In its first stage Potato mainly uses NBNS. But when the machine asks via NBNS who WPAD is, Potato, which runs with ordinary user rights, cannot use sniffing to learn the right moment to send the WPAD response packet. NBNS runs over UDP, a connectionless protocol, and the technique Potato uses here is referred to as a Local NBNS Spoofer. When a host uses NBNS to query for a host name, it sends a Name Query packet.
If the queried host is alive, it returns a Name Query Response packet. This raises a question: how does the querier know which response corresponds to which query? The Transaction ID field of the NBNS protocol solves exactly this.

[figure: NBNS Transaction ID field]

A question and its answer must carry the same Transaction ID. Potato therefore keeps sending Name Query Response packets to port 137 on the local machine, cycling the Transaction ID field through its whole range of 0-65535, that is, 65536 attempts. Whenever the machine sends a Name Query packet for WPAD, one of the responses will always have the matching Transaction ID. The figure below shows three of the many NBNS packets Potato actually sent, as captured in the test; look at the Transaction ID.

[figure: three captured NBNS response packets]

Finally one of them matches, as in the figure. Potato has achieved its goal: the machine now believes that WPAD is its own 127.0.0.1. Pinging WPAD at this point resolves to 127.0.0.1.

[figure: ping WPAD resolving to 127.0.0.1]

The above assumes the querier asks who WPAD is via NBNS. But a host consults DNS before using NBNS; if DNS knows a WPAD, the querier never uses NBNS, and the goal of the first stage falls through. The -disable_exhaust parameter addresses this with what is referred to as the UDP port exhaustion technique, whose purpose is to make DNS fail. The figure below illustrates that DNS is a UDP protocol.

[figure: DNS query over UDP]

Potato binds every UDP port it can, leaving no source port available for the UDP DNS request; once DNS fails, the querier has to fall back to NBNS, and Potato again reaches its first-stage goal.

PS: in theory, as long as the connection is fast enough, this NBNS spoofing should work against any Windows host that communicates over UDP port 137.

Step 2: run a fake WPAD proxy service on the machine

The first stage completed the deception of the machine: it now believes its own 127.0.0.1 is WPAD, so it will fetch the PAC file from WPAD.
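From the defender's side, the Step 1 traffic in the capture above has a distinctive shape: a burst of NBNS Name Query Responses on the loopback interface that differ only in Transaction ID and all answer "WPAD" with 127.0.0.1. The following is an added example for this write-up, not code from the Potato project: it decodes NBNS Name Query Response packets in the RFC 1002 layout (as they would be read out of a RawCap pcap) and flags both indicators. The packet samples, the one-second window and the threshold of 50 distinct Transaction IDs are constructed for the example.

```python
"""Detect the local NBNS Transaction ID brute force from captured responses.

Added example, not Potato project code. Decodes NBNS positive Name Query
Responses (RFC 1002) and flags two indicators of the local WPAD spoof:
  * responses that answer "WPAD" with a loopback address, and
  * many responses for one name that differ only in Transaction ID within
    a short time window.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Optional, Tuple

NB_TYPE = 0x0020  # NetBIOS general name service resource record type


def first_level_encode(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: 16 name bytes -> 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0xF)) for b in raw)


def first_level_decode(encoded: str) -> Tuple[str, int]:
    """Reverse of first_level_encode; returns (name, suffix byte)."""
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, 32, 2)
    )
    return raw[:15].decode("ascii").rstrip(), raw[15]


def decode_nbns_response(pkt: bytes) -> Optional[dict]:
    """Parse a positive Name Query Response; None if the bytes are not one."""
    if len(pkt) < 12:
        return None
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not (flags & 0x8000) or ancount < 1:  # R bit clear, or no answer RR
        return None
    off = 12
    if len(pkt) < off + 44 or pkt[off] != 0x20:  # RR_NAME label is 32 chars
        return None
    name, suffix = first_level_decode(pkt[off + 1:off + 33].decode("ascii"))
    off += 34  # length byte, 32 encoded chars, terminating zero
    rr_type, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != NB_TYPE or rdlen < 6 or len(pkt) < off + 6:
        return None
    addr = IPv4Address(pkt[off + 2:off + 6])  # skip the 2-byte NB_FLAGS
    return {"txid": txid, "name": name, "suffix": suffix, "addr": addr}


def detect_nbns_spoof(packets, window_s=1.0, threshold=50):
    """packets: iterable of (timestamp_seconds, raw_bytes). Returns findings."""
    findings = []
    by_name = defaultdict(list)  # name -> [(ts, txid)]
    loopback_wpad = set()        # txids of WPAD answers pointing at loopback
    for ts, raw in packets:
        rec = decode_nbns_response(raw)
        if rec is None:
            continue
        if rec["name"] == "WPAD" and rec["addr"].is_loopback:
            loopback_wpad.add(rec["txid"])
        by_name[rec["name"]].append((ts, rec["txid"]))
    if loopback_wpad:
        findings.append({"kind": "wpad_loopback", "name": "WPAD",
                         "distinct_txids": len(loopback_wpad)})
    for name, seen in by_name.items():
        seen.sort()
        best, lo = 0, 0
        for hi in range(len(seen)):  # sliding window of at most window_s
            while seen[hi][0] - seen[lo][0] > window_s:
                lo += 1
            best = max(best, len({txid for _, txid in seen[lo:hi + 1]}))
        if best >= threshold:
            findings.append({"kind": "txid_flood", "name": name,
                             "distinct_txids": best})
    return findings


def _sample_response(txid: int, name: str, addr: str) -> bytes:
    """Constructed sample packet for the example: one positive answer RR."""
    header = struct.pack("!6H", txid, 0x8580, 0, 1, 0, 0)  # R, AA, RD, RA set
    rr_name = b"\x20" + first_level_encode(name).encode("ascii") + b"\x00"
    rr = struct.pack("!HHIH", NB_TYPE, 1, 0xA5, 6) + b"\x00\x00" + IPv4Address(addr).packed
    return header + rr_name + rr


# Constructed capture: one benign answer for FILESRV from a LAN address,
# then a burst of 64 WPAD answers differing only in Transaction ID.
SAMPLE_CAPTURE = [(0.0, _sample_response(0x1234, "FILESRV", "10.0.0.5"))] + [
    (0.5 + i / 1000, _sample_response(i, "WPAD", "127.0.0.1")) for i in range(64)
]


def analyze_sample():
    return detect_nbns_spoof(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

Against a real capture, feed `detect_nbns_spoof` the UDP payloads of packets sent to port 137 (dpkt or scapy will give you those); the flood indicator fires on the Transaction ID sweep itself, while the loopback indicator is the stronger signal, since no legitimate NBNS answer should place WPAD on 127.0.0.1.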
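The UDP port exhaustion step is also visible from the host side: one process ends up owning almost every UDP endpoint on the machine. This added example (not Potato project code) parses the text of Windows `netstat -ano`, counts distinct UDP endpoints per PID and reports PIDs above a threshold. The netstat listing embedded below is constructed for the example and is far shorter than a real exhaustion run, so the threshold of 20 is a sample value; on a real host you would look for a count in the thousands.

```python
"""Spot UDP port exhaustion in `netstat -ano` output (Windows).

Added example, not Potato project code. The exhaustion step binds every free
UDP port so that a DNS query has no source port left; the host-side symptom
is a single PID holding an abnormal number of UDP endpoints.
"""
from collections import Counter
from typing import Iterator, List, Tuple


def parse_netstat_ano(text: str) -> Iterator[Tuple[str, str, int]]:
    """Yield (proto, local_address, pid) for each endpoint line of netstat -ano.

    TCP lines carry a State column and UDP lines do not, so the PID is taken
    from the last whitespace-separated field rather than a fixed column.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        yield parts[0], parts[1], int(parts[-1])


def udp_endpoints_by_pid(text: str) -> Counter:
    """Count distinct UDP local endpoints (address:port) held per PID."""
    seen = {(pid, local) for proto, local, pid in parse_netstat_ano(text) if proto == "UDP"}
    return Counter(pid for pid, _ in seen)


def flag_exhaustion(text: str, threshold: int) -> List[Tuple[int, int]]:
    """PIDs holding at least `threshold` UDP endpoints, highest count first."""
    counts = udp_endpoints_by_pid(text)
    return [(pid, n) for pid, n in counts.most_common() if n >= threshold]


# Constructed sample: a service PID with three normal endpoints, and PID 4242
# holding a contiguous run of 40 ephemeral UDP ports plus 127.0.0.1:80.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING       4242
  UDP    0.0.0.0:123            *:*                                    1020
  UDP    0.0.0.0:500            *:*                                    1020
  UDP    [::]:123               *:*                                    1020
""" + "".join(
    f"  UDP    0.0.0.0:{port:<16}*:*                                    4242\n"
    for port in range(49152, 49152 + 40)
)


def exhaustion_sample(threshold: int = 20) -> List[Tuple[int, int]]:
    return flag_exhaustion(SAMPLE_NETSTAT, threshold)


if __name__ == "__main__":
    for pid, count in exhaustion_sample():
        print(f"PID {pid} holds {count} UDP endpoints")
```

Pipe live output in with `netstat -ano | python this_script.py` after replacing the sample with `sys.stdin.read()`; the same parser works on the `[::]:port` form that IPv6 endpoints use because only the leading `Proto` field and the trailing PID are interpreted.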
In Windows, Internet Explorer by default automatically tries to detect the network's proxy settings by accessing "http://wpad/wpad.dat". Surprisingly, this also applies to some Windows services such as Windows Update, although the specifics depend on the Windows version. Potato binds port 80 on 127.0.0.1 and runs an HTTP server; when it receives a request for "http://wpad/wpad.dat", it responds with the following content.