Gary Jones

Using Responder to Capture Network Credentials via WPAD Cache Poisoning

Situation:

This project aimed to use the Responder tool on devbox.artstailor.com to perform WPAD cache poisoning and capture network credentials. Access was gained to devbox.artstailor.com through previously compromised credentials (t.turing), and root access was achieved using a known exploit.


Obstacles:

  1. Conflicting Services:
    • The Apache2 and SMB services interfered with Responder's functionality by occupying key ports.
  2. Data Extraction:
    • Capturing and identifying relevant network credentials required precise filtering of TCP packets.
  3. Responder Setup:
    • Dependencies and environment setup for running Responder on devbox.artstailor.com.

Actions Taken:

  1. Establishing Access:
    • Logged into costumes.artstailor.com with administrative credentials (pr0b3admin) and disabled antivirus software.
    • Used Proxychains and Chisel to tunnel traffic and SSH into devbox.artstailor.com using t.turing credentials.
    • Gained root privileges on devbox.artstailor.com using the sudo -u#-1 exploit.
  2. Setting Up Responder:
    • Copied Responder from /usr/share/responder on the Kali machine to devbox.artstailor.com.
    • Stopped conflicting services (Apache2 and SMB) using service and kill commands.
  3. TCP Traffic Analysis:
    • Ran tcpdump to capture HTTP traffic and stored the results in a .pcap file for analysis.
    • Transferred the .pcap file to Kali for inspection in Wireshark, confirming the presence of WPAD-related traffic.
  4. Running Responder:
    • Executed Responder with the command:
      python Responder.py -I ens32 -wFb
    • Poisoned the WPAD cache to redirect traffic to a rogue proxy, capturing network credentials.
  5. Credential Extraction:
    • Decoded captured Base64 authorization strings to obtain the following credentials:
      • Username: not.nomen
      • Password: KEY015-SensitiveData==

Results:

  1. Credentials Captured:
    • Successfully captured WPAD traffic and extracted the credentials for the user not.nomen.
    • Identified the vulnerability in the WPAD service allowing credential interception.
  2. Critical Security Flaw:
    • WPAD cache poisoning exposed sensitive credentials to attackers, demonstrating a severe risk.
  3. DREAD Risk Score:
    • Score: 7.2 (Critical).
    • Highlights damage potential, exploitability, and reproducibility of the attack.

Tool Purpose Overview:

Responder:

  • Poisoned the WPAD cache, redirecting network traffic to capture sensitive credentials.

tcpdump:

  • Captured network packets for analysis, enabling identification of HTTP traffic and WPAD communications.

Wireshark:

  • Analyzed .pcap files and confirmed the presence of captured credentials in WPAD traffic.

Chisel and Proxychains:

  • Facilitated tunneling and SSH access to the internal network.

Recommendations:

  1. Disable WPAD:
    • Disable automatic proxy discovery (WPAD) on clients, or publish an authoritative DNS entry for the wpad name so that clients never fall back to broadcast name resolution that a rogue host can answer.
  2. Enforce HTTPS:
    • Migrate all internal and external services to HTTPS, eliminating reliance on unencrypted HTTP traffic.
  3. Restrict Privilege Escalation:
    • Patch sudo so that the sudo -u#-1 bug used on devbox.artstailor.com no longer grants root to a restricted user.
  4. Monitor Network Traffic:
    • Implement intrusion detection systems to monitor and log unusual traffic patterns.
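
As an added detection example (not code from the original write-up or from the Responder project), the following Python script scans summarized HTTP request lines, such as those recovered from the tcpdump capture, for the two signals this engagement produced: a wpad.dat fetch answered by a host other than the organization's proxy, and a Proxy-Authorization: Basic header crossing the wire in cleartext. The line format, the trusted proxy address and the sample lines are assumptions constructed for the example; the script reports the username but never the decoded secret.

```python
import base64
import re

# Proxy hosts allowed to serve wpad.dat on this network (assumed placeholder value).
TRUSTED_WPAD_SERVERS = {"10.0.0.5"}

# Constructed request summaries, "src > dst METHOD target HTTP/1.x Header: value; ...".
# Addresses and the credential are made up; the Basic token is built here so it stays readable.
_FAKE_TOKEN = base64.b64encode(b"alice:s3cret").decode()
SAMPLE_LINES = [
    "10.0.0.23 > 10.0.0.5 GET /wpad.dat HTTP/1.1 Host: wpad",
    "10.0.0.23 > 10.0.0.99 GET /wpad.dat HTTP/1.1 Host: wpad",
    f"10.0.0.23 > 10.0.0.99 GET http://intranet/ HTTP/1.1 Host: intranet; Proxy-Authorization: Basic {_FAKE_TOKEN}",
    "10.0.0.42 > 10.0.0.5 GET /index.html HTTP/1.1 Host: intranet",
]
LINE_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+) (?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01](?: (?P<headers>.*))?$")


def parse_line(line):
    """Split one summary line into fields; headers become a lower-cased dict. None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    items = (item.partition(": ") for item in (rec["headers"] or "").split("; "))
    rec["headers"] = {name.lower(): value for name, sep, value in items if sep}
    return rec


def basic_auth_user(value):
    """Return only the username from a 'Basic <base64>' value; the secret never leaves here."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error subclasses ValueError: malformed or truncated token
        return None
    return decoded.partition(":")[0] or None


def analyze(lines):
    """Flag wpad.dat fetched from an untrusted host, and Basic proxy credentials sent in cleartext."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["target"].lower().endswith("wpad.dat") and rec["dst"] not in TRUSTED_WPAD_SERVERS:
            findings.append({"type": "untrusted_wpad_server", "src": rec["src"], "dst": rec["dst"]})
        user = basic_auth_user(rec["headers"].get("proxy-authorization", ""))
        if user:
            findings.append({"type": "cleartext_proxy_auth", "src": rec["src"], "dst": rec["dst"], "user": user})
    return findings
```

Run against SAMPLE_LINES the script returns two findings: the wpad.dat fetch served by 10.0.0.99 and the Basic credential for alice sent to that same host, which is exactly the rogue-proxy pattern an IDS rule should alert on.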
