Web Proxy Auto-Discovery (WPAD) Security Bundle


#1

### Bundle details and download
https://downloads.extrahop.com/bundles/richmans/web-proxy-auto-discovery-wpad-security-bundle/

### Description
This dashboard addresses “aPAColypse now”, a novel attack approach which chains multiple Windows vulnerabilities together and takes advantage of default Web Proxy Auto-Discovery (WPAD) behavior.


#2

It’s throwing exceptions. Anyone else seeing this? ExtraHop support said it’s not an ExtraHop Supported Bundle, so they can’t help me figure out what to do about these exceptions.

Thu Dec 28 14:36:04
Line 265: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 14:36:01
Line 258: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 14:35:53
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Thu Dec 28 14:35:44
Line 278: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 13:41:36
Line 265: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 13:41:34
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Thu Dec 28 13:41:24
Line 258: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 13:41:02
Line 278: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 12:50:34
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Thu Dec 28 12:50:33
Line 258: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 12:50:32
Line 265: Uncaught Error: Not enough buffered data to unpack.

Thu Dec 28 12:49:54
Line 278: Uncaught Error: Not enough buffered data to unpack.


#4

Sorry for the errors! Here is a newer version of the bundle which should hopefully correct most if not all of what you are seeing. If you have any issues with it, please let me know.

Thanks!

aPAColypseNowWPADAttackDetection_final_v5.json (242.9 KB)


#5

Thanks for looking at this. I tried the updated version and still getting these:

Tue Jan 16 12:58:11
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:58:04
Line 260: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:58:04
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:57:58
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:57:33
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:57:25
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:57:07
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:56:56
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:56:54
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:56:28
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:56:21
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:55:54
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:55:53
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:55:27
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:55:14
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:54:53
Line 286: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 12:54:46
Line 72: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 12:54:27
Line 72: Uncaught Error: key2: Key cannot be an empty string.


#7

Ah, looks like my new trigger didn’t make it into that bundle. Attached is a replacement trigger which you can just paste over the existing trigger code. Let me know how it works for you! You may still get some of the “buffered data” errors, but if they are minimal, they do not represent a significant malfunction of the trigger.

wpad_trigger.txt (19.3 KB)


#8

Still the same. This is line 71 that has the error:
Application(app).metricAddDetailCount("Unapproved WPAD DHCP Response Detail URI", PAC_File_URI, 1)

Tue Jan 16 15:30:52
Line 71: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 15:30:37
Line 277: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 15:30:26
Line 322: Uncaught Error: Not enough buffered data to unpack.

Tue Jan 16 15:30:23
Line 71: Uncaught Error: key2: Key cannot be an empty string.

Tue Jan 16 15:29:59
Line 71: Uncaught Error: key2: Key cannot be an empty string.

Looks like I really am getting empty strings for the DHCP Response URI in some cases.
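One way to guard the detail-metric call against the empty PAC URI described in this post, written as an added example rather than the bundle's own trigger code. The `Application` stub, the option-252 decoding and the approved-URI list are assumptions standing in for the ExtraHop trigger runtime and the deployment's own configuration; the DHCP payload bytes are constructed.

```javascript
// Added example (not from the bundle): validate the WPAD PAC URI taken from a
// DHCP option 252 response before using it as a detail-metric key, because
// Application(name).metricAddDetailCount(metric, key, count) rejects an empty
// key with "key2: Key cannot be an empty string."

// Assumed stand-in for the ExtraHop runtime; records calls so they can be inspected.
const recorded = [];
function Application(name) {
  return {
    metricAddDetailCount(metric, key, count) {
      if (key === '') throw new Error('key2: Key cannot be an empty string.');
      recorded.push({ app: name, metric, key, count });
    },
  };
}

// Decode an option 252 payload into a URI. Some clients and servers send the
// option with a trailing NUL, with only whitespace, or with no value at all.
function pacUriFromOption252(payload) {
  const text = Buffer.from(payload).toString('latin1');
  return text.replace(/\0+$/, '').trim();
}

// Case-insensitive match against the list of PAC URIs the organisation expects.
function isApprovedPacUri(uri, approvedUris) {
  return approvedUris.some(a => a.toLowerCase() === uri.toLowerCase());
}

// Records an "Unapproved WPAD DHCP Response Detail URI" entry only for a
// non-empty, unapproved URI. Returns the key recorded, or null when nothing
// was recorded (empty value or approved URI).
function recordUnapprovedWpadDhcp(app, payload, approvedUris) {
  const uri = pacUriFromOption252(payload);
  if (uri === '') return null;                 // empty value: skip instead of throwing
  if (isApprovedPacUri(uri, approvedUris)) return null;
  Application(app).metricAddDetailCount('Unapproved WPAD DHCP Response Detail URI', uri, 1);
  return uri;
}
```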


#9

Indeed, that does seem like the case. Please try the modified trigger below. My apologies for the back-and-forth; I am on the road and I don’t have access to my lab to test.
wpad_trigger_v2.txt (19.7 KB)


#10

Thanks richmans! That took care of the empty string error! I’m still getting a lot of the buffered data errors, but maybe that’s ok?


#11

Glad to hear it! I’ll be spending more time on correcting the buffered data errors, which I have seen show up in varying degrees at different customers, so if you have some time next week to jump on a quick remote session, I’ll be happy to do some debugging in your environment. You can contact me at richmans@extrahop.com to coordinate.

I hope the bundle is providing you with valuable insights! WPAD related attacks and vulnerabilities seem to be increasing in frequency every day.


#12

Love this bundle. But I see a lot of false positives on the Unapproved WPAD HTTP Responses. We believe it is the regex that is being used, but we are still investigating. I believe it is picking up servers that are passing the Apache server attribute back in the header, but I still need to test more. And it was still having some errors about unpacking in our environment as well.
Thanks for putting this out.