
This is a home network: a wireless Linksys router serving around 5 wireless devices and 3 wired ones, two PCs and a PS4.

The router is set up to serve DHCP to client devices. It has a setting to change the DNS domain of the network, but it comes set by default to "domain.name" from the factory. This was never changed.

Since a few days ago, one of the wired PCs (running Windows 10) had been showing internet issues: slow connection, buffering in videos, and sometimes straight-out 404s on every page. Internet Explorer was for some reason set up to detect proxy settings automatically (I don't know if that is the default configuration, but I seriously hope it's not). Disabling that fixed the issue.

However, during the investigation, the browser showed a "Proxy is not responding" page, which surprised me. It stated that the proxy, at a specific IP, was not responding. I then proceeded to go to http://wpad/wpad.dat with the browser and sure enough, a DAT file was downloaded, which seemed to provide two proxy servers: one in Madrid and another one in the US.

Remember that the router is providing "domain.name" as the DNS domain? It turns out that someone must have set up something that serves that DAT file for WPAD in that domain (you can probably get that file right now, I won't provide a link just in case but you can probably figure out the URL). My guess is that those proxies stopped working, and thus the PC started to show those issues.

Needless to say, I changed the domain name in the router immediately.

My main concern right now is multifold:

  • Is there a high risk of sensitive data leak? I'm talking about banking stuff (which should have gone through HTTPS, so I think it won't be affected). I don't know for how long the PC in question was compromised.
  • Should I consider formatting the PCs, or nuking the whole network?
  • Could the non-Windows machines (the PS4, android devices, a Macbook Pro) have been compromised?
dhcarmona
  • It would seem you can get a lot of data from WPAD -> https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/ – jrtapsell Dec 28 '17 at 20:49

2 Answers


Assume everything could have been compromised, then balance the effort of nuking everything vs. the risk of rootkit/continued data interception (and the value of keeping that data confidential).

HTTPS can be defeated easily by SSLstrip - the proxies could have never offered you a HTTPS session, so unless you pay attention to which parts of your bank webpage should be encrypted, and check that they are, you could have sent your bank data in cleartext.

Any system that downloads and installs software (without enforcing that the installer has a trusted digital signature, specific to the software vendor) could have been affected; i.e. a virus posing as a software update automatically gets run as system/root to install.

Any username/password you use to log into your system could also have been requested by the proxy.

CGretski
  • Good answer, but providing a link to SSLstrip (wikipedia for instance) would have probably been extra helpful – Samuel Allan Feb 08 '18 at 23:39
  • @SamuelAllan then why not give it yourself: https://moxie.org/software/sslstrip/ and https://en.wikipedia.org/wiki/Moxie_Marlinspike#SSL_stripping – Patrick Mevzek Apr 22 '18 at 22:22

I am so sorry to say that it is not only you, but lots of internet users are unaware that http://wpad/wpad.dat and http://proxy/proxy.pac and variations are used by default for automatic proxy discovery. Once you join any network/wifi, whatever security is offered for the uplink, you will need an IP address served by a DHCP server that will tell you its ‘friendly’ DNS setting, and wpad is just there, in the middle, between you and the rest of us. Who do you trust?

bbaassssiiee