Fix aPAColypse WPAD But Don't Break DA

  • Question

  • Hi,

    Looking to implement a fix for aPAColypse WPAD exploit.

    But, for example, on Windows 10, stopping "WinHTTP Web Proxy Auto-Discovery Service" will also stop "Network Connectivity Assistant" and "IP Helper". These are required for Direct Access to work. Does anyone know a way around this?

    Thanks


    Please remember to mark the replies as answers if they helped.

    Tuesday, January 9, 2018 11:56 AM

All replies

  • Like you said, I think you will cause problems by forcing the service to be stopped at the service level. NCA isn't necessary for DA (though it's nice to have the NCA running for user visibility into the DA connection), but stopping IP Helper will certainly stop DirectAccess.

    WPAD can happen via DHCP or DNS, but the much more likely scenario for an attack would be DNS, as it is my understanding that an attacker would have to be on-network with a fake DHCP server in order to exploit it at the DHCP level, and how likely is that really?

    For DNS disruption of WPAD, you could put a fake entry in the HOSTS file. Something like "0.0.0.0 WPAD" - this would force WPAD to fail to connect all the time, at the DNS level.

    You are also supposedly able to disable WPAD in the registry. What I don't know is whether this blocks it at some other level, or if it just simply stops the service, which could then again interfere with DirectAccess. But if you wanted to test it out on a couple of machines and see what happens, here is the regkey:

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc"

    The value of "Start" can be set to 4 (disabled).

    Friday, January 12, 2018 2:16 PM
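
The settings discussed in the reply above can be inspected before anything is changed. This is an added example, not part of the original thread: a read-only PowerShell function that reports the WinHttpAutoProxySvc Start value, the services that depend on it, and any HOSTS entry for WPAD. The function name and output property names are hypothetical.

```powershell
# Added example: read-only audit of the WPAD settings named in the reply.
# Nothing on the machine is modified; the function only reports current state.
function Get-WpadMitigationState {
    [CmdletBinding()]
    param(
        # Service key quoted in the reply
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc',
        # Default HOSTS file location on Windows
        [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )

    # Start value: 2 = automatic, 3 = manual, 4 = disabled
    $start = (Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction Stop).Start

    # Services that depend on WinHttpAutoProxySvc and would stop along with it
    $svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction Stop
    $dependents = $svc.DependentServices |
        ForEach-Object { '{0} ({1}): {2}' -f $_.Name, $_.DisplayName, $_.Status }

    # Active HOSTS lines (comments stripped) that map the bare name "wpad"
    $hostsEntries = @()
    if (Test-Path -LiteralPath $HostsPath) {
        $hostsEntries = @(Get-Content -LiteralPath $HostsPath |
            ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
            Where-Object { $_ -match '^\S+\s+(.*\s)?wpad(\s|$)' })
    }

    [pscustomobject]@{
        ServiceStartValue  = $start
        ServiceDisabled    = ($start -eq 4)
        ServiceStatus      = $svc.Status
        DependentServices  = $dependents
        HostsWpadEntries   = $hostsEntries
        # True when a line such as "0.0.0.0 WPAD" is present
        HostsSinkholesWpad = [bool]($hostsEntries | Where-Object { $_ -match '^0\.0\.0\.0\s' })
    }
}

Get-WpadMitigationState | Format-List
```

Running it on a test machine before and after each change shows which dependent services are affected, which is the concern raised in the question.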