-
Notifications
You must be signed in to change notification settings - Fork 118
Advanced
DHCPv6 or the ADIDNS (coming soon) WPAD attack can be leveraged to capture hashes from default connection endpoints. Windows reaches out to endpoints for weather updates, etc. A lot of these connections are under a user context. User hashes can be captured without requiring the logged in users to perform any actions.
Most of the connections are over HTTPS so proxy auth works well. I've had limited success triggering authentication directly from the few that are HTTP.
-
Endpoints
https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints
https://docs.microsoft.com/en-us/windows/privacy/manage-windows-2004-endpoints -
Example
Inveigh.exe -DHCPv6 Y -WPADAuth anonymous -Proxy Y -
Cleanup
The wpad configs seem to stick around for awhile to to prevent Windows from continuing to reach out to your proxy, an all direct proxy can be delivered to clear out the config.
Inveigh.exe -DHCPv6 Y -WPADAuth anonymous
DHCPv6 spoofing can be conducted against the host running Inveigh in order to add a DNS server to the list.
- Example
Inveigh.exe -Elevated N -DHCPv6 Y -DHCPv6Local Y