Advanced
DHCPv6 or the ADIDNS (coming soon) WPAD attack can be leveraged to capture hashes from default connection endpoints. Windows reaches out to a lot of connection endpoints for weather updates, etc. A lot of these connections are made under a user context. Through WPAD and proxy auth, user hashes can be captured without requiring the logged-in users to perform any actions.
Most of the connections are over HTTPS so proxy auth works well. I've had limited success triggering authentication directly to the few that are HTTP.
https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints
https://docs.microsoft.com/en-us/windows/privacy/manage-windows-2004-endpoints
-
Example
Inveigh.exe -DHCPv6 Y -WPADAuth anonymous -Proxy Y
-
Cleanup
The WPAD configs seem to stick around for a while. To prevent Windows from continuing to reach out to your proxy, an all-DIRECT WPAD config can be delivered to clear out the cached config.
Inveigh.exe -DHCPv6 Y -WPADAuth anonymous
DHCPv6 spoofing can be conducted against the host running Inveigh in order to add a DNS server to the list.
-
Example
Inveigh.exe -DHCPv6 Y -DHCPv6Local Y
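Added defensive example, not part of Inveigh or this wiki: a network sensor watching for the DHCPv6 DNS-server injection described above would parse ADVERTISE/REPLY messages and flag any DNS server (option 23) that is not on an allowlist. The allowlist address (fd00::53) and the sample messages are constructed for illustration.

```python
import ipaddress
import struct

# DHCPv6 message types and option code (RFC 8415 / RFC 3646)
MSG_SOLICIT, MSG_ADVERTISE, MSG_REPLY = 1, 2, 7
OPT_DNS_SERVERS = 23

# Constructed allowlist: the resolver(s) your real DHCPv6 server is allowed to hand out
TRUSTED_DNS = {ipaddress.IPv6Address("fd00::53")}

def parse_options(payload):
    """Yield (code, data) for each option following the 4-byte DHCPv6 header."""
    offset = 4
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        data = payload[offset:offset + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option")
        yield code, data
        offset += length

def dns_servers(payload):
    """Return every IPv6 DNS server carried in option 23 of a DHCPv6 message."""
    servers = []
    for code, data in parse_options(payload):
        if code == OPT_DNS_SERVERS:
            if len(data) % 16:
                raise ValueError("DNS server option length is not a multiple of 16")
            servers += [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]
    return servers

def rogue_dns_servers(payload, trusted=TRUSTED_DNS):
    """Server-to-client messages only; return advertised DNS servers outside the allowlist."""
    if payload[0] not in (MSG_ADVERTISE, MSG_REPLY):
        return []
    return [s for s in dns_servers(payload) if s not in trusted]

def build_message(msg_type, dns):
    """Build a minimal DHCPv6 message with option 23 (constructed test data, not a capture)."""
    data = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return bytes([msg_type]) + b"\x00\x00\x01" + struct.pack("!HH", OPT_DNS_SERVERS, len(data)) + data

if __name__ == "__main__":
    print("legit :", rogue_dns_servers(build_message(MSG_REPLY, ["fd00::53"])))
    print("rogue :", rogue_dns_servers(build_message(MSG_ADVERTISE, ["fe80::1"])))
```

In a real deployment the payload would come from a capture of UDP port 546 traffic; an ADVERTISE or REPLY that yields a non-empty result is a candidate rogue DHCPv6 server.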