-
-
Notifications
You must be signed in to change notification settings - Fork 775
WPAD
WPAD stands for Web Proxy Auto-Discovery or Proxy Auto-Configuration (PAC).
This protocol was implemented on Internet Explorer 5.0, and the concept is to auto-configure local proxy servers on the user browser.
There is several way to configure a WPAD:
- Manually insert a WPAD server in IE -> Options -> Connection Settings -> Lan Settings.
- DHCP options 252.
- Multicast/Broadcast WPAD lookup.
Responder takes advantage of that and effectively poison WPAD broadcast/multicast queries and redirect the victim browser to its WPAD server.
Here there is two scenario:
- Force authentication when serving the WPAD file (Responder switch -F) and grab hash.
- Once the authentication has been grabbed, all browser request will be proxy-ed by Responder.
- Just serve the file, then proxy all browser requests.
Responder WPAD script is specified in Responder.conf and should be changed for your needs (at least the hardcoded name "ProxySrv"):
WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
This function contains the following directives:
-
Use a proxy server for all connections.
-
Responder proxy server is set to ProxySrv:3141 and ProxySrv:3128
-
For any *.ProxySrv requests or if the request is for localhost/127.0.0.1, don't use the proxy.
-
If this proxy server fails for whatever reason, then access the website directly.
Once the requests goes through Responder proxy, a UNC inside a tag is inserted on all requests to grab SMB hashes. This payload can be changed in Responder.conf with the setting "HTMLToInject =".
Responder WPAD proxy server gets activated by providing the "-w" command line switch.
Forcing WPAD file authentication is with the "-F" command line switch.
Example:
./Responder.py -I eth0 -rFwv