The Web Proxy Automatic Discovery (WPAD) protocol allows clients to obtain proxy configurations for Internet access through a wpad.dat file hosted on a server which address is usually resolved through DNS. This allows corporations to easily manage web proxy configs through a single file.
On old Windows systems (i.e. lacking the MS16-077 security update), the WPAD location could be obtained through insecure name resolution protocols like LLMNR and NBT-NS when standard DNS queries were failing (i.e. no DNS record for WPAD). This allowed attackers to operate LLMNR and NBT-NS spoofing to answer those WPAD queries and redirect to a fake wpad.dat file, hence poisoning the web proxy configuration of the requesting clients, hence obtaining more traffic.
Responder (Python) and Inveigh (Powershell) are great tools for name poisoning. In addition to name poisoning, they also have the ability to start servers (listeners) that will capture authentications and echo the NTLM hashes to the attacker.
The following command will start LLMNR, NBTS and mDNS spoofing. Name resolution queries for the wpad server will be answered just like any other query. Fake authentication servers (HTTP/S, SMB, SQL, FTP, IMAP, POP3, DNS, LDAP, ...) will capture NTLM hashes.
The --wpad option will make Responder start the WPAD rogue server so that fake wpad.dat file can be served to requesting clients.
The --ForceWpadAuth option is needed on servers that applied the MS16-077 security patch. This patch introduced a mitigation that now prevents clients from automatically authenticating. This option forces the authentication request, hence potentially causing a login prompt.
responder --interface eth0 --wpad --ForceWpadAuth
The following command will start LLMNR, NBTS and mDNS spoofing. Name resolution queries for the wpad server will be answered just like any other query. Fake authentication servers (HTTP/S, SMB, SQL, FTP, IMAP, POP3, DNS, LDAP, ...) will capture NTLM hashes (even from machine accounts) and set the Challenge to 1122334455667788 (to crack NTLM hashes with crack.sh).
Inveigh starts a WPAD rogue proxy server by default.
Options like -WPADAuth, -WPADAuthIgnore, -WPADIP, -WPADPort, -WPADResponse (and others) can be used to tweak the WPAD abuse.
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y
through ADIDNS spoofing
On up-to-date machines (i.e. with the MS17-066 security update applied), WPAD can still be abused through ADIDNS spoofing if the WPAD record does not exist. There is however a DNS block list mitigation called GQBL (Global Query Block List) preventing names like WPAD and ISATAP (default entries) to be resolved. This block list exists to reduce vulnerabilities associated with dynamic DNS updates but it can be edited when implementing WPAD.
On up-to-date machines (i.e. with the MS17-066 security update applied), WPAD can still be abused through ADIDNS spoofing, even if the WPAD record does exist. With DNS poisoning through DHCPv6 spoofing, an attacker can reply to DHCPv6 requests, and then reply to DNS queries.
This attack can be conducted with mitm6 (Python), see the DHCPv6 spoofing page for exploitation notes.