Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution. (Laurent Gaffiรฉ)
DHCP REQUEST
messagesoption 252
in the network parameters, with a short lease (10 seconds). Responder can also be used to attempt at injecting a DNS server instead.wpad.dat
file on the rogue WPAD. Responder will then require the client to authenticate.-d/--DHCP
(WPAD injection) argument. By default, a rogue WPAD server will be injected in the configuration. If the additional-D/--DHCP-DNS
argument is set, a rogue DNS server address will be injected in the configuration instead of a WPAD.-d/--DHCP
argument. Those options can also be used along -D/--DHCP-DNS
since the WPAD DNS entry will be one of the first queries by the poisoned machine.-w/--wpad
option to start the WPAD rogue server so that fake wpad.dat
file can be served to requesting clients (i.e. WPAD spoofing)-P/--ProxyAuth
option to force the Windows client to authenticate after the wpad.dat
is accessed and when the client starts using the proxy