Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution. (Laurent Gaffié)
option 252 in the network parameters, with a short lease (10 seconds). Responder can also be used to attempt to inject a DNS server instead.
wpad.dat file on the rogue WPAD. Responder will then require the client to authenticate.
-d/--DHCP (WPAD injection) argument. By default, a rogue WPAD server will be injected in the configuration. If the additional -D/--DHCP-DNS argument is set, a rogue DNS server address will be injected in the configuration instead of a WPAD.
-d/--DHCP argument. Those options can also be used along with -D/--DHCP-DNS since the WPAD DNS entry will be one of the first queries by the poisoned machine.
-P/--ProxyAuth option to force the Windows client to authenticate after the wpad.dat is accessed and when the client starts using the proxy
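A detection-side check for the DHCP answers described above, as an added example that is not Responder's code or part of the original page: it parses the options of a DHCPOFFER/DHCPACK and flags option 252, a lease shorter than expected, and DHCP or DNS servers that are not on an allowlist. The addresses, the allowlists, the `MIN_LEASE` threshold and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie after the 236-byte BOOTP header
TRUSTED_SERVERS = {"192.0.2.1"}  # assumption: the site's legitimate DHCP server
TRUSTED_DNS = {"192.0.2.53"}     # assumption: the site's legitimate resolver
MIN_LEASE = 300                  # assumption: shortest lease (s) the real server issues

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End
        code = payload[i]
        if code == 0:                               # Pad has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def findings(payload: bytes) -> list:
    """Flag the settings described above in a DHCPOFFER or DHCPACK."""
    opts = parse_options(payload)
    if opts.get(53) not in (b"\x02", b"\x05"):      # 2 = OFFER, 5 = ACK
        return []
    out = []
    server = str(ipaddress.IPv4Address(opts[54])) if len(opts.get(54, b"")) == 4 else "unknown"
    if server not in TRUSTED_SERVERS:
        out.append(f"unlisted DHCP server {server}")
    if 252 in opts:
        out.append("option 252 (WPAD): " + opts[252].decode("ascii", "replace"))
    lease = struct.unpack("!I", opts[51])[0] if len(opts.get(51, b"")) == 4 else None
    if lease is not None and lease < MIN_LEASE:
        out.append(f"short lease: {lease} s")
    dns = opts.get(6, b"")
    for j in range(0, len(dns) - len(dns) % 4, 4):
        addr = str(ipaddress.IPv4Address(dns[j:j + 4]))
        if addr not in TRUSTED_DNS:
            out.append(f"unlisted DNS server {addr}")
    return out

# Constructed sample: DHCPACK from 198.51.100.7, 10-second lease, option 252 set.
SAMPLE = (bytes(236) + MAGIC + bytes.fromhex("350105" "3604c6336407" "33040000000a" "fc1c")
          + b"http://198.51.100.7/wpad.dat" + b"\xff")
```

`findings()` takes the UDP payload of a DHCP reply, for example from a capture on a monitoring port; an empty list means nothing in the answer matched.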