WPAD Listener

2013-09-30T00:00:00
ID SAINT:97FDCA5A04F5739D4DC5829E0866DCDE
Type saint
Reporter SAINT Corporation
Modified 2013-09-30T00:00:00

Description

Added: 09/30/2013

Background

The LLMNR (Local Link Multicast Name Resolution) protocol is used to answer wpad requests sent by Microsoft Windows. A rogue WPAD server delivers a wpad.dat file to poisoned hosts forcing them to proxy web requests through the SAINT server. In addition, browsers are tricked into sending the credentials of the logged in user by attempting to force the browser to use NTLM authentication. NTLMv2 hashes are captured with a known/static challenge of 1122334455667788. Hashes can be cracked using John the Ripper 1.7.9-jumbo-7 from www.openwall.com/john

Limitations

This tool only works against machines configured with Automatic Proxy Configuration turned on (default) and on versions of Microsoft Windows Vista and later.

Resolution

WPAD should not be enabled if it is not something that is being used by your orginazation. It can be turned off manually or using group policy.