WPAD? #3
Comments
Great idea! I haven't tried it, but agree supporting WPAD on the DHCP and DNS server would be great...in fact, by injecting a PAC, you could then get the user to send all of their HTTPS URLs back to the attacker.
just wanted to say i love your work!
You just need to answer DNS A requests for WPAD.*

```javascript
function FindProxyForURL(url, host) {
  return 'PROXY proxyhost:3141; DIRECT';
}
```

You could also force NTLM authentication when the wpad is requested and other fun things. https://github.com/lgandx/Responder
The reason I mention DHCP is that A) typically the WPAD DNS request is only done on browser startup in my understanding, and in our case the browser is already open, and B) it's possible the DNS server is pointing to a local IP, meaning PoisonTap will never see those WPAD DNS requests (PoisonTap can only then interfere with the HTTP communication to the public IPs that are ultimately resolved by the internal DNS server); however, PoisonTap does still have the ability to include WPAD during the DHCP response.
Presumably you have seen the work from mubix (https://room362.com/post/2016/snagging-creds-from-locked-machines/)? That uses WPAD via Responder (https://github.com/SpiderLabs/Responder) to carry out the attack.
@Oneiroi @samyk
As I'm using a hand-built composite gadget, I plan to add in HID support, which needs testing, as I don't want to destroy the Plug'n'Play capability. So as the needed Responder patches are already sent with a PR, you're maybe interested. Another idea is to use nmap for target OS discovery, with the shortcoming of raising the boot time of the Pi, so this has to be tested, too.
I'm still cleaning my scripts to bring my (now called P4wnP1) project online. I want to kindly ask you to review the "Modification to PoisonTap approach of fetching traffic to the whole IPv4 address range" section of my README, because I want to make sure you don't have any implications with it.
Have you tried to force-feed a Windows 'victim' a WPAD response to get some of that sweet HTTPS action?