WPAD (Proxy Auto-Discovery) Abuse

Why it matters

If “Automatically detect settings” is enabled, clients resolve the name wpad and fetch a PAC file from it. An attacker who controls that name resolution can serve a malicious PAC that points clients at a rogue proxy, then capture the NTLM proxy authentication (NetNTLMv2) the clients send to it and use those credentials to gain a foothold.

Vulnerability Requirements

  • “Automatically detect settings” enabled via WinINet/Edge policy.
  • No legitimate wpad host/DNS/DHCP option 252 in use, or attacker can win resolution on the segment.
  • Outbound reachability to attacker’s proxy port.

How it works

  • Attacker spoofs the wpad name
  • Victim fetches wpad.dat
  • PAC points the victim at the attacker's proxy
  • Proxy answers with 407 Proxy Authentication Required
  • Victim negotiates NTLM with the proxy
  • Attacker captures or relays the NetNTLM response

Tools

Detection & hardening

  • Disable “Automatically detect settings” and use either an explicit proxy or a pinned PAC URL served over HTTPS and resolved through DNS only.
  • If WPAD is required, publish a real wpad host over HTTPS and restrict who can change the PAC file.
  • Monitor for requests to http://wpad/wpad.dat and for Proxy-Authorization headers carrying NTLM tokens.
  • Egress-filter connections to unexpected proxy ports.
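The two monitoring indicators above (fetches of wpad.dat and NTLM proxy authentication towards a proxy that is not yours), as an added detection example that is not part of the original page. It runs over constructed log lines in a simple space-separated layout; APPROVED_PROXIES is an assumed value, and the NTLMSSP message type is read from the decoded token so that a type 3 (Authenticate) message, which carries the NetNTLMv2 response, can be told apart from a type 1 (Negotiate).

```python
import base64
from urllib.parse import urlparse

# Proxies the organisation legitimately runs; assumed value for this example.
APPROVED_PROXIES = {"10.0.0.5:3128"}

# Constructed sample lines in a simple layout:
#   <time> <client> <server:port> <method> <url> <status> <Proxy-Authorization value or ->
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.21 10.0.0.99:80 GET http://wpad/wpad.dat 200 -
2024-05-01T09:00:02Z 10.0.0.21 10.0.0.99:8080 GET http://intranet/ 407 -
2024-05-01T09:00:03Z 10.0.0.21 10.0.0.99:8080 GET http://intranet/ 407 NTLM TlRMTVNTUAABAAAA
2024-05-01T09:00:04Z 10.0.0.21 10.0.0.99:8080 GET http://intranet/ 200 NTLM TlRMTVNTUAADAAAA
2024-05-01T09:05:10Z 10.0.0.35 10.0.0.5:3128 GET http://intranet/ 200 NTLM TlRMTVNTUAADAAAA
"""


def ntlm_message_type(header_value):
    """Return the NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate), else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return int.from_bytes(raw[8:12], "little")


def find_wpad_abuse(log_text):
    """Return (time, client, rule, detail) tuples for lines matching either indicator."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=6)  # the auth value may itself contain a space
        if len(fields) != 7:
            continue
        when, client, server, _method, url, _status, proxy_auth = fields
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Indicator 1: a PAC fetch from a host named wpad (or wpad.<domain>).
        if (host == "wpad" or host.startswith("wpad.")) and parsed.path.lower() == "/wpad.dat":
            findings.append((when, client, "wpad_fetch", url))
        # Indicator 2: an NTLM token sent to a proxy that is not on the approved list.
        msg_type = ntlm_message_type(proxy_auth)
        if msg_type is not None and server not in APPROVED_PROXIES:
            findings.append((when, client, "ntlm_to_unapproved_proxy", f"{server} type{msg_type}"))
    return findings
```

On the sample above the rogue proxy 10.0.0.99 produces three findings (the PAC fetch, a type 1 and a type 3 NTLM message) while the same type 3 message to the approved proxy is left alone.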