Within a corporate network, system administrators usually allow employees to access the internet through a proxy server. The proxy server usually improves performance and security, and monitors web traffic entering and leaving the corporate network. WPAD is a technique that is used on client machines to discover the URL of a configuration file via DHCP discovery methods. Once a client machine discovers a file, it is downloaded on the client machine and executed. The script will determine the proxy for the client.

In this exercise, we are going to use Responder on Kali Linux to capture a victim's user credentials. Before we begin, the following topology will be used in this exercise:

Using the following steps, we will be able to easily exploit WPAD in a Windows environment:

1. Ensure that the Windows 10 client machine has joined the domain hosted by Windows Server.
2. On your Kali Linux machine, change your working directory to the Responder location using the cd /usr/share/responder command.

3. Execute the python Responder.py -I eth0 -wFb command:

The switches used in the snippet provide the following functions:

• • -I: Specifies the interface to use
  • -w: Enables the WPAD rogue proxy server
  • -F: Forces NTLM authentication on wpad.dat file retrieve
  • -b: Is used to return basic HTTP authentication

4. When the victim attempts to browse or access any local resources on the network, the following login window will appear:

Just as a reminder, all logs generated and data captured by Responder are stored in the /usr/share/responder/logs directory. Now, you are able to capture employees' user credentials by exploiting WPAD on a corporate network:

In the next section, we will learn about Wireshark.