From charlesreid1

What is it?

WPAD is an Internet Explorer vulnerability in the way that IE searches for a proxy server. When IE is set to auto-detect proxy settings, it sends out a request for a server named WPAD to ask for a proxy server IP address. A malicious attacker can set up their own proxy server, and listen for that WPAD request. When the request comes in, the attacker responds with the fake proxy's IP address.

To add additional maliciousness, you can ask the user to re-enter their network credentials, and then store those.

In the end, the sheep's browser has asked for, and received, an IP address for what it thinks is a trusted web proxy on a trusted network. However, the web proxy is actually controlled by the attacker. Thus, the sheep's browser is now willingly passing all of its traffic through this hostile proxy server.


The MITMf (man in the middle framework) is capable of doing this: