by jlgaddis
3568 days ago
(It's actually "broadcasting" to the proxy (WPAD) server.)

I just skimmed the article, but the idea sounded really familiar (so forgive me if I'm wrong), but this is what I think is going on...

You set up a "rogue" host providing DHCP and proxy services. In the DHCP response to the client, the server can tell the client what proxy server to use (see "WPAD"). When the client contacts it, the "rogue" proxy server then basically sends back an "Authorization Required" to the client (workstation), noting that NTLM authentication is just fine, thank you. That client will then happily respond and send along its (NTLM) credentials to the "rogue" server.

If I were on a computer I'd do a quick Google. I'm almost certain that I've read of pretty much this same exact attack before.

Edit: Here's a very, very similar attack over three years ago: https://www.trustedsec.com/july-2013/wpad-man-in-the-middle-...
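An added example, not from the comment above or the article it discusses: a defender-side check that parses a DHCP option block and flags a WPAD proxy-autoconfig URL (option 252) whose host is not on a sanctioned allowlist. The allowlist and the packet bytes built by `build_options` are constructed for illustration.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlparse

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
OPT_WPAD = 252   # "auto-proxy-config": URL of the PAC (wpad.dat) file
OPT_PAD = 0
OPT_END = 255


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value} for the TLV options after the magic cookie."""
    start = payload.find(DHCP_MAGIC_COOKIE)
    if start < 0:
        raise ValueError("no DHCP magic cookie in payload")
    i = start + len(DHCP_MAGIC_COOKIE)
    opts: Dict[int, bytes] = {}
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def rogue_wpad(payload: bytes, allowed_hosts: Set[str]) -> Optional[str]:
    """Return the PAC URL if option 252 points at a host outside the allowlist, else None."""
    opts = parse_dhcp_options(payload)
    if OPT_WPAD not in opts:
        return None
    url = opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", "replace")
    host = (urlparse(url).hostname or "").lower()
    return None if host in allowed_hosts else url


def build_options(wpad_url: str) -> bytes:
    """Constructed option block: cookie, message type ACK (opt 53), opt 252, END."""
    u = wpad_url.encode("ascii")
    return (DHCP_MAGIC_COOKIE + bytes([53, 1, 5])
            + bytes([OPT_WPAD, len(u)]) + u + bytes([OPT_END]))


ALLOWED_PAC_HOSTS = {"proxy.corp.example"}  # assumed: the sanctioned PAC server
```

The same allowlist idea applies to the second half of the attack: a 407 response advertising NTLM from a proxy that is not the sanctioned one is the signal to alert on.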