WPADCHECK - Nameserver Network Verifier
Detect potentially dangerous entries in Microsoft DNS and WINS name servers (MS09-008).
Service name registration in local network allows attackers to hijack other users traffic
and conduct “man-in-the-middle” attacks. An attacker who successfully conducted this
attack could analyze target system Internet traffic including confidential data, such as
passwords, credit card numbers, personal correspondence, etc.
There are several ways to register names in a network:
1) Registration on DNS or WINS name server;
2) Certain NetBIOS name usage in a network.
WPAD and ISATAP names are described in the document. These names are used in the
following protocols, respectively:
· WPAD (Web Proxy Auto Discovery) is a method used by web clients to
automatically locate a browser configuration file used to connect through proxy. The
main reason that makes attacks via WPAD such dangerous is that it is widely used
in default configuration. Attacks with WPAD protocols are described in a separate
· ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition
mechanism meant to transmit IPv6 packets on top of an IPv4 network.
Author- Alexander Anisimov Source- packetstorm