Today SecureState is releasing another module for the Metasploit Framework. This new module takes advantage of a feature in Windows browsers that allows them to be automatically configured for a Proxy. Setting a browser to automatically detect and configure itself for a proxy involves retrieving a specially formatted configuration file from a server on the network. When a host that is configured to use this opens its browser, the browser makes a request for the WPAD host on the network. If a request to resolve this address succeeds then the configuration file is requested from it.
The security issue often exists when there is no WPAD record in the DNS server, causing the Windows host to fall back to making a request via NBNS. This NBNS request is broadsp_ConvertSQLServerDateed to the entire network. An attacker can easily use existing tools to intercept and respond to this with the appropriate hostname. In the case of the WPAD server, the victim will then request the proxy configuration file from the attacker. Using this new MSF module, the proxy file can easily be configured and served from right within the Metasploit Framework. Once the attacker controls the proxy configuration, they can easily configure the victim to send all http/https traffic through them.
The features of this module make it very easy to pick what traffic is sent through the configured proxy. One nice feature of the module is the default setting to send all HTTPS traffic directly to the original host. This will prevent the victim from seeing any invalid certificate errors because the encrypted traffic is not sent to the attacker.
Additional information on the Metasploit Framework Module can be found here.
The module can be found here.