Upgrade Attack

Added: 09/30/2013


The LLMNR (Local Link Multicast Name Resolution) protocol is used to answer wpad requests sent by Microsoft Windows. A rogue WPAD server delivers a wpad.dat file to poisoned hosts forcing them to proxy web requests through the SAINT server. In addition, HTTP requests are analyzed and matched against known insecure auto update features. All HTTP based requests for EXE files are replaced with the SAINT remote control client.


This tool only works against machines configured with Automatic Proxy Configuration turned on (default) and on versions of Microsoft Windows Vista and later.


WPAD should not be enabled if it is not something that is being used by your organization. It can be turned off manually or using group policy.
Back to exploit index