WPAD: Attacking the Proxy

Presented at ShmooCon 2007 by

WPAD, the Web Proxy Automatic Discovery protocol, does exactly what the name says - finds web proxies on the LAN. Unfortunately, WPAD is based on a number of other protocols which are widely known to be insecure, ultimately leading to by-design pwnership of an entire corporate network with just two packets.

This presentation is in two parts. First, I'll explore the WPAD protocol, explaining and demonstrating its weaknesses as I go along. The focus will be on IE (which has WPAD enabled by default, and extends the protocol in a number of insecure ways) although other browsers will be considered, as well as a number of other non-browser products which use WPAD. The intent will be to prove how easy it is for someone to become your proxy server on any LAN (corporate network, cable modem segment, etc). The two-packet attack will be demonstrated and explained in detail.

The second part of the presentation goes on to explore what can be done once you have established yourself as someone's proxy server. Much more than just sniffing traffic, I'll explore SSL attacks, social engineering, credential harvesting (with a unique implementation of rainbow tables), page manipulation, browser-specific attacks, and more - all with working code.