Script broadcast-wpad-discover

Script types: prerule
Categories: broadcast, safe

Script Summary

Retrieves a list of proxy servers on a LAN using the Web Proxy Autodiscovery Protocol (WPAD). It implements both the DHCP and DNS methods of doing so and starts by querying DHCP to get the address. DHCP discovery requires nmap to be running in privileged mode and will be skipped when this is not the case. DNS discovery relies on the script being able to resolve the local domain either through a script argument or by attempting to reverse resolve the local IP.

Script Arguments


instructs the script to retrieve the WPAD file instead of parsing it


instructs the script to skip discovery using dhcp


instructs the script to skip discovery using DNS


the domain in which the WPAD host should be discovered


See the documentation for the slaxml library., http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script broadcast-wpad-discover

Script Output

| broadcast-wpad-discover:



  • Patrik Karlsson

License: Same as Nmap--See