WSUSpect Example

Open mubix opened this issue 9 years ago • 2 comments

BlackHat 2015 Talk: WSUSpect – Compromising the Windows Enterprise via Windows Update

Video: https://www.youtube.com/watch?v=assJWqBe-vk

Paper: http://www.contextis.com/news/new-paper-released-compromising-windows-enterprise/

Basically would like to have a fake "WSUS" server script that serves up fake updates with commands to run. Need a "signed" Windows binary to get it to work. Example PoC uses BGInfo.exe but I'm sure there are other fun ones.

mubix, Oct 09 '15 04:10

https://github.com/ctxis/wsuspect-proxy

c0d3z3r0, Sep 07 '16 16:09

So just reading about this attack again today, and it appears that the team over at GoSecure has put together some interesting attacks based off further WSUS vulnerabilities.

https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks/

Since it appears that merely re-directing 8530/tcp to 80/tcp allows NTLM credential interception, would it make sense to just add another HTTP server to impacket on 8530, as a step towards being able to support the WSUSpect attack while also being able to more immediately start intercepting more hashes?

They also included PyWSUS, a tool that exploits WSUS, written in Python, so perhaps this should be easier to import into the project at this point?

https://github.com/GoSecure/pywsus

ad0nis, Nov 23 '21 15:11