Skip to content

GoSecure/pywsus

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PyWSUS

The main goal of this tool is to be a standalone implementation of a legitimate WSUS server which sends malicious responses to clients.

The MITM attack itself should be done using other dedicated tools, such as Bettercap.

Prerequisites

Some conditions must be met to make a successful exploitation possible. These prerequisites are:

1. WSUS must be enabled

Check the following registry key on the targeted machine to see if WSUS is enabled (Ox1 means enabled):

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer

2. WUServer must use HTTP

Check the following registry key on the targeted machine to see if the WUServer URL is using the HTTP protocol (https:// will not work):

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

3. UpdateServiceUrlAlternate must use HTTP

Check the following registry key on the targeted machine to see if the alternate server is defined and if the URL is using the HTTP protocol (https:// will not work):

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v UpdateServiceUrlAlternate

4. WUServer must be vulnerable to MITM attacks

You must be able to perform a MITM attack to intercept the traffic between the targeted machine and WindowsUpdate server.

You can use other dedicated tools, such as Bettercap, to perform the MITM attack.

5. UpdateServiceUrlAlternate must be vulnerable to MITM attacks

If defined, you must be able to perform a MITM attack to intercept the traffic between the targeted machine and alternate server.

Installation

virtualenv -p /usr/bin/python3 ./venv
source ./venv/bin/activate
pip install -r ./requirements.txt

Usage

Usage: pywsus.py [-h] -H HOST [-p PORT] -c COMMAND -e EXECUTABLE [-v]

OPTIONS:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  The listening adress.
  -p PORT, --port PORT  The listening port.
  -c COMMAND, --command COMMAND
                        The parameters for the current payload
  -e EXECUTABLE, --executable EXECUTABLE
                        The executable to returned to the victim. It has to be signed by Microsoft--e.g., psexec
  -v, --verbose         increase output verbosity.

Example: python pywsus.py -c '/accepteula /s calc.exe' -e PsExec64.exe

Mitigations

From our perspective, the best way to avoid exploitability of this issue is to force WSUS deployments to use a secured HTTPS channel.

The certificate presented by the WSUS server must be validated by the client. Error in validating the certificate will result in the wupdate client closing the connection.

The three major ways of generating a certificate for a WSUS server are:

  • Using an internal PKI for which a Root CA certificate is deployed on domain computers and a certificate signed by that Root CA is used to serve WSUS updates
  • Purchasing a certificate signed by a third-party CA authority trusted in the Windows OS trust store
  • Using a self-signed certificate and push a copy of this certificate on all domain computers using a GPO

On the detection side, a client enrolled with WSUS will report their installed updates inventory periodically. Looking for installed updates that stand-out from the ones approved and deployed could be a way to detect such attack. This is a preliminary idea that we have not explored yet. Let us know on Twitter or LinkedIn if you have any experience doing this kind of installed patches differential analysis at the scale of an organization.

Acknowledgements

For their contributions to this research and blogpost:

  • Olivier Bilodeau from GoSecure
  • Romain Carnus from GoSecure
  • Laurent Desaulniers from GoSecure
  • Maxime Nadeau from GoSecure
  • Mathieu Novis from SecureOps

For writing and researching the original proxy PoC:

  • Paul Stone and Alex Chapman from Context Information Security

Reference

About

Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.

Topics

Resources

License

Stars

Watchers

Forks

Contributors

Languages