Automating the WSUS Attack
Gaining local administrative access to a Windows machine that is part of a domain is typically the first step in gaining domain admin privileges during a penetration test. In many cases, the Windows Server Update Service (WSUS) is configured to deploy updates to clients over the local network using HTTP. Without the security of HTTPS, an attacker can mount a machine-in-the-middle attack to serve an update to the client, which will then execute with SYSTEM privileges. Any Microsoft signed executable can be served as an update, including a custom command with which the executable is executed.
To automatically exploit the WSUS attack, this tool spoofs the IP address of the WSUS server on the network using ARP, and when the client requests Windows updates, it serves PsExec64.exe with a predefined PowerShell script to gain local admin privileges. Both the executable file that is served (default: PsExec64.exe) and the command that is executed can be changed if required.
By default, a Windows client will check for updates approximately every 24 hours.
Prerequisits:
- The target client must be on the local network
- The Windows Server Update Service (WSUS) must be configured using HTTP
Result:
- After successful execution the user provided will be added to the local admin group. If no user was specified a user with the format user[0-9]{5} (e.g. user12345) and a random password will be created
Implemented features:
- ARP spoofing the target
- Routing the ARP spoofed packets to the local HTTP server
- HTTP server to serve the malicious updates
- Automatic detection of the WSUS server
- Included PowerShell script and executable to gain local admin access
Using pipx (recommended):
sudo apt install pipx python3-nftables
pipx ensurepath
pipx install wsuks --system-site-packages
sudo ln -s ~/.local/bin/wsuks /usr/local/sbin/wsuksUsing poetry:
sudo apt install pipx git python3-nftables # poetry should still be installed with pipx, but apt will work as well
sudo pipx install poetry
sudo ln -s /root/.local/bin/poetry /usr/local/sbin/poetry
git clone https://github.com/NeffIsBack/wsuks
cd wsuks
sudo poetry install❗wsuks must be run as root❗
With pipx, you can just run sudo wsuks ... anywhere on the system.
If you are using poetry, you must be in the wsuks folder and start each command with sudo poetry run wsuks ...
This tool requires the nftables package to be installed, which is the default on all debian based systems.\
There are 3 different modes/attack scenarios in which wsuks can be run, which are described below.
If the WSUS server is already known, you can simply specify the target IP and the WSUS server IP.
The default executable is PsExec64.exe, which runs a predefined PowerShell script with the following actions:
- Create a new user of the format user[0-9]{5} (e.g. user12345) and a random password
- Set the LocalAccountTokenFilterPolicy to 1 (disabling UAC ⚠)
- Add the created user to the local admin group
⚠ Before setting the LocalAccountTokenFilterPolicy to 1, the original value is stored in the user description field so that it can be restored later
sudo wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20If you already have a domain user and you know the IP of the WSUS server, wsuks will simply add the user to the local Administrators group.
sudo wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20 -u User -d domain.localIf you already have a domain user, wsuks will parse the GPOs on the domain controller to find the WSUS server.
A PowerShell script is executed, which will add the provided domain user to the local admin group.
sudo wsuks -t 10.0.0.10 -u User -p Password -d domain.local --dc-ip 10.0.0.1Tipp: If you only want to check for a WSUS server, you can use the --only-discover flag.
Here is a short demo of the attack with a known WSUS server:
In the PyWSUS repository from GoSecure you can find a great documentation how you could detect and mitigate this attack. They also wrote a great Guide demonstrating how this attack works in detail here.
Parts of this tool are based on the following projects: