GoSecure / pywsus

Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
https://gosecure.net/blog/
MIT License
286 stars 44 forks

PSExec is not downloaded and executed from Windows host #6

Closed GeeBay closed 3 years ago

GeeBay commented 3 years ago

Hello,

I have the following test case:

  1. Windows 10 build is 19041.76 in a domain.
  2. For the MITM portion, I configured via gpedit the WSUS to be my pywsus server (running on Debian 10).
  3. My pywsus server receives a SyncUpdate and a GetExtendedUpdateInfo is triggered.
  4. The Windows host does not download my PsExec at http://:8530/8c1dee0a-8dfa-48c9-b21f-9993ec978214/PsExec64.exe

[Edit: I managed to have the GetExtendedUpdateInfo once I joined a domain, as you mentioned in another issue. Do you know what registry keys are involved?]

Thanks for your time,

nitbx commented 3 years ago

To be sure: in verbose mode, did you see a GET request for "/PsExec64.exe", or did the targeted host not request PsExec64.exe?

Thank you

GeeBay commented 3 years ago

The targeted host did not request PsExec64.exe and Windows Update shows "device is up to date". In gpedit.msc, "Configure Automatic Update" is set to "3 = (Default setting) Download the updates automatically and notify when they are ready to be installed", so my understanding is that at least the download should occur.

Thank you,

nitbx commented 3 years ago

Hi @GeeBay

Did you restart Pywsus to have new UUIDs? If it is still not working, PsExec64 is probably cached by the client. I would suggest you try another Microsoft-signed binary and see if you receive the GET request.

I will try to reproduce your problem as soon as I have some time.

Thank you.

nitbx commented 3 years ago

Hi @GeeBay,

I have the same problem as you. I will continue to work on it.

Thank you.

nitbx commented 3 years ago

https://github.com/GoSecure/pywsus/issues/8#issuecomment-829535191