Closed yotabytes closed 3 years ago
Hi @yotabytes,
It really looks like #6.
Indeed, Microsoft changed the behaviour of WSUS a little bit, but I think it should not block us from performing this attack with a WSUS HTTP server.
I will try with the ARP spoofing like you did.
Thank you.
Hi @yotabytes,
I can confirm the attack works targeting Windows 10 Pro with Bettercap (ARP spoofing). I would need to double-check with Windows 10 Enterprise.
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
[...]
11 Hotfix(s) Installed.
[01]: KB4601554
[02]: KB4562830
[03]: KB4570334
[04]: KB4577266
[05]: KB4577586
[06]: KB4580325
[07]: KB4586864
[08]: KB4589212
[09]: KB4598481
[10]: KB5001330
[11]: KB5001405
Microsoft Windows 10 Enterprise 10.0.19042 N/A Build 19042 has been tested and it's working.
Hotfix(s): 8 Hotfix(s) Installed.
[01]: KB4601554
[02]: KB4562830
[03]: KB4570334
[04]: KB4577266
[05]: KB4577586
[06]: KB4580325
[07]: KB5001391
[08]: KB5003156
This commit should help debug in Wireshark. (HTTP traffic was not correctly shown.)
https://github.com/GoSecure/pywsus/commit/7372d07361e13e38a571ab642d326283cbaec7a8
@nitbx Is the tool still working for you? (The PoC is not working for me; the log says "found 0 updates and 0 categories", hence the call for extended info and the subsequent download are not executed.)
Hi @fneur, I didn't have the chance to use it recently, but in April I demonstrated that the tool still works. I have doubts that the attack doesn't work anymore.
I would invite you to make a new issue with your setup information like we did here.
Thank you!
@nitbx Thanks for the quick reply. See #10!
Does the tool still correctly respond to syncupdates requests initiated on Windows 10 machines?
I have tried to replicate the PoC and set up a lab domain (Hyper-V) with a single domain controller (Server 2016) and a single domain-joined Win10. WSUS has been configured with setting 3 and enabled.
After successfully ARP poisoning and having "arp -a" show the MAC address of the Kali machine where pywsus is running, it was possible for pywsus to receive update requests. Whenever 'check for updates' is clicked on Win10, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike in the PoC, a GetExtendedUpdateInfo request is never received by pywsus.
The Win10 updates GUI shows an error (code 80240439) contacting the update server.
The Win10 WSUS update log shows the following (selected extract for brevity):
2021/04/28 12:40:08.8297096 1224 7052 WebServices Auto proxy settings for this web service call.
2021/04/28 12:40:08.8784820 1224 7052 WebServices FAILED [80240439] Web service call
2021/04/28 12:40:08.8784833 1224 7052 WebServices Current service auth scheme=0.
2021/04/28 12:40:08.8784839 1224 7052 WebServices Current Proxy auth scheme=0.
2021/04/28 12:40:08.8785000 1224 7052 Misc Got WSUS Client/Server URL: http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx""
2021/04/28 12:40:08.8807925 1224 7052 WebServices Proxy Behavior set to 1 for service url http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx
2021/04/28 12:40:08.8807971 1224 7052 ProtocolTalker FAILED [80240439] SyncUpdates_WithRecovery failed
2021/04/28 12:40:08.8808013 1224 7052 IdleTimer WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover, operation # 1303) stopped; does use network; is at background priority
2021/04/28 12:40:08.8808067 1224 7052 ProtocolTalker SyncUpdates round trips: 1
2021/04/28 12:40:08.8808077 1224 7052 ProtocolTalker FAILED [80240439] Sync of Updates
2021/04/28 12:40:08.8808160 1224 7052 ProtocolTalker FAILED [80240439] SyncServerUpdatesInternal failed
2021/04/28 12:40:08.8845612 1224 7052 Agent FAILED [80240439] Synchronize
The Windows 10 VM details are as follows:
Host Name: WIN10
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.18363 N/A Build 18363
OS Manufacturer: Microsoft Corporation
Hotfix(s): 10 Hotfix(s) Installed.
I am wondering whether there is a configuration setting required for this to be exploitable that I may have missed, whether changes may have been made to the communication protocol such that the SOAP response from pywsus is not considered valid, or whether security changes have been made that stop the rogue WSUS server from successfully proceeding to patch downloading.
Note that I have tried this with both the Windows Firewall and Windows Defender disabled and enabled, with the same outcome.
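Added example, not part of this thread or of pywsus: a small Python checker for WindowsUpdate.log lines in the layout shown in the extract above (date, time, PID, TID, component, message). It counts FAILED [hresult] entries such as 80240439 per component and flags WSUS endpoints the client logged over plain http://, which is the setting an admin should be looking for when auditing exposure to a rogue WSUS server; the field layout is an assumption taken from the extract, and the sample lines are constructed from it.

```python
import re
from collections import Counter

# Assumed WindowsUpdate.log layout, taken from the extract in this thread:
# <date> <time> <pid> <tid> <component> <message>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:.]+) +(?P<pid>\d+) +(?P<tid>\d+) +"
    r"(?P<component>\S+) +(?P<message>.*)$"
)
FAILED_RE = re.compile(r"FAILED \[(?P<hresult>[0-9A-Fa-f]{8})\] (?P<what>.*)")
URL_RE = re.compile(r"https?://[^\s\"]+")

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_wu_log(lines):
    """Summarise FAILED entries and non-TLS WSUS endpoints from WindowsUpdate.log lines."""
    failures = Counter()     # HRESULT -> number of FAILED entries
    failed_ops = []          # (component, operation) for each FAILED entry
    plaintext_urls = set()   # WSUS endpoints reached over http:// instead of https://
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        msg = entry["message"]
        f = FAILED_RE.search(msg)
        if f:
            failures[f["hresult"].upper()] += 1
            failed_ops.append((entry["component"], f["what"].strip()))
        for url in URL_RE.findall(msg):
            # A plaintext WSUS URL is the condition a rogue WSUS server relies on.
            if url.lower().startswith("http://"):
                plaintext_urls.add(url)
    return {"failures": dict(failures), "failed_ops": failed_ops,
            "plaintext_urls": sorted(plaintext_urls)}

# Constructed sample, modelled on the log extract posted above.
SAMPLE_LOG = """\
2021/04/28 12:40:08.8297096 1224 7052 WebServices Auto proxy settings for this web service call.
2021/04/28 12:40:08.8784820 1224 7052 WebServices FAILED [80240439] Web service call
2021/04/28 12:40:08.8785000 1224 7052 Misc Got WSUS Client/Server URL: http://WIN-LUL8KLLSCLH:8530/ClientWebService/client.asmx
2021/04/28 12:40:08.8807971 1224 7052 ProtocolTalker FAILED [80240439] SyncUpdates_WithRecovery failed
2021/04/28 12:40:08.8845612 1224 7052 Agent FAILED [80240439] Synchronize
""".splitlines()

if __name__ == "__main__":
    print(audit_wu_log(SAMPLE_LOG))
```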