Remote Weaponization of WSUS MITM

WPAD ATTACK

  1. Did I get a proxy configuration during DHCP negotiation?
  2. If not, resolve “wpad.domain.com” and get the configuration from that server.
  3. If that did not return a result, broadcast using NetBIOS (NBT-NS) to resolve the name “WPAD”.
  4. If a server has been found, request the resource “/wpad.dat” from that server (http://<SERVER>/wpad.dat); the file contains the proxy settings.
  • HTTP MITM with an iframe (HTA, Exploit, Java Applet, etc.)
  • HTTP Auth Prompt / Social Engineering
  • WSUS Injection
  • …and many many more

WSUS MITM

Putting It Together

1. Identify the Possibilities

  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings (Note: if the 5th byte is even, automatic proxy detection is likely enabled in Internet Explorer, which turns on WPAD)
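
The following PowerShell audit is an added example, not code from the original article. It reads the three registry locations listed above on the local host and reports two things a defender wants to know: whether Windows Update is pointed at a WSUS server over plain HTTP (the precondition for the WSUS MITM), and whether automatic proxy detection (WPAD) is switched on. The decoding of DefaultConnectionSettings is this example's own assumption about the blob layout (a flags DWORD at byte offset 8 where bit 0x08 means “Automatically detect settings”); the function names are hypothetical.

```powershell
# Added example (not from the original article): audit WSUS and WPAD exposure on this host.
# Assumption: DefaultConnectionSettings carries a flags DWORD at offset 8
#   0x01 = direct, 0x02 = manual proxy, 0x04 = PAC script URL, 0x08 = auto-detect (WPAD)

function Get-WsusExposure {
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -Name WUServer -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU" -Name UseWUServer -ErrorAction SilentlyContinue

    $result = [ordered]@{
        WUServer    = $wu.WUServer
        UseWUServer = [int]$au.UseWUServer
        Finding     = 'No WSUS policy set; client talks to Microsoft Update over HTTPS'
    }
    if ($wu.WUServer -and $result.UseWUServer -eq 1) {
        $uri = [Uri]$wu.WUServer
        if ($uri.Scheme -eq 'http') {
            # Plain HTTP: an on-path attacker (e.g. via a poisoned WPAD proxy) can rewrite update metadata
            $result.Finding = "WSUS over plain HTTP ($($uri.Authority)): update traffic can be intercepted and modified on path"
        } else {
            $result.Finding = "WSUS over HTTPS ($($uri.Authority)); confirm the server certificate chains to a trusted CA"
        }
    }
    [pscustomobject]$result
}

function Get-WpadExposure {
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if (-not $blob -or $blob.Length -lt 12) {
        return [pscustomobject]@{ AutoDetect = $null; Finding = 'DefaultConnectionSettings missing or too short to decode' }
    }
    # Assumed layout: flags DWORD at offset 8 (see header comment)
    $flags = [BitConverter]::ToUInt32($blob, 8)
    [pscustomobject]@{
        Flags       = ('0x{0:X2}' -f $flags)
        AutoDetect  = [bool]($flags -band 0x08)
        ManualProxy = [bool]($flags -band 0x02)
        PacScript   = [bool]($flags -band 0x04)
        Finding     = $(if ($flags -band 0x08) {
                          'Automatic proxy detection is ON: the client will search for WPAD via DHCP, DNS and then NBNS/LLMNR'
                      } else {
                          'Automatic proxy detection is OFF'
                      })
    }
}

Get-WsusExposure | Format-List
Get-WpadExposure | Format-List
```

Run it in the context of the user being audited (the proxy settings live under HKCU, so an elevated session reports the administrator's own connection settings, not the logged-on user's). A host that shows both an http:// WUServer and AutoDetect = True is exposed to exactly the chain the article describes.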

2. Network Bending Kung-fu

3. Poison

  • -IP <IP OF POISON VICTIM> : Set the IP to bind the raw socket to
  • -NBNS Y : Set NBNS spoofing to be enabled
  • -LLMNR Y : Set LLMNR spoofing to be enabled
  • -HTTP Y : Turn on the HTTP server for serving up WPAD.dat files
  • -SMB N : Do not perform any SMB relaying
  • -StatusOutput Y : Print status outputs
  • -Tool 2 : Configure the settings to run this in a certain tool. The Empire setting works well for Cobalt Strike
  • -SpooferIPsReply <TARGET IP> : IP of the target or CSV list of targets
  • -WPADAuth Anonymous : Do not pop a creds box for the WPAD
  • -WPADIp <ProxyHost> : IP of poison host where the rportfwd command is run
  • -WPADPort 8080 : port of the rportfwd command

4. MITM Updates

Fixing the Vulnerabilities

WPAD Controls / Fixes

WSUS Fixes

Detection

PowerShell v5

Event Logs

WMI Event Subscription
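
As an added example (not part of the original article), the WMI event subscription below watches the WSUS policy value named earlier in the article and writes a Warning to the Application log whenever WUServer changes, which is what a redirection of update traffic looks like on the endpoint. It assumes an elevated Windows PowerShell 5 session; the source name WsusWatch and event ID 1001 are constructed for this example.

```powershell
# Added example (not from the original article): alert when HKLM\...\WindowsUpdate\WUServer changes.
# Assumptions: elevated Windows PowerShell 5 session; 'WsusWatch' and event ID 1001 are made up here.

# WQL registry provider lives in root\default; backslashes in KeyPath must be doubled inside WQL
$query = @"
SELECT * FROM RegistryValueChangeEvent
WHERE Hive = 'HKEY_LOCAL_MACHINE'
  AND KeyPath = 'SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate'
  AND ValueName = 'WUServer'
"@

# One-time registration of the event source used for the alert
if (-not [System.Diagnostics.EventLog]::SourceExists('WsusWatch')) {
    New-EventLog -LogName Application -Source 'WsusWatch'
}

# Temporary (session-scoped) subscription; the action runs each time the value changes
Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier 'WsusWatch' -Action {
    $now = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' `
                            -Name WUServer -ErrorAction SilentlyContinue
    $msg = "WUServer changed at $(Get-Date -Format o); current value: '$($now.WUServer)'"
    Write-EventLog -LogName Application -Source 'WsusWatch' -EventId 1001 -EntryType Warning -Message $msg
}

# Stop watching:
#   Unregister-Event -SourceIdentifier 'WsusWatch'
```

The subscription disappears when the session ends; for a persistent detector, create the __EventFilter, __EventConsumer and __FilterToConsumerBinding objects instead, and forward the resulting Application log event to the SIEM. RegistryValueChangeEvent does not watch HKEY_CURRENT_USER, so the per-user proxy settings from the earlier section need a RegistryTreeChangeEvent on the corresponding HKEY_USERS subtree or a periodic poll with the audit script.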

Conclusion

Justin Warner

Tech: Threat Intel | Photographer @ https://www.justinwarnerphoto.com