Add the WSUS module - Detect if WSUS is Vulnerable to MITM Attacks #485

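--- /dev/null
+++ b/nxc/modules/wsus.py
@@ -0,0 +1,63 @@
+from impacket.dcerpc.v5 import rrp
+from impacket.examples.secretsdump import RemoteOperations
+from impacket.dcerpc.v5.rrp import DCERPCSessionError
+
+class NXCModule:
+"""
+Check if the WSUS configuration on the target is vulnerable by inspecting the WUServer registry value.
+Module by @Tw1sm
+Modified for WSUS by @H4ckT0Th3Futur3
+"""
+
+name = "wsus"
+description = "Checks if WSUS server is vulnerable by inspecting if WUServer registry value starts with 'http://'."
+supported_protocols = ["smb"]
+opsec_safe = True
+multiple_hosts = True
+
+def options(self, context, module_options):
+self.output = "WSUS VULNERABLE: {} - WUServer URL = {}"
+self.suspect_prefix = module_options.get("SUSPECT_PREFIX", "http://")
+
+def on_admin_login(self, context, connection):
+try:
+# Initialiser les opérations à distance
+remote_ops = RemoteOperations(connection.conn, False)
+remote_ops.enableRegistry()
+
+# Vérifier si RemoteOperations est actif
+if remote_ops._RemoteOperations__rrp:
+# Ouvrir la clé de registre HKEY_LOCAL_MACHINE
+ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
+reg_handle = ans["phKey"]
+
+# Ouvrir la sous-clé de WSUS
+ans = rrp.hBaseRegOpenKey(
+remote_ops._RemoteOperations__rrp,
+reg_handle,
+"SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate"
+)
+key_handle = ans["phkResult"]
+
+try:
+# Récupérer la valeur de WUServer
+rtype, data = rrp.hBaseRegQueryValue(
+remote_ops._RemoteOperations__rrp,
+key_handle,
+"WUServer\x00"
+)
+
+# Vérifier si la valeur de WUServer commence par le préfixe suspect
+if data and data.startswith(self.suspect_prefix):
+context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data))
+else:
+context.log.info("WSUS is not vulnerable or WUServer registry value is secure.")
+
+except rrp.DCERPCSessionError:
+context.log.debug("Unable to find WUServer, registry key may not exist or is not accessible.")
+
+except DCERPCSessionError as e:
+context.log.debug(f"Error connecting to RemoteRegistry: {e}")
+finally:
+# Fermer proprement la connexion au registre
+remote_ops.finish()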
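Review bot: `remote_ops` is referenced in the `finally` on the last line of `on_admin_login` but is only bound inside the `try`, so if `RemoteOperations(connection.conn, False)` or `enableRegistry()` raises, the cleanup itself fails with `UnboundLocalError` and hides the original error; bind `remote_ops = None` before the `try` and guard the cleanup with `if remote_ops is not None: remote_ops.finish()`. The check `data.startswith(self.suspect_prefix)` is case-sensitive, so a value written as `HTTP://...` is logged as secure; `data.lower().startswith(self.suspect_prefix.lower())` closes that gap, assuming `hBaseRegQueryValue` returns a `str` for a REG_SZ value, which the hunk does not show. A plain-HTTP `WUServer` only takes effect when the policy is switched on through `UseWUServer` under the `WindowsUpdate\AU` subkey, so the module can flag hosts that never talk to that server; reading that value too, or stating the limitation in the `description`, would reduce false positives. The comments are in French while every string and docstring in the module is English; translating them (e.g. `# Initialiser les opérations à distance` → `# Set up remote registry operations`) keeps the file consistent with the rest of the module tree.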