Last updated
Was this helpful?
Last updated
Was this helpful?
WSUS (Windows Server Update Services) allow administrators to centralize the management and deployment of Windows updates within their organization network. When first configuring this set of services, the default configuration makes the WSUS use HTTP without any secure layer like SSL/TLS. HTTPS is not enforced by default.
When pulling an update from the WSUS server, clients are redirected to the executable file to download and execute (which can only be a binary signed by Microsoft) and obtain a handler named CommandLineInstallation that specifies the additional parameters to pass the binary during the update installation. Without HTTPS, the WSUS is vulnerable to Man-in-the-Middle attacks where adversaries can either pose as the update server and send malicious updates or intercept and modify updates sent to the clients.
The following command prints the WSUS server the client requests when searching for an update. If the path looks like http://wsus.domain.local/, showing the use of HTTP instead of HTTPS, the attacks can be attempted.
The WSUS spoofing attack can be conducted as follows
Obtain a Man-in-the-Middle position between clients and the update server with .
Redirect traffic from clients -> legitimate WSUS to clients -> attacker's WSUS
Have a custom WSUS server running able to send evil updates to clients
In a scenario where the clients and the attacker are on the same subnet, and the update server is on another one, the steps below can be followed. For other scenarios or more info on ARP poisoning, a recipe exists for it.
The evil WSUS server needs to be started before doing any ARP poisoning. The (Python) utility can be used for that matter.
Packets from the client to the WSUS server need to be hijacked and sent to the attacker's evil WSUS server. In order to do so, the attacker must pose as the client's gateway, route all traffic to the real gateway except the packets destined to the WSUS server.
The caplet above can be loaded with the following command in order to launch the ARP poisoning attack.
The search for Windows updates can be manually triggered when having access to the target computer by going to Settings > Update & Security > Windows Update > Check for updates.
Programs other than PsExec.exe can be used here. Using built-in programs features to bypass security restrictions or operate attacks like this is called (LOL). Other Windows LOL binaries and scripts (a.k.a. LOLbins or LOLbas) can be found on .
Once the WSUS server is up and running, the ARP poisoning attack can start. The best tool to operate ARP poisoning is (Go) and for the majority of the scenarios, basic knowledge of the iptables utility is required.
By default, the automatic updates interval is 22 hours ().
Another way of attacking insecure WSUS without having to rely on ARP poisoning but requiring user access to the target machine is explained in the following blogpost :
