Commit 0b00c59

Typo
1 parent e412f85 commit 0b00c59

1 file changed

Lines changed: 1 addition & 1 deletion

README.md

@@ -3,7 +3,7 @@
33
# wsuks
44
_Automating the WSUS Attack_
55

6-
Gaining local administrative access to a Windows machine that is part of a domain is typically the first step in gaining domain admin privileges during a penetration test. In many cases, the Windows Server Update Service (WSUS) is configured to deploy updates to clients over the local network using HTTP. Without the security of HTTPS, an attacker can mount a machine-in-the-middle attack to serve an update to the client, which will then execute with SYSTEM privileges. Any Microsoft signed executable can be served as an update, including a custom command with which the executable is executed. Should an attack be able to obtain a TLS-certificate for the WSUS server, the attack can be performed over HTTPS as well (see [ESC17](https://github.com/NeffIsBack/esc17-wiki/blob/master/06-%E2%80%90-Privilege-Escalation.md#esc17-enrollee-supplied-subject-for-server-authentication) and our [blog post](https://blog.digitrace.de/2026/01/using-adcs-to-attack-https-enabled-wsus-clients/)).
6+
Gaining local administrative access to a Windows machine that is part of a domain is typically the first step in gaining domain admin privileges during a penetration test. In many cases, the Windows Server Update Service (WSUS) is configured to deploy updates to clients over the local network using HTTP. Without the security of HTTPS, an attacker can mount a machine-in-the-middle attack to serve an update to the client, which will then execute with SYSTEM privileges. Any Microsoft signed executable can be served as an update, including a custom command with which the executable is executed. Should an attacker be able to obtain a TLS-certificate for the WSUS server, the attack can be performed over HTTPS as well (see [ESC17](https://github.com/NeffIsBack/esc17-wiki/blob/master/06-%E2%80%90-Privilege-Escalation.md#esc17-enrollee-supplied-subject-for-server-authentication) and our [blog post](https://blog.digitrace.de/2026/01/using-adcs-to-attack-https-enabled-wsus-clients/)).
77

88
To automatically exploit the WSUS attack, this tool spoofs the IP address of the WSUS server on the network using ARP, and when the client requests Windows updates, it serves PsExec64.exe with a predefined PowerShell script to gain local admin privileges. Both the executable file that is served (default: PsExec64.exe) and the command that is executed can be changed if required.\
99
By default, a Windows client will check for updates approximately every 24 hours.
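
Review bot: the rewritten line 6 still carries three wording slips next to the corrected "attack" → "attacker", so this typo commit could fix them in the same pass. "Microsoft signed executable" should be hyphenated as "Microsoft-signed executable", "TLS-certificate" should read "TLS certificate", and the product name is "Windows Server Update Services" (plural), not "Windows Server Update Service". None of these change the meaning of the paragraph, but the product name in particular is what readers will search for when checking whether their own WSUS deployment uses HTTP.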
