To check whether a Windows domain is a possible candidate for a MITM WSUS attack, check:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
https://github.com/pimps/wsuxploit/ (requires a MITM attack, e.g. with bettercap)
https://github.com/GoSecure/WSuspicious/ (all-in-one tool that changes the local proxy settings)
Update: if CVE-2020-1013 is patched, Windows Update will use the SYSTEM proxy settings and not the user proxy.
If the registry value HKLM\Software\Policies\Microsoft\WindowsUpdate\SetProxybehaviorForUpdateDetection is set to REG_DWORD 1,
then the user proxy will be used only if the system proxy doesn’t work.
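Added example (not part of the original note or of the tools linked above): a read-only PowerShell audit of the policy values mentioned here, for checking clients from the defender's side. It assumes that a WUServer URL starting with http:// is what leaves update traffic open to interception and that UseWUServer under the AU subkey is what enforces the server; it looks for the proxy value both at the path written above and under the policy key from the reg query. Function names are hypothetical.

```powershell
# Added example: read-only audit of the Windows Update policy values above.
$wuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {          # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-WsusTransportAudit {   # hypothetical function name
    $wuServer    = Get-PolicyValue -Path $wuKey -Name 'WUServer'
    $useWuServer = Get-PolicyValue -Path "$wuKey\AU" -Name 'UseWUServer'

    # Proxy value: path as written in the note first, then the policy key
    # from the reg query (assumption: it may live under either one).
    $proxyValue = $null
    foreach ($p in 'HKLM:\Software\Policies\Microsoft\WindowsUpdate', $wuKey) {
        $v = Get-PolicyValue -Path $p -Name 'SetProxyBehaviorForUpdateDetection'
        if ($null -ne $v) { $proxyValue = $v; break }
    }

    $uri = $null
    if (-not $wuServer -or $useWuServer -ne 1) {
        $finding = 'No WSUS server enforced by policy'
    } elseif (-not [Uri]::TryCreate($wuServer, [UriKind]::Absolute, [ref]$uri)) {
        $finding = 'WUServer is not a valid absolute URL'
    } elseif ($uri.Scheme -eq 'http') {
        $finding = 'WSUS over plain HTTP: exposed to MITM, move WSUS to HTTPS'
    } elseif ($uri.Scheme -eq 'https') {
        $finding = 'WSUS over HTTPS'
    } else {
        $finding = "Unexpected scheme: $($uri.Scheme)"
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        WUServer          = $wuServer
        UseWUServer       = $useWuServer
        Finding           = $finding
        # Per the note: 1 = user proxy is used if the system proxy fails.
        UserProxyFallback = ($proxyValue -eq 1)
    }
}

Get-WsusTransportAudit | Format-List
```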
References:
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::CorpWuURL
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus