GoSecure/WSuspicious GoSecure/WSuspicious

  • Stars
    star
    338
  • Rank 124,226 (Top 3 %)
  • Language
    C#
  • License
    MIT License
  • Created over 4 years ago
  • Updated almost 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
GoSecure/WSuspicious
github

GoSecure

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations

WSuspicious

Summary

This is a proof of concept program to escalate privileges on a Windows host by abusing WSUS. Details in this blog post: https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/ It was inspired from the WSuspect proxy project: https://github.com/ctxis/wsuspect-proxy

Acknowledgements

Privilege escalation module written by Maxime Nadeau from GoSecure

Huge thanks to:

  • Julien Pineault from GoSecure and Mathieu Novis from ‎SecureOps for reviving the WSUS proxy attack
  • Romain Carnus from GoSecure for coming up with the HTTPS interception idea
  • Paul Stone and Alex Chapman from Context Information Security for writing and researching the original proxy PoC

Usage

The tool was tested on Windows 10 machines (10.0.17763 and 10.0.18363) in different domain environments.

Usage: WSuspicious [OPTION]...
Ex. WSuspicious.exe /command:"" - accepteula - s - d cmd / c """"echo 1 > C:\\wsuspicious.txt"""""" /autoinstall

Creates a local proxy to intercept WSUS requests and try to escalate privileges.
If launched without any arguments, the script will simply create the file C:\\wsuspicious.was.here

/exe                The full path to the executable to run
				    Known payloads are bginfo and PsExec. (Default: .\PsExec64.exe)
/command            The command to execute (Default: -accepteula -s -d cmd /c ""echo 1 > C:\\wsuspicious.was.here"")
/proxyport          The port on which the proxy is started. (Default: 13337)
/downloadport       The port on which the web server hosting the payload is started. (Sometimes useful for older Windows versions)
				    If not specified, the server will try to intercept the request to the legitimate server instead.
/debug              Increase the verbosity of the tool
/autoinstall        Start Windows updates automatically after the proxy is started.
/enabletls          Enable HTTPS interception. WARNING. NOT OPSEC SAFE. 
				    This will prompt the user to add the certificate to the trusted root.
/help               Display this help and exit

Examples

WSuspicious Privesc Example gif

Compilation

The ILMerge dependency can be used to compile the application into a standalone .exe file. To compile and compile the application, simply use the following command:

dotnet msbuild /t:Restore /t:Clean /t:Build /p:Configuration=Release /p:DebugSymbols=false /p:DebugType=None /t:ILMerge /p:TrimUnusedDependencies=true

More Repositories

1

pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
Python
1,483
star
2

malboxes

Builds malware analysis Windows VMs so that you don't have to.
Python
1,026
star
3

dtd-finder

List DTDs and generate XXE payloads using those local DTDs.
Kotlin
601
star
4

php7-opcache-override

Security-related PHP7 OPcache abuse tools and demo
Python
306
star
5

pywsus

Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
Python
286
star
6

csp-auditor

Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP configuration from crawling a Website
Java
135
star
7

DLLPasswordFilterImplant

DLL Password Filter Implant with Exfiltration Capabilities
C
133
star
8

template-injection-workshop

Workshop on Template Injection (6 exercises) covering Twig, Jinja2, Tornado, Velocity and Freemaker engines.
CSS
118
star
9

xxe-workshop

Workshop given at Hack in Paris 2019
JavaScript
118
star
10

ldap-scanner

Checks for signature requirements over LDAP
Python
92
star
11

frida-xamarin-unpin

A Frida script to bypass Xamarin certificate pinning implementations
C#
65
star
12

advanced-binary-analysis

Materials for the Binary Analysis Workshop presented at NorthSec 2020
HTML
63
star
13

break-fast-serial

A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
Python
54
star
14

security-cheat-sheet

Minimalist cheat sheet for developpers to write secure code
HTML
54
star
15

xfsc

eXtensions for Financial Services (XFS) proof of concept client to explore and issue commands directly to the devices that support the protocol. Force ATMs to dispense cash if you have code execution on them.
C
53
star
16

gophish-cli

Gophish Python cli to perform huge phishing campaigns
Python
40
star
17

linkedin-osint

A simple proof of concept that demonstrate how emails can easily be tie to LinkedIn profile
Python
36
star
18

presentations

Material from presentations done by GoSecure researchers
HTML
32
star
19

burp-ntlm-challenge-decoder

Burp extension to decode NTLM SSP headers and extract domain/host information
Kotlin
32
star
20

request-smuggling-workshop

Python
22
star
21

Cisco2Checkpoint

Tool that assists in migrating firewall rules from Cisco to Checkpoint. Will optimize rules for you (rationalization, reuse merging, etc.).
Python
21
star
22

unicode-pentester-cheatsheet

An easy to navigate list of unicode characters that have risky transformations 💥
HTML
20
star
23

zap-autodecode-view

ZAP plugin demonstrating custom view for WebSocket messages.
Kotlin
13
star
24

goinsecure-deserialization

Accompanying material needed for the workshop
Java
11
star
25

LansweeperPasswordRecovery

Lansweeper Password Recovery Tool
C#
11
star
26

malware-ioc

Indicators of Compromise (IOCs) for malware we have researched
YARA
10
star
27

44con-code-review-workshop

References, tools and sample payloads
10
star
28

hackfest-deserialization-workshop

8
star
29

jenkins-fsb

Jenkins instance with preconfigured jobs to analyze Java binaries using Find Security Bugs.
Shell
6
star
30

orange-code-widget

🍊 Widget for Orange to visualize code sample
Python
6
star
31

request-smuggling-nsec-demo

PHP
5
star
32

burp-fuzzy-encoding-generator

Quickly test various encoding for a given value in Burp Intruder
Kotlin
5
star
33

malware_investigation_template

Because .idb files should be version controlled.
Shell
4
star
34

fq-pyrdp

fq format for parsing PyRDP replays
Go
4
star
35

owasp-workshop-zap

Atelier pratique sur le développement d'extension ZAP / Workshop on ZAP extension development
HTML
4
star
36

caplets

Fork of caplets with RDP proxy caplet
JavaScript
3
star
37

confoo-xss-bypass-demos

Demonstration for the presentation Modern XSS
3
star
38

java-hostname-verification-poc

Java
2
star
39

missing-security-controls

HTML
1
star
40

notebooks

Cybersecurity Research Jupyter Notebooks for the Community
Jupyter Notebook
1
star
41

gosecure.github.io

HTML
1
star