GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → GoSecure → Pywsus

GoSecure / Pywsus

Licence: mit
Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.

Programming Languages

python
139335 projects - #7 most used programming language

Labels

attack

Projects that are alternatives of or similar to Pywsus

Singularity
A DNS rebinding attack framework.
Stars: ✭ 621 (+639.29%)
Mutual labels:  attack
Wi Pwn
ESP8266 Deauther ​with a material design WebUI 📶
Stars: ✭ 839 (+898.81%)
Mutual labels:  attack
Ska
Simple Karma Attack
Stars: ✭ 55 (-34.52%)
Mutual labels:  attack
Evilurl
Generate unicode evil domains for IDN Homograph Attack and detect them.
Stars: ✭ 654 (+678.57%)
Mutual labels:  attack
Tcp Connection Hijack Reset
Simple scapy-based tool to hijack and reset existing TCP connections
Stars: ✭ 17 (-79.76%)
Mutual labels:  attack
Arpspoof
arpspoof for macOS - intercept packets on a switched LAN
Stars: ✭ 40 (-52.38%)
Mutual labels:  attack
Impulse
💣 Impulse Denial-of-service ToolKit
Stars: ✭ 538 (+540.48%)
Mutual labels:  attack
Esp8266 deauther
Affordable WiFi hacking platform for testing and learning
Stars: ✭ 9,312 (+10985.71%)
Mutual labels:  attack
Physics Command
Physics platform is a tool for hardware systems (e.g: raspberryPi 3B ). It retrieves data passing through the network and sends it to a control panel. It works the same way as a botnet by receiving remote commands. (you can imagine that as a black box)
Stars: ✭ 23 (-72.62%)
Mutual labels:  attack
Mhddos
Best DDoS Attack Script Python3, Cyber Attack With 36 Method
Stars: ✭ 55 (-34.52%)
Mutual labels:  attack
Autordpwn
The Shadow Attack Framework
Stars: ✭ 688 (+719.05%)
Mutual labels:  attack
Cti
Cyber Threat Intelligence Repository expressed in STIX 2.0
Stars: ✭ 822 (+878.57%)
Mutual labels:  attack
Timeless Timing Attacks
A Python implementation that facilitates finding timeless timing attack vulnerabilities.
Stars: ✭ 45 (-46.43%)
Mutual labels:  attack
Dhcpwn
All your IPs are belong to us.
Stars: ✭ 642 (+664.29%)
Mutual labels:  attack
Ctfsubmitter
A flag submitter service with distributed attackers for attack/defense CTF games.
Stars: ✭ 56 (-33.33%)
Mutual labels:  attack
Esp8266 beaconspam
Creates up to a thousand WiFi access points with custom SSIDs.
Stars: ✭ 575 (+584.52%)
Mutual labels:  attack
Curl Collisions
An implementation of Heilman et al.'s differential attack on IOTA's Curl hashing function.
Stars: ✭ 20 (-76.19%)
Mutual labels:  attack
Apt
APT || Execution || Launch || APTs || ( Authors harr0ey, bohops )
Stars: ✭ 83 (-1.19%)
Mutual labels:  attack
Google Chinese Handwriting Ime
Written in Electron for Linux.
Stars: ✭ 58 (-30.95%)
Mutual labels:  attack
Eddsa Fault Attack
Fault attack agaisnt EdDSA demonstrated on an Arduino Nano board, allowing for partial key recovery and fake signatures.
Stars: ✭ 53 (-36.9%)
Mutual labels:  attack
View All Similar Projects ➔

PyWSUS

The main goal of this tool is to be a standalone implementation of a legitimate WSUS server which sends malicious responses to clients. The MITM attack itself should be done using other dedicated tools, such as Bettercap.

Installation

virtualenv -p /usr/bin/python3 ./venv
source ./venv/bin/activate
pip install -r ./requirements.txt

Usage

Usage: pywsus.py [-h] -H HOST [-p PORT] -c COMMAND -e EXECUTABLE [-v]

OPTIONS:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  The listening adress.
  -p PORT, --port PORT  The listening port.
  -c COMMAND, --command COMMAND
                        The parameters for the current payload
  -e EXECUTABLE, --executable EXECUTABLE
                        The executable to returned to the victim. It has to be signed by Microsoft--e.g., psexec
  -v, --verbose         increase output verbosity.

Example: python pywsus.py -c '/accepteula /s calc.exe' -e PsExec64.exe

Mitigations

From our perspective, the best way to avoid exploitability of this issue is to force WSUS deployments to use a secured HTTPS channel.

The certificate presented by the WSUS server must be validated by the client. Error in validating the certificate will result in the wupdate client closing the connection.

The three major ways of generating a certificate for a WSUS server are:

  • Using an internal PKI for which a Root CA certificate is deployed on domain computers and a certificate signed by that Root CA is used to serve WSUS updates
  • Purchasing a certificate signed by a third-party CA authority trusted in the Windows OS trust store
  • Using a self-signed certificate and push a copy of this certificate on all domain computers using a GPO

On the detection side, a client enrolled with WSUS will report their installed updates inventory periodically. Looking for installed updates that stand-out from the ones approved and deployed could be a way to detect such attack. This is a preliminary idea that we have not explored yet. Let us know on Twitter or LinkedIn if you have any experience doing this kind of installed patches differential analysis at the scale of an organization.

Acknowledgements

For their contributions to this research and blogpost.

  • Olivier Bilodeau from GoSecure
  • Romain Carnus from GoSecure
  • Laurent Desaulniers from GoSecure
  • Maxime Nadeau from GoSecure
  • Mathieu Novis from SecureOps

For writing and researching the original proxy PoC

  • Paul Stone and Alex Chapman from Context Information Security

Reference

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].