README.md
Lines changed: 23 additions & 13 deletions
@@ -49,10 +49,22 @@ If you are using poetry, you must be in the wsuks folder and start each command
49
49
50
50
This tool requires the `nftables` package to be installed, which is the default on all debian based systems.\
51
51
52
-
There are 3 different modes/attack scenarios in which wsuks can be run, which are described below.
53
-
### Specify known WSUS Server and create local admin user:
54
-
If the WSUS server is already known, you can simply specify the target IP and the WSUS server IP.\
55
-
The default executable is PsExec64.exe, which runs a predefined PowerShell script with the following actions:
52
+
There are 3 different modes/attack scenarios in which wsuks can be run:
53
+
- AUTOMATIC: If the WSUS server is not known, wsuks will automatically discover the WSUS server by parsing the GPOs on the domain controller. In this case, the IP of the domain controller must be provided, as well as credentials for the domain.
54
+
- MANUAL: If the WSUS server is already known, the attack can be performed by simply providing the IP of the WSUS server.
55
+
- SERVE ONLY: If the traffic is already being redirected to the attacker's machine (e.g. with control over DNS), wsuks can be used to only serve the malicious executable and command.
56
+
57
+
### AUTOMATIC: Autodiscover the WSUS Server by only specifying the domain user with the DC IP:
58
+
If you already have a domain user, wsuks will parse the GPOs on the domain controller to find the WSUS server.\
59
+
A PowerShell script is executed, which will add the provided domain user to the local admin group.
**Tipp:** If you only want to check for a WSUS server, you can use the `--only-discover` flag.
65
+
66
+
### MANUAL: Specify known WSUS Server and create local admin user:
67
+
The predefined PowerShell script will execute the following actions:
56
68
1. Create a new user of the format user[0-9]{5} (e.g. user12345) and a random password
57
69
2. Set the LocalAccountTokenFilterPolicy to 1 (disabling UAC ⚠)
58
70
3. Add the created user to the local admin group
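Review bot: the rewritten MANUAL intro at new line 67 (`The predefined PowerShell script will execute the following actions:`) drops the fact stated in the removed line 55 that the default executable is PsExec64.exe and that it is what launches the script; keep the executable name in the new sentence (for example `The default executable is PsExec64.exe, which runs a predefined PowerShell script with the following actions:`) so readers still know what is served to the client before the script runs. Also, `**Tipp:**` in the new AUTOMATIC section should read `**Tip:**`.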
@@ -63,24 +75,22 @@ The default executable is PsExec64.exe, which runs a predefined PowerShell scrip
63
75
sudo wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20
64
76
```
65
77
66
-
### Specify known WSUS Server and add provided domain user to local admin group (domain is required!):
78
+
### MANUAL: Specify known WSUS Server and add provided domain user to local admin group (domain is required!):
67
79
If you already have a domain user and you know the IP of the WSUS server, wsuks will simply add the user to the local Administrators group.
68
80
```shell
69
81
sudo wsuks -t 10.0.0.10 --WSUS-Server 10.0.0.20 -u User -d domain.local
70
82
```
71
83
72
-
### Autodiscover the WSUS Server by only specifying the domain user with the DC IP:
73
-
If you already have a domain user, wsuks will parse the GPOs on the domain controller to find the WSUS server.\
74
-
A PowerShell script is executed, which will add the provided domain user to the local admin group.
84
+
### SERVE ONLY: Only serve the malicious executable and command:
85
+
If the traffic is already being redirected to the attacker's machine (e.g. with control over DNS), wsuks can be used to only serve the malicious executable and command without performing the ARP spoofing and routing itself.
86
+
This will simply spawn the HTTP server on the provided interface.
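Review bot: the new SERVE ONLY section (new lines 84 to 86) is the only mode without a usage example, while both MANUAL sections end with a ```shell block; add the equivalent invocation here and name the option that selects this mode and the interface that `This will simply spawn the HTTP server on the provided interface.` refers to, since the reader otherwise cannot tell how to invoke it. Since this section contrasts itself with the ARP spoofing and routing performed in the other modes, a short sentence in the MANUAL sections stating that those steps happen by default would make that distinction explicit.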