SSL interception does not work #6
Microsoft implemented a certificate pinning mechanism to protect against this attack after the issue was disclosed to them. If the WSUS certificate pinning feature is enabled, the tool is not expected to work. See https://techcommunity.microsoft.com/t5/windows-it-pro-blog/scan-changes-and-certificates-add-security-for-windows-devices/ba-p/2053668 Is this feature currently enabled in your setup?
I thought this too, but I set the tick to not enforce it in the GPO and, as I've read in the docs, it is not enabled anyway if there are no certificates in the corresponding certificate store. So no, it is not enabled.

My setup:

dc01.lsc.lab

The client has WSUS over HTTPS configured and uses it correctly (https://dc01.lsc.lab:8531). The certificate is accepted by Microsoft Edge when accessing the IIS default page and the WSUS endpoint (using a certificate with SAN issued by the domain CA).

I'm setting the system's proxy via admin PowerShell with
netsh winhttp set proxy 127.0.0.1:13337

I'm executing the following command:
.\WSuspicious.exe /command:" -accepteula -s -d cmd /c echo 1 > C:\hacked.txt" /autoinstall /enabletls

(The attack does work if WSUS over HTTP is configured, so all prerequisites are met.)

This is what I get after running the command:

The Windows Update GUI shows error code 0x800b0109 (displayed as "signature errors").

When accessing any IIS page with the proxy activated and running, the certificate cannot be validated due to a missing subject alternative name (SAN).
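To verify the condition the maintainer points to above (and the reporter's observation that the WSUS certificate store holds no certificates), here is an added audit script that is not part of WSuspicious or of this thread. It assumes the policy value name DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection and the Cert:\LocalMachine\WSUS store are the ones the pinning feature uses; neither name appears on this page.

```powershell
# Added audit script (not part of the WSuspicious project). Reports whether the
# WSUS TLS certificate pinning described in the linked Microsoft post can take
# effect on this client. Run in an elevated PowerShell session.
# Assumptions (not stated on this page): the policy value name
# DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection and the
# Cert:\LocalMachine\WSUS store are the ones the feature uses.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$wuServer  = $policy.WUServer
$optOut    = [int]($policy.DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection)

# The WSUS store only exists once a certificate has been imported into it.
$pinned = @()
if (Test-Path 'Cert:\LocalMachine\WSUS') {
    $pinned = @(Get-ChildItem 'Cert:\LocalMachine\WSUS')
}

"WUServer                  : $wuServer"
"Pinning opt-out policy    : $optOut  (1 = pinning not enforced)"
"Certificates in WSUS store: $($pinned.Count)"
foreach ($c in $pinned) {
    "  $($c.Subject)  thumbprint=$($c.Thumbprint)  expires=$($c.NotAfter)"
}

# Pinning only takes effect when the update server is HTTPS, the opt-out
# policy is not set, and at least one certificate sits in the WSUS store.
$effective = ($wuServer -like 'https://*') -and ($optOut -ne 1) -and ($pinned.Count -gt 0)

if ($effective) {
    'RESULT: WSUS TLS certificate pinning is in effect on this client.'
} else {
    'RESULT: pinning is NOT in effect; the update client relies on ordinary'
    '        chain validation only, which is the situation this issue describes.'
    if ($wuServer -notlike 'https://*') { '  - WUServer is not an https:// URL' }
    if ($optOut -eq 1)                  { '  - opt-out policy value is set to 1' }
    if ($pinned.Count -eq 0)            { '  - no certificate imported into Cert:\LocalMachine\WSUS' }
}
```

Remediation, per the linked Microsoft post, is to clear the opt-out policy and import the WSUS server certificate into the WSUS store on each client.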