Trying to replicate the PoC in a simple setting involving two Win10 boxes with a direct network connection (i.e., no MITM involved), the process gets stuck after the SyncUpdates phase.
Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike the PoC, a GetExtendedUpdateInfo request is never received by pywsus.
Setup
Client (Win10, 10.0.0.14 ) <----------> pywsus (Win10, 10.0.0.4, local firewall disabled)
Client
Betriebssystemname: Microsoft Windows 10 Pro
Betriebssystemversion: 10.0.19043 Nicht zutreffend Build 19043
Betriebssystemhersteller: Microsoft Corporation
Betriebssystemkonfiguration: Eigenständige Arbeitsstation
Typ des Betriebssystembuilds: Multiprocessor Free
Systemtyp: x64-based PC
Prozessor(en): 1 Prozessor(en) installiert.
[01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~3003 MHz
Domain: WORKGROUP
Hotfix(es): 11 Hotfix(e) installiert.
[01]: KB5004331
[02]: KB4577266
[03]: KB4577586
[04]: KB4580325
[05]: KB4586864
[06]: KB4589212
[07]: KB4593175
[08]: KB4598481
[09]: KB5000736
[10]: KB5004237
[11]: KB5003742
PYWSUS
Betriebssystemname: Microsoft Windows 10 Pro
Betriebssystemversion: 10.0.19042 Nicht zutreffend Build 19042
Betriebssystemhersteller: Microsoft Corporation
Betriebssystemkonfiguration: Eigenständige Arbeitsstation
Typ des Betriebssystembuilds: Multiprocessor Free
Systemtyp: x64-based PC
Prozessor(en): 1 Prozessor(en) installiert.
[01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~1803 MHz
Domain: WORKGROUP
Hotfix(es): 11 Hotfix(e) installiert.
[01]: KB5004331
[02]: KB4562830
[03]: KB4577266
[04]: KB4577586
[05]: KB4580325
[06]: KB4586864
[07]: KB4589212
[08]: KB4593175
[09]: KB4598481
[10]: KB5004237
[11]: KB5003742
Windows Update Client + WSUS Configuration
Client configuration via GPO
- Internal update server + intranet server for statistics: http://10.0.0.4:8530
- no connection to MS Windows Update Servers allowed
- setting 3 enabled
pywsus is run with simplified command line: python pywsus.py -v -H 10.0.0.4 -p 8530 -e PsExec64.exe -c "/accepteula"
Results + Output of tools
Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request and responds. However, a GetExtendedUpdateInfo request is never received by pywsus. After some time the client initiates a ReportEventBatch action, which is subsequently answered by pywsus.
- The Win10 updates GUI shows no error, but also no available updates.
- The WindowsUpdateClient eventlog just contains an event with ID 26 (no updates found), but no errors.
- The WindowsUpdate log file (etl) is attached: WindowsUpdate.20210802.etl.txt
- The output of pywsus is as follows: pywsus_output.txt
Trying to replicate the PoC in a simple setting involving two Win10 boxes with a direct network connection (i.e., no MITM involved), the process gets stuck after the SyncUpdates phase.
Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request. However, unlike the PoC, a GetExtendedUpdateInfo request is never received by pywsus.
Setup
Client (Win10, 10.0.0.14 ) <----------> pywsus (Win10, 10.0.0.4, local firewall disabled)
Client
Betriebssystemname: Microsoft Windows 10 Pro
Betriebssystemversion: 10.0.19043 Nicht zutreffend Build 19043
Betriebssystemhersteller: Microsoft Corporation
Betriebssystemkonfiguration: Eigenständige Arbeitsstation
Typ des Betriebssystembuilds: Multiprocessor Free
Systemtyp: x64-based PC
Prozessor(en): 1 Prozessor(en) installiert.
[01]: Intel64 Family 6 Model 23 Stepping 10 GenuineIntel ~3003 MHz
Domain: WORKGROUP
Hotfix(es): 11 Hotfix(e) installiert.
[01]: KB5004331
[02]: KB4577266
[03]: KB4577586
[04]: KB4580325
[05]: KB4586864
[06]: KB4589212
[07]: KB4593175
[08]: KB4598481
[09]: KB5000736
[10]: KB5004237
[11]: KB5003742
PYWSUS
Betriebssystemname: Microsoft Windows 10 Pro
Betriebssystemversion: 10.0.19042 Nicht zutreffend Build 19042
Betriebssystemhersteller: Microsoft Corporation
Betriebssystemkonfiguration: Eigenständige Arbeitsstation
Typ des Betriebssystembuilds: Multiprocessor Free
Systemtyp: x64-based PC
Prozessor(en): 1 Prozessor(en) installiert.
[01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~1803 MHz
Domain: WORKGROUP
Hotfix(es): 11 Hotfix(e) installiert.
[01]: KB5004331
[02]: KB4562830
[03]: KB4577266
[04]: KB4577586
[05]: KB4580325
[06]: KB4586864
[07]: KB4589212
[08]: KB4593175
[09]: KB4598481
[10]: KB5004237
[11]: KB5003742
Windows Update Client + WSUS Configuration
Client configuration via GPO
pywsus is run with simplified command line: python pywsus.py -v -H 10.0.0.4 -p 8530 -e PsExec64.exe -c "/accepteula"
Results + Output of tools
Whenever 'check for updates' is performed on the client, pywsus receives a SyncUpdates SOAP HTTP request and responds. However, a GetExtendedUpdateInfo request is never received by pywsus. After some time the client initiates a ReportEventBatch action, which is subsequently answered by pywsus.