New wsus_enum module

[qu35t-code]

Description

Hey NetExec,

This PR adds a new module, wsus_enum, which enumerates a host’s full WSUS configuration by reading the relevant registry values. The module supports both WinRM and SMB (SMB requires administrative privileges) and reports the WSUS settings found on the target. It also evaluates whether the client is susceptible to WSUS spoofing.

Output examples / Screenshots

Not vulnerable (No custom server)

SMB

• Target is not vulnerable to WSUS Spoofing (no custom WSUS configured)

• SMB access to this module requires admin privileges

WinRM

• Target is not vulnerable to WSUS Spoofing (no custom WSUS configured)

Not vulnerable (Custom WSUS with HTTPS)

• Target is not vulnerable to WSUS Spoofing (WSUS uses HTTPS)

Not vulnerable (Custom WSUS not enforced)

• Target is not vulnerable to WSUS Spoofing (WSUS not enforced)

Vulnerable

• Target use HTTP and WSUS is enforced - WSUS Spoofing

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

• Mac
• Linux

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• New and existing e2e tests pass locally with my changes
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: Add WSUS enum doc NetExec-Wiki#72)

[qu35t-code]

I saw the PR #485 where you mention that the wcc module already implements this. The advantage of my addition is that it’s compatible with both WinRM (user level privs) and SMB (admin privs), and it outputs the full WSUS configuration, providing additional contextual information. Also, I think it's possible to support RDP protocol :)

[NeffIsBack]

Thanks for the PR!

I will wait until i have reviewed #893 to check if it makes sense to have a standalone module or if we would integrate it into the wcc module.