NeffIsBack · jobarasoined · May 1, 2026 · jobarasoined · May 1, 2026 · jobarasoined
diff --git a/wsuks/lib/argparser.py b/wsuks/lib/argparser.py
@@ -47,6 +47,7 @@ def initParser():
     advanced.add_argument("--WSUS-Server", metavar="", dest="wsusHost", help="IP or DNS name of the WSUS Server.")
     advanced.add_argument("--WSUS-Port", metavar="", dest="wsusPort", type=int, help="Port of the WSUS Server. (DEFAULT: 8530 for HTTP, 8531 for HTTPS)")
     advanced.add_argument("--tls-cert", metavar="", dest="tlsCert", help="Path to a TLS certificate that is valid for the WSUS Server. Turns on HTTPS mode.")
+    advanced.add_argument("--tls-certKey", metavar="", dest="tlsCertKey", help="Path to a TLS certificate private key that is valid for the WSUS Server. Turns on HTTPS mode.")
 
     webserver = mode_parser.add_argument_group("SERVE ONLY MODE", "Only run Webserver. Recommended if you have control over DNS and the traffic comes directly from the victim to your machine.")
     webserver.add_argument("--serve-only", action="store_true", help="Serve the executable and command without any arp spoofing, network magic or WSUS discovery.")

diff --git a/wsuks/wsuks.py b/wsuks/wsuks.py
@@ -140,11 +140,37 @@ def run(self):
             if not os.path.isfile(self.args.tlsCert):
                 self.logger.error(f"TLS certificate file '{self.args.tlsCert}' not found! Exiting...")
                 exit(1)
+
+            if self.args.tlsCertKey:
+                if not os.path.isfile(self.args.tlsCertKey):
+                    self.logger.error(f"TLS certificate Key file '{self.args.tlsCertKey}' not found! Exiting...")
+                    exit(1)
+
             self.logger.info(f"Using TLS certificate '{self.args.tlsCert}' for HTTPS WSUS Server")
+            # checking if the cert has the private key baked within the cert
+            # https://docs.python.org/3/library/ssl.html#combined-key-and-certificate
+
+            if not self.args.tlsCertKey:
+                with open(self.args.tlsCert, 'r') as h:
+                    data = h.read()
+                    has_private_key = "-----BEGIN PRIVATE KEY-----" in data or "-----BEGIN RSA PRIVATE KEY-----" in data
+                    has_cert = "-----BEGIN CERTIFICATE-----" in data
+                    if has_cert and has_private_key:
+                        self.logger.warning("Private key BEGIN in the certfile is not secure separate the two and keep the private key safe")
+                    else:
+                        self.logger.error("No private key found. Supply it using --tls-certKey")
+                        # To perform TLS server authentication (decrypt/session key ops, prove ownership) the server needs the corresponding private key. The cert alone cannot do that.
+                        exit(1)
+
+            self.logger.info(f"Using TLS certificate private key '{self.args.tlsCertKey}' for HTTPS WSUS Server")
+        try:
             context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-            context.load_cert_chain(certfile=self.args.tlsCert)
+            context.load_cert_chain(certfile=self.args.tlsCert, keyfile=self.args.tlsCertKey)
             context.check_hostname = False
             http_server.socket = context.wrap_socket(http_server.socket, server_side=True)
+        except ssl.SSLError:
+            self.logger.error("Make sure The cert in a PEM format not a DER")
+            exit(1)
 
         try:
             self.logger.info(f"Starting WSUS Server on {self.hostIp}:{self.wsusPort}...")