PrintNightmare
Massive scanner:
The python script will attempt to bind to the Print Service and identify the driver path. Then it will execute the malicious driver from the UNC path. The “multi/handler” Metasploit module was used to capture the connection. Looking at the Meterpreter session, SYSTEM-level privileges have been obtained on the domain controller. This is because the malicious driver was executed in the context of the Print Spooler service rather than that of the user.
A scanner has also been incorporated into , which is a tool that can benchmark the security posture of an Active Directory. The “spooler” option from the scanner menu can scan all hosts on the domain, only servers, only workstations or only the domain controllers.
The Impacket implementation of PrintNightmare was developed by and can be found in the GitHub repository. The current version of Impacket produces errors while attempting to exploit the PrintNightmare vulnerability through the python script. Therefore it is recommended to use the version that is included in the repository. The script requires domain user credentials, the IP address of the domain controller and the UNC path where the DLL is hosted.
0x8001011b is the error code for RPC_E_ACCESS_DENIED. I know that this is an indication of a fixed system when returned for RpcAddPrinterDriver (see, e.g., the functionality of ). In this case, the error is returned for RpcEnumPrinterDrivers. I don't know in detail if this is also a valid sign of a patched system, but it does seem likely. seems to reference the same issue, so I am cross-referencing it here in case others are looking for an answer.
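As a defender-side aid for reading results like those above (an added example, not code from this page or from any of the tools it mentions): a small Python triage that decodes the 0x8001011b HRESULT into its severity, facility and code fields and classifies each host by which RPC method returned it. The scanner line format and host names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# HRESULT layout ([MS-ERREF]): bit 31 = severity (1 = failure),
# bits 16-26 = facility, bits 0-15 = code. FACILITY_RPC is 1.
FACILITY_RPC = 1
RPC_E_ACCESS_DENIED = 0x8001011B

@dataclass
class Verdict:
    host: str
    method: str
    hresult: int
    state: str  # "patched", "likely-patched", "exposed" or "unknown"

def decode_hresult(value: int) -> dict:
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    return {"failure": bool((value >> 31) & 1),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}

# Constructed line format (an assumption, not any real scanner's output): <host> <RpcMethod> <0x + 8 hex digits | OK>
LINE = re.compile(r"^(?P<host>\S+)\s+(?P<method>Rpc\w+)\s+(?P<result>0x[0-9a-fA-F]{8}|OK)$")

def triage(line: str) -> Verdict:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable scanner line: {line!r}")
    host, method, result = m.group("host", "method", "result")
    is_add = method.startswith("RpcAddPrinterDriver")
    if result == "OK":
        # The spooler accepted a driver from the caller: still exposed.
        return Verdict(host, method, 0, "exposed" if is_add else "unknown")
    hresult = int(result, 16)
    if hresult == RPC_E_ACCESS_DENIED and decode_hresult(hresult)["facility"] == FACILITY_RPC:
        # Access denied on the driver-add call is the known sign of the fix;
        # on RpcEnumPrinterDrivers it is only a likely sign.
        return Verdict(host, method, hresult, "patched" if is_add else "likely-patched")
    return Verdict(host, method, hresult, "unknown")

def triage_all(lines):
    return [triage(l) for l in lines if l.strip()]

# Constructed sample results for three hosts.
SAMPLE = """\
dc01.corp.local RpcAddPrinterDriverEx 0x8001011b
fs02.corp.local RpcEnumPrinterDrivers 0x8001011b
ws17.corp.local RpcAddPrinterDriverEx OK
"""
```

Running `triage_all(SAMPLE.splitlines())` yields patched, likely-patched and exposed for the three constructed hosts in that order.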