An authenticated domain user can force the print spooler service to authenticate to an arbitrary IP.
Requirements
- A valid set of AD user credentials.
- Network connectivity to the target’s SMB service.
- The target host must be running the Print Spooler service.
- The host must not have enforced SMB signing.
Check if the target is vulnerable
Print Spooler Service present on target host
Check if print spooler service is running on a target host:
Equivalent PowerShell:
If the check errors...
Microsoft sometimes disables network access to these ports. If that happens, just try the exploit.
SMB Signing not enforced
Check whether either the source (if operating from a remote pivot host) or the destination requires SMB signing; the relay fails if either end enforces it.
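An added defender-side audit, not part of the original page, that checks the same two preconditions on a Windows host from the inside: whether the Spooler service is running and whether the SMB server requires signing. The `-Remediate` switch is this script's own; the cmdlets it calls (`Get-Service`, `Set-Service`, `Get-SmbServerConfiguration`, `Set-SmbServerConfiguration`) are built into Windows PowerShell.

```powershell
# Added example: local hardening audit for the two preconditions listed above.
# Run in an elevated PowerShell session on the host being audited.
# -Remediate is this script's own switch; the fixes use built-in cmdlets.
param(
    [switch]$Remediate
)

$findings = @()

# 1. Print Spooler: the coercion described above needs the service running.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -ne $spooler -and $spooler.Status -eq 'Running') {
    $findings += 'Print Spooler service is running'
    if ($Remediate) {
        # Only safe on hosts that neither serve nor use printers
        # (domain controllers are the usual case).
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# 2. SMB signing: a relay only succeeds when the server accepts unsigned sessions.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySigning) {
    $findings += 'SMB server does not require signing'
    if ($Remediate) {
        Set-SmbServerConfiguration -RequireSecuritySigning $true -Force
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Spooler not running and SMB signing required'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Remediate) { Write-Output 'Remediation applied; re-run to confirm.' }
}
```

Domain-wide, the signing requirement is the "Microsoft network server: Digitally sign communications (always)" policy; enforcing it by GPO removes the relay precondition on every member host rather than one at a time.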
Exploitation
The example below attacks auth.server.domain.name by forcing a compromised host's print spooler to authenticate against it.
Set up the authentication relay on the attacker machine (may be unstable) and specify the command to execute on auth.server.domain.name:
This relays the authentication request from the print spooler service to a domain-joined machine.
Start the attack on the compromised host (authenticate against auth.server.domain.name through attacker_ip):
Wait for the relay to receive the authentication attempt and execute the command.