
printer-bug-ms-prn

Microsoft Exchange misconfiguration

  • Exchange is often granted considerable privileges in the domain, and the Exchange Windows Permissions group is not listed as a protected group. Its members have the ability to write the DACL of the domain object, which can be leveraged to grant a user DCSync privileges.

  • Organization Management is another extremely powerful group.

PrivExchange

  • The PrivExchange attack results from a flaw in the Exchange Server PushSubscription feature, which allows any domain user with a mailbox to force the Exchange server to authenticate to any host over HTTP.

  • The Exchange service runs as SYSTEM and is over-privileged by default (i.e., it holds WriteDacl on the domain object prior to the 2019 Cumulative Update). This can be leveraged to relay the coerced authentication to LDAP, grant an account DCSync rights and dump the domain NTDS database. If we cannot relay to LDAP, the authentication can instead be relayed to other hosts within the domain. This attack takes you directly to Domain Admin-level access with any authenticated domain user account that has a mailbox.

Printer Bug

  • The printer bug is a flaw in the MS-RPRN protocol (Print System Remote Protocol), the RPC interface that handles print job processing and print management between a client and a print server.

  • To leverage this flaw, any domain user can connect to the spooler's named pipe (\pipe\spoolss) with the RpcOpenPrinter method and then call RpcRemoteFindFirstPrinterChangeNotificationEx, which forces the server to authenticate to any host provided by the client over SMB. Because the Print Spooler runs as SYSTEM, the authentication that arrives is the target host's machine account.

  • This coerced authentication can be relayed to LDAP to grant your attacker account DCSync privileges and retrieve all password hashes from AD. Caveat: relaying NTLM to LDAP only works when LDAP signing (and channel binding for LDAPS) is not enforced on the destination DC, and the Print Spooler must be running and reachable on the host you coerce.
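As an added example (not code from the original notes or from any tool mentioned on this page), the following Python audits a domain object's DACL for the two things the chain above turns on: who can write the DACL (the Exchange Windows Permissions default that PrivExchange abuses) and who holds both DS-Replication-Get-Changes rights (what an LDAP relay with ntlmrelayx's --escalate-user adds). It parses SDDL, so it works on the output of (Get-Acl "AD:\DC=inlanefreight,DC=local").Sddl as well as on the old/new nTSecurityDescriptor values a Windows event 5136 logs when the domain object's security descriptor changes; new_grants diffs those two values for detection. The domain SID, the group and user SIDs and both descriptors are constructed, and the baseline set of principals expected to hold replication rights is an assumption.

```python
"""Audit a domain object's DACL for WriteDacl and DCSync holders (added example, constructed data)."""
import re

# Extended-rights GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Access-mask bits behind the SDDL two-letter codes this audit tracks
WRITE_DAC = 0x00040000       # "WD": rewrite the DACL (what Exchange Windows Permissions had)
CONTROL_ACCESS = 0x00000100  # "CR": extended rights, scoped by the ACE's object GUID
GENERIC_ALL = 0x10000000     # "GA": full control
RIGHT_CODES = {"WD": WRITE_DAC, "CR": CONTROL_ACCESS, "GA": GENERIC_ALL}

# Assumed baseline of SDDL SID aliases expected to hold replication rights:
# Administrators, Domain Controllers, Enterprise Domain Controllers, Domain Admins, Enterprise Admins
DEFAULT_HOLDERS = {"BA", "DD", "ED", "DA", "EA"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl):
    """Return the DACL's ACEs as dicts (type, flags, rights, object GUID, SID); the SACL is ignored."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed or unsupported ACE string
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = fields[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "object": obj_guid.lower(), "sid": sid})
    return aces


def rights_mask(rights):
    """Map an SDDL rights field (hex mask or concatenated two-letter codes) onto the tracked bits."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_CODES.get(rights[i:i + 2], 0)
    return mask


def _effective(ace):
    """Keep allow ACEs that apply to the object itself: skip deny ACEs and inherit-only ones."""
    flag_codes = {ace["flags"][i:i + 2] for i in range(0, len(ace["flags"]), 2)}
    return ace["type"] in ("A", "OA") and "IO" not in flag_codes


def write_dacl_holders(sddl):
    """SIDs that can rewrite the DACL (and so grant themselves anything, DCSync included)."""
    return {a["sid"] for a in parse_aces(sddl)
            if _effective(a) and rights_mask(a["rights"]) & (WRITE_DAC | GENERIC_ALL)}


def dcsync_holders(sddl):
    """SIDs holding both replication rights, via the specific GUIDs, a blanket CR (no GUID), or GA."""
    granted = {}
    for a in parse_aces(sddl):
        if not _effective(a):
            continue
        mask = rights_mask(a["rights"])
        if mask & GENERIC_ALL or (mask & CONTROL_ACCESS and a["object"] == ""):
            granted.setdefault(a["sid"], set()).update(DCSYNC_GUIDS)  # every extended right
        elif mask & CONTROL_ACCESS and a["object"] in DCSYNC_GUIDS:
            granted.setdefault(a["sid"], set()).add(a["object"])
    return {sid for sid, guids in granted.items() if guids == DCSYNC_GUIDS}


def audit_domain_dacl(sddl, baseline=DEFAULT_HOLDERS):
    """Findings for one descriptor: who outside the baseline can DCSync or can write the DACL."""
    return {"can_dcsync": sorted(dcsync_holders(sddl) - baseline),
            "can_write_dacl": sorted(write_dacl_holders(sddl) - baseline)}


def new_grants(old_sddl, new_sddl):
    """Detection view: diff the old/new nTSecurityDescriptor values of an event 5136 pair."""
    return {"dcsync": sorted(dcsync_holders(new_sddl) - dcsync_holders(old_sddl)),
            "write_dacl": sorted(write_dacl_holders(new_sddl) - write_dacl_holders(old_sddl))}


# Constructed sample: a trimmed domain-object DACL with the defaults plus the
# pre-2019-CU Exchange Windows Permissions WriteDacl ACE (all SIDs are made up)
DOMAIN_SID = "S-1-5-21-1001-1002-1003"
EXCH_WIN_PERMS = DOMAIN_SID + "-1130"   # hypothetical Exchange Windows Permissions group
ATTACKER = DOMAIN_SID + "-1105"         # hypothetical user escalated by the LDAP relay
BEFORE = ("O:DAG:DAD:AI"
          "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
          "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;BA)"
          f"(OA;;CR;{DS_REPL_GET_CHANGES};;DD)"
          f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;DD)"
          f"(OA;;CR;{DS_REPL_GET_CHANGES};;ED)"
          "(A;;RPLCLORC;;;DU)"
          f"(A;;RPLCLORCWD;;;{EXCH_WIN_PERMS})")
# The same DACL after a relay has added the two DCSync ACEs for the attacker
AFTER = BEFORE + (f"(OA;;CR;{DS_REPL_GET_CHANGES};;{ATTACKER})"
                  f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;{ATTACKER})")

if __name__ == "__main__":
    print("before relay:", audit_domain_dacl(BEFORE))
    print("after relay: ", audit_domain_dacl(AFTER))
    print("5136 diff:   ", new_grants(BEFORE, AFTER))
```

On the "before" descriptor the only finding is the Exchange group's WriteDacl; on the "after" descriptor the relayed user shows up as a DCSync holder, and the diff is exactly the ACE pair the relay wrote. An ACE with CR and no object GUID grants every extended right, which is why Administrators and Domain Admins count as holders here and why the baseline subtraction matters.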

Enumerate the MS-RPRN printer bug (spooler status)

Import-Module .\SecurityAssessment.ps1
# Returns ComputerName / Status; Status True means the target's Print Spooler is reachable, the precondition for coercing it
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
