We covered the Print Nightmare Exploit from a defensive perspective where we performed an incident response and extracted the related artifacts to the exploit using Wireshark, Brim and Windows event viewer. This was part of TryHackMe Printermare room.

Understanding Denial of Service (DoS) Attacks

I learned that a Denial of Service (DoS) attack aims to make a machine or network resource unavailable to its intended users. This is typically achieved by temporarily or indefinitely disrupting services of a host connected to the internet.

The video specifically focused on Slowloris, which is a type of DoS attack tool. It works by opening many partial HTTP connections to a target web server and keeping them open for as long as possible. This ties up the server’s resources, eventually making it unable to accept new connections from legitimate users.

How Slowloris Works

I understood that Slowloris operates by:

  1. Sending a complete HTTP request, but not a complete one. It sends a partial request, like just the headers, and then slowly sends additional headers at regular intervals.
  2. This makes the server wait for the rest of the request to arrive.
  3. By doing this with many concurrent connections, Slowloris exhausts the server’s connection pool. Once the server runs out of available connections, it can no longer serve legitimate users, leading to a denial of service.

The attack is effective because it uses minimal bandwidth from the attacker’s side and can be executed from a single machine. It’s particularly effective against web servers that rely on a limited number of worker threads or processes to handle connections.

Practical Demonstration and Technical Commands

The video demonstrated how to use Slowloris, including setting up a test environment.

Setting up a Test Environment (Implied Commands/Actions):

  • I would need a Kali Linux machine (attacker) and a Windows Server (target) with IIS (Internet Information Services) installed.
  • I’d configure the firewall on the Windows Server to allow HTTP traffic on port 80.

Using Slowloris:

  1. Downloading Slowloris:
    • I’d typically clone it from a GitHub repository.
    • Command: git clone https://github.com/gkbrk/slowloris.git (This command was not explicitly shown but is the standard way to get it).
    • Then, I would navigate into the cloned directory: cd slowloris.
  2. Running Slowloris:
    • The basic command to launch a Slowloris attack is: python3 slowloris.py <target_IP_address>
      • Example: python3 slowloris.py 10.10.10.100 (assuming 10.10.10.100 is the target IP).
  3. Monitoring the Attack:
    • On the attacker machine, the Slowloris script would show output indicating the number of open connections.
    • On the target Windows Server, I would monitor the Task Manager (specifically the “Performance” tab or “Resource Monitor”) to observe the CPU and memory usage, and the number of active HTTP connections. I’d expect to see a significant increase in connections and potentially high resource utilization as the attack progresses.
    • I’d also try to access the web server from another machine to confirm the denial of service.
Per Microsoft, “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights“.
Microsoft defines the Print spooler service as a service that runs on each computer system. As you can guess from the name, the Print spooler service manages the printing processes. The Print spooler’s responsibilities are managing the print jobs, receiving files to be printed, queueing them, and scheduling.

To better understand the PrintNightmare vulnerability (or any vulnerability), you should get into the habit of researching the vulnerabilities by reading Microsoft articles on any Windows-specific CVE or browsing through the Internet for community and vendor blogposts.

There has been some confusion if the CVE-2021-1675 and CVE-2021-34527 are related to each other. They go under the same name: Windows Print Spooler Remote Code Execution Vulnerability and are both related to the Print Spooler.

As Microsoft states in the FAQ, the PrintNightmare (CVE-2021-34527) vulnerability “is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well.”

What did Microsoft mean by the attack vector? To answer this question, let’s look into the differences between the two vulnerabilities and append the timeline of events.

Per Microsoft’s definition, PrintNightmare vulnerability is “a remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”.

Running arbitrary code involves executing any commands of the attacker’s choice and preference on a victim’s machine.
Suppose you had a chance to look at both CVE’s on Microsoft. You would notice that the attack vectors for both are different.

To exploit the CVE-2021-1675 vulnerability, the attacker would need to have direct or local access to the machine to use a malicious DLL file to escalate privileges. To exploit the CVE-2021-34527 vulnerability successfully, the attacker can remotely inject the malicious DLL file.

Room Answers
Where would you enable or disable Print Spooler Service?
Provide the CVE of the Windows Print Spooler Remote Code Execution Vulnerability that doesn’t require local access to the machine.

What date was the CVE assigned for the vulnerability in the previous question? (mm/dd/yyyy)

Provide the CVE of the Windows Print Spooler Remote Code Execution Vulnerability that doesn’t require local access to the machine.

What date was the CVE assigned for the vulnerability in the previous question? (mm/dd/yyyy)

What is the flag residing on the Administrator’s Desktop?
Provide the first folder path where you would likely find the dropped DLL payload.

Provide the function that is used to install printer drivers.

What tool can the attacker use to scan for vulnerable print servers?

Provide the name of the dropped DLL, including the error code. (no space after the comma)
Provide the event log name and the event ID that detected the dropped DLL. (no space after the comma)

Find the source name and the event ID when the Print Spooler Service stopped unexpectedly and how many times was this event logged? (format: answer,answer,answer)

After some threat hunting steps, you are more confident now that it’s a PrintNightmare attack. Hunt for the attacker’s shell connection. Provide the log name, event ID, and destination port. (format: answer,answer,answer)

Oh no! You think you’ve found the attacker’s connection. You need to know the attacker’s IP address and the destination hostname in order to terminate the connection.  Provide the attacker’s IP address and the hostname. (format: answer,answer)

Sysmon FileCreated event was generated and logged. Provide the full path to the dropped DLL and the earliest creation time in UTC.  (format:answer,yyyy-mm-dd hh-mm-ss)

What is the host name of the domain controller?

What is the local domain?

What user account was utilized to exploit the vulnerability?

What was the malicious DLL used in the exploit?

What was the attacker’s IP address?

What was the UNC path where the malicious DLL was hosted?

There are encrypted packets in the results. What was the associated protocol?

Provide two ways to manually disable the Print Spooler Service. (format: answer,answer)

Where can you disable the Print Spooler Service in Group Policy? (format: no spaces between the forward slashes)

Provide the command in PowerShell to detect if Print Spooler Service is enabled and running.

Video Walkthrough

,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles