Discover and read the best of Twitter Threads about #PrintNightmare
Most recents (7)
Little #printnightmare (ep 4.3) upgrade : user-to-system as a service🥝
> Open SYSTEM prompt
connect to \\printnightmare[.]gentilkiwi[.]com (remove [ ]) with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', enjoy SYSTEM
(just one printer this time🤪)
> Open SYSTEM prompt
connect to \\printnightmare[.]gentilkiwi[.]com (remove [ ]) with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', enjoy SYSTEM
(just one printer this time🤪)
Of course, video quality: video.twimg.com/tweet_video/E7…
And how to protect you (reminder):
(cause you know, Microsoft does not make statements and fix for now...)
(cause you know, Microsoft does not make statements and fix for now...)
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)
connect to \\printnightmare.gentilkiwi.com with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'
(POC only, will write a log file to system32)
connect to \\printnightmare.gentilkiwi.com with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'
You can prevent this behavior by settings some parameters/GPO:
'Package Point and print - Approved servers'
> docs.microsoft.com/troubleshoot/w…
> admx.help/?Category=Wind…
Of course, disable outbound access to CIFS/SMB/RPC...
'Package Point and print - Approved servers'
> docs.microsoft.com/troubleshoot/w…
> admx.help/?Category=Wind…
Of course, disable outbound access to CIFS/SMB/RPC...
Very bad impersonation when: docs.microsoft.com/windows-hardwa…
The so called #printerbug allowed an attacker to get the NetNTLM hash of the affected server. Depending on the computer account privileges, this could lead to full domain compromise: dionach.com/blog/printer-s…
1/6
1/6
By design, some systems need to have local administrator privileges to the other, like on the Exchange Trusted Subsystem group. No SMB signing + printerbug + ntlmrelayx = Exchange server compromise, which basically means a full compromise due to exchange group privileges.
2/6
2/6
Microsoft had a call for #PrintNightmare where they repeatedly said "Disable Point and Print"
without actually saying how one would do so.
I cannot find evidence that "Point and Print" itself is a thing that can be disabled.
MS seems to really want someone to hold their beer!
🍺
without actually saying how one would do so.
I cannot find evidence that "Point and Print" itself is a thing that can be disabled.
MS seems to really want someone to hold their beer!
🍺
Is "Disable Point and Print" a thing that people can do? And if so, how?
Otherwise, I'll attribute this all to an unfortunate game of telephone.
Otherwise, I'll attribute this all to an unfortunate game of telephone.
More along the lines of Microsoft confusion:
"NoWarningNoElevationOnUpdate" isn't a term that existed until Microsoft published their CVE-2021-34527 advisory on July 6.
The registry value actually associated with updating drivers is called UpdatePromptSettings
"NoWarningNoElevationOnUpdate" isn't a term that existed until Microsoft published their CVE-2021-34527 advisory on July 6.
The registry value actually associated with updating drivers is called UpdatePromptSettings
Infosec Entry level Interview Questions 101 📜🏆
PS: These are the list of questions I have come across and questions faced by my students in their interviews.
Feel free to add more below 👇
1. What is your fav OWASP Top 10 bug
2. Explain your methodology?
#infosec #bugbounty
PS: These are the list of questions I have come across and questions faced by my students in their interviews.
Feel free to add more below 👇
1. What is your fav OWASP Top 10 bug
2. Explain your methodology?
#infosec #bugbounty
3. CSRF vs SSRF
4. What can an attacker do with XSS
5. Requirements of CSRF to happen
6. Root cause of Clickjacking
7. What is diff between SAST & DAST
8. Black/White/Grey Box Testing
9. What is threat, vulnerability, risk
10. What is CIA Triad
11. What are cookie attributes
4. What can an attacker do with XSS
5. Requirements of CSRF to happen
6. Root cause of Clickjacking
7. What is diff between SAST & DAST
8. Black/White/Grey Box Testing
9. What is threat, vulnerability, risk
10. What is CIA Triad
11. What are cookie attributes
12. What are most common business logic issues?
13. Question on Burpsuite Tabs
14. What are your fav open source tools?
15. How will you protect against ransomware?
16. What is XXE attack, explain any payload?
17. SSRF and what can be achieved?
18. How can we fix SQLi
#infosec
13. Question on Burpsuite Tabs
14. What are your fav open source tools?
15. How will you protect against ransomware?
16. What is XXE attack, explain any payload?
17. SSRF and what can be achieved?
18. How can we fix SQLi
#infosec
Disabling spooler on just your DC's is not enough #PrintNightmare
Quick testing from me and @filip_dragovic
* NoWarningNoElevationOnInstall can be set to 0
* Authenticated users do not need to be in Pre-Windows 2000 Compatible Access group
* NoWarningNoElevationOnInstall can be set to 0
* Authenticated users do not need to be in Pre-Windows 2000 Compatible Access group
Impacket 🤝[MS-PAR]
This #printnightmare / CVE-2021-1675 is really serious 🤪
Just adapted/simplified original POC then:
*From Remote standard user to SYSTEM*
Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local
➡️ disable service now (no patch yet)
Just adapted/simplified original POC then:
*From Remote standard user to SYSTEM*
Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local
➡️ disable service now (no patch yet)
As usual, video quality: video.twimg.com/tweet_video/E5…
Yes, DC is 2019 and fully patched
And 'localspl.dll' is 06/06/2021 (10.0.17763.1999)
@byt3bl33d3r @allevon412 @PythonResponder
But to be transparent, I don't have a recent CPU & TPM 2.0
That might be the problem, @msftsecurity, isn't it?
And 'localspl.dll' is 06/06/2021 (10.0.17763.1999)
@byt3bl33d3r @allevon412 @PythonResponder
But to be transparent, I don't have a recent CPU & TPM 2.0
That might be the problem, @msftsecurity, isn't it?
