Discover and read the best of Twitter Threads about #PrintNightmare

Most recent (7)

Little #printnightmare (ep 4.3) upgrade : user-to-system as a service🥝
> Open SYSTEM prompt

connect to \\printnightmare[.]gentilkiwi[.]com (remove [ ]) with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', enjoy SYSTEM
(just one printer this time🤪)
Of course, video quality: video.twimg.com/tweet_video/E7…
And how to protect yourself (reminder):

(cause you know, Microsoft does not make statements or fixes for now...)
Read 4 tweets
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)

connect to \\printnightmare.gentilkiwi.com with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'
You can prevent this behavior by setting some parameters/GPO:

'Package Point and print - Approved servers'
> docs.microsoft.com/troubleshoot/w…
> admx.help/?Category=Wind…

Of course, disable outbound access to CIFS/SMB/RPC...
Very bad impersonation when: docs.microsoft.com/windows-hardwa…
Read 5 tweets
A few things you could do with the Print Spooler service even before #printnightmare

0/6
The so-called #printerbug allowed an attacker to get the NetNTLM hash of the affected server. Depending on the computer account privileges, this could lead to full domain compromise: dionach.com/blog/printer-s…

1/6
By design, some systems need to have local administrator privileges on others, like with the Exchange Trusted Subsystem group. No SMB signing + printerbug + ntlmrelayx = Exchange server compromise, which basically means a full compromise due to Exchange group privileges.

2/6
Read 8 tweets
Microsoft had a call for #PrintNightmare where they repeatedly said "Disable Point and Print" without actually saying how one would do so.
I cannot find evidence that "Point and Print" itself is a thing that can be disabled.
MS seems to really want someone to hold their beer!
🍺
Is "Disable Point and Print" a thing that people can do? And if so, how?
Otherwise, I'll attribute this all to an unfortunate game of telephone.
More along the lines of Microsoft confusion:
"NoWarningNoElevationOnUpdate" isn't a term that existed until Microsoft published their CVE-2021-34527 advisory on July 6.
The registry value actually associated with updating drivers is called UpdatePromptSettings
Read 7 tweets
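The two threads above (the ep 4.x mitigation list, and the one on which registry value actually governs driver updates) name the settings but not how to check or apply them. The script below is an added example, not code from either thread author or from Microsoft: it audits the Point and Print values the threads and the CVE-2021-34527 advisory refer to, and with -Harden applies the "Point and Print Restrictions" and "Package Point and print - Approved servers" policies, disables the spooler and, optionally, blocks outbound SMB as the first thread suggests. The approved-server name, the -Harden and -BlockOutboundSmb switches and the firewall rule name are assumptions for illustration; RestrictDriverInstallationToAdministrators is a value Microsoft added in the August 2021 updates, after these threads were written.

```powershell
<#
  Added example (not from the threads above). Audits and optionally hardens the
  Point and Print settings named in them. Assumed: $ApprovedServers, the -Harden
  and -BlockOutboundSmb switches and the firewall rule name. Run elevated.
#>
[CmdletBinding()]
param(
    [switch]$Harden,
    [switch]$BlockOutboundSmb,                               # assumed acceptable on this host
    [string[]]$ApprovedServers = @('print01.corp.example')   # assumed trusted print server
)

$PnP = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PPP = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Missing key or value -> $null; the advisory treats "not defined" like 0.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PrintNightmareHardening {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1 = "do not show warning or elevation prompt" when a new connection installs a driver.
    $v = Get-PolicyValue $PnP 'NoWarningNoElevationOnInstall'
    if ($null -ne $v -and $v -ne 0) { $findings.Add("NoWarningNoElevationOnInstall=$v (want 0 or absent)") }

    # The real value for the driver-update case; the advisory's
    # "NoWarningNoElevationOnUpdate" is not a value Windows reads.
    $v = Get-PolicyValue $PnP 'UpdatePromptSettings'
    if ($null -ne $v -and $v -ne 0) { $findings.Add("UpdatePromptSettings=$v (want 0 or absent)") }

    # Added by the August 2021 updates: 0 lets non-admins install printer drivers again.
    $v = Get-PolicyValue $PnP 'RestrictDriverInstallationToAdministrators'
    if ($null -ne $v -and $v -ne 1) { $findings.Add("RestrictDriverInstallationToAdministrators=$v (want 1)") }

    # Without the approved-server list, package point and print accepts any server.
    if ((Get-PolicyValue $PPP 'PackagePointAndPrintServerList') -ne 1) {
        $findings.Add('Package Point and print approved-server list is not enforced')
    }

    $svc = Get-Service -Name Spooler
    if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
        $findings.Add("Spooler is $($svc.Status)/$($svc.StartType); disable it where the host never prints")
    }
    return $findings
}

function Set-PrintNightmareHardening {
    foreach ($k in $PnP, $PPP, "$PPP\ListofServers") {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Point and Print Restrictions: only listed servers, always warn and elevate.
    $restrictions = @{
        Restricted = 1; TrustedServers = 1; InForest = 0
        ServerList = ($ApprovedServers -join ';')
        NoWarningNoElevationOnInstall = 0; UpdatePromptSettings = 0
        RestrictDriverInstallationToAdministrators = 1
    }
    foreach ($name in $restrictions.Keys) {
        $type = if ($restrictions[$name] -is [string]) { 'String' } else { 'DWord' }
        Set-ItemProperty -Path $PnP -Name $name -Value $restrictions[$name] -Type $type
    }
    # Package Point and print - Approved servers: one REG_SZ per server under ListofServers.
    Set-ItemProperty -Path $PPP -Name 'PackagePointAndPrintServerList' -Value 1 -Type DWord
    foreach ($s in $ApprovedServers) {
        Set-ItemProperty -Path "$PPP\ListofServers" -Name $s -Value $s -Type String
    }
    # The measure the threads lean on first: no spooler, no RPC surface.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
    if ($BlockOutboundSmb) {
        # Cuts the "connect to \\attacker-share" step; also breaks normal file-share access.
        New-NetFirewallRule -DisplayName 'Block outbound SMB (PrintNightmare)' `
            -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block | Out-Null
    }
}

$before = Test-PrintNightmareHardening
Write-Host "Findings before: $($before.Count)"; $before | ForEach-Object { Write-Host "  - $_" }
if ($Harden) {
    Set-PrintNightmareHardening
    $after = Test-PrintNightmareHardening
    Write-Host "Findings after:  $($after.Count)"; $after | ForEach-Object { Write-Host "  - $_" }
}
```

Run it without switches to audit, then with -Harden on a test host first: Restricted/TrustedServers block connections to print servers outside the list, RestrictDriverInstallationToAdministrators stops standard users installing drivers at all, and disabling the spooler removes printing entirely, so each of these has a user-visible cost. The registry values are defence in depth rather than a fix: the thread below reports the PoC still working with NoWarningNoElevationOnInstall set to 0, which is why stopping the spooler is the measure the threads rely on while no patch was available.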
Infosec Entry-level Interview Questions 101 📜🏆

PS: This is a list of questions I have come across and questions faced by my students in their interviews.

Feel free to add more below 👇

1. What is your fav OWASP Top 10 bug?
2. Explain your methodology.
#infosec #bugbounty
3. CSRF vs SSRF
4. What can an attacker do with XSS
5. Requirements of CSRF to happen
6. Root cause of Clickjacking
7. What is the difference between SAST & DAST?
8. Black/White/Grey Box Testing
9. What is threat, vulnerability, risk
10. What is CIA Triad
11. What are cookie attributes
12. What are most common business logic issues?
13. Questions on Burp Suite tabs
14. What are your fav open source tools?
15. How will you protect against ransomware?
16. What is XXE attack, explain any payload?
17. SSRF and what can be achieved?
18. How can we fix SQLi?
#infosec
Read 7 tweets
Disabling the spooler on just your DCs is not enough #PrintNightmare
Quick testing from me and @filip_dragovic
* NoWarningNoElevationOnInstall can be set to 0
* Authenticated users do not need to be in Pre-Windows 2000 Compatible Access group
Impacket 🤝 [MS-PAR]
Read 4 tweets
This #printnightmare / CVE-2021-1675 is really serious 🤪

Just adapted/simplified original POC then:
*From Remote standard user to SYSTEM*

Here on a domain controller, but valid on all systems with RPC to the spooler available, remote or local

➡️ disable the service now (no patch yet)
As usual, video quality: video.twimg.com/tweet_video/E5…
Yes, DC is 2019 and fully patched
And 'localspl.dll' is 06/06/2021 (10.0.17763.1999)

@byt3bl33d3r @allevon412 @PythonResponder

But to be transparent, I don't have a recent CPU & TPM 2.0
That might be the problem, @msftsecurity, isn't it?
Read 4 tweets