IPPrint C2: PoC for using MS Windows printers for persistence / C2 via Internet Printing
IPPrint C2
A Proof-of-Concept for using Microsoft Windows printers for persistence/command and control via Internet Printing.
Printing systems are an often overlooked target for attackers looking to establish command and control (C2) channels on a victim’s network. An attacker can abuse the operating system’s printing system to add and remove printers and create and manipulate printing jobs to achieve full C2 communication. We have developed a complete proof of concept of such a solution that we have successfully tested in real-world red teaming exercises. By understanding the approach taken in this specific abuse of printing systems, we can take steps to secure them and prevent them from being exploited by malicious actors.
Background story
The idea was to create a basic C2 for engagements using built-in Windows functionalities, which can then be used to execute arbitrary commands or load a preferable C2 solution.
A feature of Microsoft Windows was used that allows shared printers to be installed through the Internet Printing Protocol. Regular users can add a printer without administrative privileges as long as no driver installation is required, so an existing driver had to be used. The default “Microsoft Print to PDF” driver was chosen.
The commands to be executed are sent from the C2 Internet Printing server to the printer’s document queue as base64-encoded document names. With basic PowerShell, clients can then read these document names from the queue and execute the commands locally. Clients can also print documents to this printer; these are saved to a file on the C2 server, which is useful for fetching the results of executed commands or for exfiltrating documents. An additional plus was that adding a printer shared on the Internet passed through a couple of web proxy solutions commonly used in enterprises. Tested on Windows Server 2019 and Windows 10 / 11.
Server
Internet Information Services, Windows Print Services, Print Server and Internet Printing are required to set up a C2 server. Anonymous authentication is enabled on Internet Information Services so that clients can read the document queue without authenticating; the owner of print jobs is then the IUSR user account. The server also installs the shared printer for itself and uses it to submit jobs to its own print queue; otherwise the document owner would not be the IUSR user and clients would not be able to read the document name from the queue.
The installation script is provided in this repository and should work. Check that you can access your printer to make sure everything went well:
Once everything is set up, run IPPrintC2.ps1 and enter the commands you would like to execute on the client via the document name. The document name has a length limit: if the base64-encoded command is longer than 255 characters, it is split across several documents in the print queue. The splitting is handled by the IPPrintC2 script, while the concatenation is handled by the client.
You can also load PowerShell scripts. Keep the scripts simple, as they may take a while to be split and sent to the document queue. The scripts are also one-off, since the print queue eventually gets cleared, and the character limit is 32767.
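The two traits described above (base64-encoded document names, split into chunks of up to 255 characters, submitted under the IUSR account to an Internet Printing share) are what a defender can look for in a print queue. The following is an added triage example, not part of this repository, that scores constructed queue records against those indicators; the field names and sample values are assumptions that mimic `Get-PrintJob` output.

```python
import base64
import re
import string

# Constructed sample queue records (printer share, job owner, document name).
# They mimic the fields seen in Get-PrintJob output; none of this is real data.
SAMPLE_JOBS = [
    {"Printer": "\\\\fileserver\\Invoices", "Owner": "alice",
     "Document": "Q3 report.docx"},
    {"Printer": "http://printhost.example/printers/pdf/.printer", "Owner": "IUSR",
     "Document": base64.b64encode(b"whoami; Get-Process | Out-String").decode()},
    {"Printer": "\\\\fileserver\\Invoices", "Owner": "bob",
     "Document": "Microsoft Word - memo"},
]

# Base64 alphabet only, at least 16 characters, optional padding.
_B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
_PRINTABLE = set(string.printable.encode())


def looks_like_encoded_command(name: str) -> bool:
    """True if the document name is valid base64 that decodes to printable text.
    Ordinary titles and file names almost never pass all three checks."""
    if not _B64.match(name) or len(name) % 4:
        return False
    try:
        raw = base64.b64decode(name, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(b in _PRINTABLE for b in raw)


def suspicious_reasons(job: dict) -> list[str]:
    """Collect the indicators from the write-up that apply to one queue entry."""
    reasons = []
    if looks_like_encoded_command(job["Document"]):
        reasons.append("document name is base64-encoded text")
    if job["Printer"].lower().startswith(("http://", "https://")):
        reasons.append("printer is an Internet Printing (IPP over HTTP) share")
    if job["Owner"].upper() == "IUSR":
        reasons.append("job owned by the IIS anonymous account IUSR")
    return reasons


def triage(jobs: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (document name, reasons) for every job with at least one indicator."""
    return [(j["Document"], r) for j in jobs if (r := suspicious_reasons(j))]
```

Any single indicator can be benign on its own; a job that matches all three, or a run of consecutive jobs whose names are exactly 255 base64 characters, is what merits a closer look.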
Client
To execute commands on the client, a printer must be added and a persistent job created that fetches and executes the commands. Examples:
Copyright (c) 2024 Diverto