TL;DR

If an attacker controls a machine with unconstrained delegation, they can use the printer bug to coerce a domain controller into authenticating to that machine and then extract the domain controller's computer account TGT from its memory. This also works across domains, and across forests joined by a bidirectional trust that still permits TGT delegation.

Background

The printer bug is a "feature" of the Windows Print System Remote Protocol (MS-RPRN): any authenticated domain user can ask a host's print spooler to send it change notifications for a printer (the RpcRemoteFindFirstPrinterChangeNotificationEx call), naming an arbitrary host as the recipient. The target's spooler, which runs as SYSTEM, then connects to the named host and authenticates with the target's machine account. Because that authentication is Kerberos, the target obtains a service ticket for the recipient host; if the recipient's account is trusted for unconstrained delegation, the KDC flags that ticket ok-as-delegate and the target's Kerberos client forwards a copy of its own TGT inside the AP-REQ, where the recipient's LSASS caches it.

What this means is that an attacker who controls a machine with unconstrained delegation can use the printer bug to coerce a domain controller into authenticating to that machine and extract the domain controller's computer account TGT.

Step by step for Unconstrained Delegation + "The Printer Bug":

  1. Compromise a server configured with unconstrained delegation
  2. Begin monitoring the host's LSA for TGTs arriving in new logon sessions
  3. Coerce a domain controller into authenticating to the unconstrained server using SpoolSample (Lee Christensen's printer bug implementation)
  4. Load the extracted TGT into your session, DCSync the krbtgt account, profit!

Bottom line

If you compromise a computer configured for unconstrained delegation, you can compromise the entire domain (and, through the domain controllers' credentials, the forest!)

Worth Noting

Cross domains

A compromised host with unconstrained delegation (a domain controller is one example, since DC computer accounts are trusted for unconstrained delegation by default) can trigger the spool request against a domain controller in a different domain or forest, provided a bidirectional trust exists and that trust still permits TGT delegation across it.

Step by step (see picture on the right):

  1. Compromise any server with unconstrained delegation in FOREST B, for example a domain controller (DCB).
  2. Begin monitoring for 4624 logon events on the compromised FOREST B server and extract TGTs from each new logon session through the established LSA APIs. This can be done with Rubeus' monitor action.
  3. Trigger the MS-RPRN "printer bug" against a domain controller (e.g. DCA) in FOREST A. This can be done with Lee Christensen's proof-of-concept code, SpoolSample.
  4. FOREST A's domain controller will authenticate to the attacker-controlled server in FOREST B with the FOREST A domain controller machine account (DCA$ in this case). A forwarded TGT for DCA$ travels with the service ticket in the AP-REQ sent to the attacker-controlled server and is cached in its LSASS memory for a short period of time.
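The defender-side checks for the two preconditions this cross-forest variant depends on (unconstrained hosts beyond the DCs, and trusts that still forward TGTs), added here as an example and not code from the original page. It assumes the ActiveDirectory RSAT module and uses foresta.local and forestb.local as placeholder forest names.

```powershell
# Added example (not from the original page): defender-side checks for the two
# preconditions of the cross-forest variant. Needs the ActiveDirectory RSAT
# module; the forest names are assumptions.
Import-Module ActiveDirectory

# 1. Everything trusted for unconstrained delegation (userAccountControl bit
#    0x80000 = 524288; the OID is the LDAP bitwise-AND matching rule). Domain
#    controllers (primaryGroupID 516, RODCs 521) are expected here; any other
#    hit is a host whose compromise hands over the domain as described above.
$unconstrained = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties sAMAccountName, primaryGroupID, servicePrincipalName, operatingSystem
$unconstrained |
    Where-Object { $_.primaryGroupID -notin 516, 521 } |
    Format-Table sAMAccountName, objectClass, operatingSystem -AutoSize

# 2. Trusts that still allow TGTs to be forwarded across them. Since Microsoft's
#    July 2019 updates (KB4490425) the default for incoming forest trusts is
#    TGTDelegation = False, which closes this cross-forest path; an older trust
#    may still report True.
Get-ADTrust -Filter * |
    Format-Table Name, Direction, ForestTransitive, TGTDelegation, SelectiveAuthentication -AutoSize

# 3. To turn it off, netdom's trust syntax is
#      netdom trust <TrustingDomain> /domain:<TrustedDomain> /EnableTgtDelegation:No
#    For the scenario above, where FOREST B (unconstrained host) trusts FOREST A
#    (coerced DC), that is:
#      netdom trust forestb.local /domain:foresta.local /EnableTgtDelegation:No
#    Confirm which side is trusting and which is trusted against KB4490425 for
#    your own trust before running it.

# 4. Privileged accounts whose TGT could still be forwarded to an unconstrained
#    host: mark them 'Account is sensitive and cannot be delegated' or put them
#    in Protected Users, both of which stop TGT forwarding entirely.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties AccountNotDelegated, memberOf |
    Where-Object {
        -not $_.AccountNotDelegated -and
        -not ($_.memberOf -match '^CN=Protected Users,')
    } |
    Select-Object SamAccountName, AccountNotDelegated
```

Step 1 is the check that matters most: the attack needs one unconstrained host that is weaker than a DC, so a member server or service account in that list is the real finding. The TGTDelegation column in step 2 tells you whether the cross-forest leg of the attack is even possible against your environment today; machine accounts cannot be protected by Protected Users, so for the DCs themselves the trust setting and spooler hardening are the controls.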