Potatoes, EternalBlue, PrintNightmare: ways to detect SMB protocol vulnerabilities

Hi everyone! My name is Vlad Kuznetsov, I'm a SOC analyst at K2 Cybersecurity. SMB is one of the most widespread network communication protocols for secure management of files and various services on a remote server. Despite being indispensable, SMB can be an excellent loophole for hacker attacks. In this article I'll cover the exploitation principles and detection methods for vulnerabilities such as Potatoes, EternalBlue and PrintNightmare, as well as the SMBExec script. At the end of the article you'll find detailed information on configuring advanced audit policies and a list of general recommendations for localizing and remediating vulnerabilities related to the SMB protocol.

https://habr.com/ru/companies/k2tech/articles/892202/

#smb #smb_протокол #уязвимости #уязвимость #rottenpotato #eternalblue #printnightmare #сетевой_протокол #кибербезопасность #информационная_безопасность
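An added example for the detection side of the article, not code from the Habr post or its author: a PowerShell hunt over the Print Spooler event logs for the traces a PrintNightmare-style driver installation leaves behind, correlated with fresh DLLs in the x64 driver store. It assumes the Microsoft-Windows-PrintService/Operational log has been enabled (it is off by default) and that the driver allowlist below is an illustrative placeholder for your own.

```powershell
# Added example, not from the original article. Hunts the Print Spooler event logs for the
# traces a PrintNightmare-style driver installation leaves, then lists recently written
# DLLs in the x64 driver store to correlate against. Assumptions: the Operational log is
# enabled, and $KnownDrivers is an illustrative allowlist you replace with your own.
param(
    [int]$Days = 7
)
$Since = (Get-Date).AddDays(-$Days)

# Illustrative allowlist of driver names expected in this environment (assumption).
$KnownDrivers = @(
    'Microsoft Print To PDF',
    'Microsoft XPS Document Writer',
    'Microsoft enhanced Point and Print compatibility driver'
)

function Get-SpoolerEvents {
    param([string]$LogName, [int]$Id, [datetime]$StartTime)
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $StartTime } -ErrorAction Stop
    } catch { @() }
}

# Event 316 (Operational): "Printer driver <name> for Windows x64 Version-3 was added or updated".
# The driver name is parsed out of the message text; an unknown name is what deserves a look.
$AddedDrivers = Get-SpoolerEvents -LogName 'Microsoft-Windows-PrintService/Operational' -Id 316 -StartTime $Since |
    ForEach-Object {
        $driver = if ($_.Message -match 'Printer driver (.+?) for Windows') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Driver  = $driver
            Known   = $KnownDrivers -contains $driver
            Message = $_.Message
        }
    } | Where-Object { -not $_.Known }

# Event 808 (Admin): "The print spooler failed to load a plug-in module <path>". A DLL dropped
# into the driver directory that is not a real print driver typically fails to load and logs this.
$FailedLoads = Get-SpoolerEvents -LogName 'Microsoft-Windows-PrintService/Admin' -Id 808 -StartTime $Since |
    Select-Object TimeCreated, Message

# Fresh DLLs in the driver store. Legitimate driver updates land here too, so use this to
# corroborate the events above rather than as an alert on its own.
$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
$NewDlls = Get-ChildItem -Path $DriverDir -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    Select-Object FullName, LastWriteTime

"== Unknown driver installs (event 316) since $Since =="
$AddedDrivers | Format-Table Time, Driver -AutoSize
"== Plug-in load failures (event 808) =="
$FailedLoads | Format-Table -Wrap
"== DLLs written to $DriverDir =="
$NewDlls | Format-Table -AutoSize
```

Enable the Operational log first with `wevtutil set-log Microsoft-Windows-PrintService/Operational /enabled:true`; the Admin log is on by default, but event 316 only exists in the Operational log, so without it the first section is always empty. On a system that is not a print server, any event 316 or 808 in the window is worth a look regardless of the allowlist.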


HOW TO DISABLE PRINT SPOOLER ON DOMAIN CONTROLLERS

Print Spooler is a service that takes care of print management. This includes, but is not limited to, managing printer drivers, scheduling print jobs, etc.

Print Spooler had a critical vulnerability in the past referred to as PrintNightmare (CVE-2021-34527). This vulnerability allowed attackers to execute code with administrator privileges.

The Print Spooler vulnerability was patched promptly, so if you have updated systems, the immediate risk associated with PrintNightmare is no longer present. And for normal systems, it is usually not feasible to disable Print Spooler. It would make printing impossible, which is usually not desirable.

But domain controllers are a critical part of Active Directory and need to be as secure as possible, which means blocking everything that is not needed. And you certainly should not need to print on domain controllers, so it’s a good idea to disable Print Spooler on domain controllers.

📺 Watch my YouTube video below on how to disable Print Spooler on Domain Controllers 👇 👇
https://youtu.be/O80HHKdnbcQ

#cswlrd #printspooler #domaincontrollers #printnightmare #videotutorial

PrintNightmare: the ongoing challenges of Windows Print Spooler security

Since the discovery of the PrintNightmare vulnerability in 2021, the Windows Print Spooler service has remained a major target for cyberattacks. Despite ve

Tech Nieuws

🆕 New blog post! "The PrintNightmare is not Over Yet"

ℹ️ In this article, I take a look back at a previous post I wrote earlier this year about PrintNightmare. It turns out the Point and Print configuration I recommended at the end is still prone to Man-in-the-Middle attacks. So, I discuss that here, as well as additional mitigation I considered.

Props to @parzel and @l4x4 who both reported this issue to me.

👉 https://itm4n.github.io/printnightmare-not-over/

#printnightmare #windows #privesc #pentesting #pentest

The PrintNightmare is not Over Yet

Following the publication of my blog post A Practical Guide to PrintNightmare in 2024, a few people brought to my attention that there was a way to bypass the Point and Print (PnP) restrictions recommended at the end. So, rather than just updating this article with a quick note, I decided to dig a little deeper, and see if I could find a better way to protect against the exploitation of PnP configurations.

itm4n’s blog

Another Hypetweet FAIL

The #CUPS vuln isn't exactly nothing. It's an RCE vulnerability and is now exploitable. However, it isn't #Printnightmare.

I'm firmly of the opinion that one should either fully disclose or coordinate disclosure of vulnerabilities.

Anything else just panics people, harms our ability to respond to real threats, and distracts from things that really matter.

Pick a lane.

#Glassof0J #Infosec #Vulnerability #TVM

https://youtu.be/WimG264WkXM


📺 Watch the recording on Patreon (English)
https://www.patreon.com/posts/how-to-disable-106780220?utm_medium=clipboard_copy&utm_source=copyLink&utm_campaign=postshare_creator&utm_content=join_link

📺 Watch the recording on Forendors (Czech)
https://www.forendors.cz/p/39ff110621ce2c644f22b4208dbd07d4

📺 Watch the recording on Herohero (Czech)
https://herohero.co/cswrld/post/bceroxowdykkdetywahfshfeaca

👍Share, like, comment!

#video #tutorial #cswrld #printspooler #printnightmare

A Practical Guide to PrintNightmare in 2024

Although PrintNightmare and its variants were theoretically all addressed by Microsoft, it is still affecting organizations to this date, mainly because of quite confusing group policies and settings. In this blog post, I want to shed a light on those configuration issues, and hopefully provide clear guidance on how to remediate them.

itm4n’s blog
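Both itm4n posts above come down to Point and Print policy values that are easy to get wrong. The following is an added example, not code from itm4n's blog: it reads those values from the policy registry key, compares them with the hardened values from Microsoft's post-PrintNightmare guidance, and prints what differs. The "Default" column is what Windows applies when a value is absent after the August 2021 updates; the approved-server list at the end is shown for review only, since the follow-up post found that configuration still prone to Man-in-the-Middle attacks.

```powershell
# Added example, not from itm4n's blog. Audits the Point and Print policy values that decide
# whether a standard user can pull a driver from a remote print server. Expected values follow
# Microsoft's post-PrintNightmare guidance; "Default" is the behaviour when the value is absent.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PkgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

$Checks = @(
    [pscustomobject]@{ Name = 'RestrictDriverInstallationToAdministrators'; Key = $PnPKey; Expected = 1; Default = 1
                       Why  = 'Only administrators may install print drivers' }
    [pscustomobject]@{ Name = 'NoWarningNoElevationOnInstall';              Key = $PnPKey; Expected = 0; Default = 0
                       Why  = 'Warn and elevate when installing a driver for a new connection' }
    [pscustomobject]@{ Name = 'UpdatePromptSettings';                       Key = $PnPKey; Expected = 0; Default = 0
                       Why  = 'Warn and elevate when an existing connection driver is updated' }
)

function Get-RegDword {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$Results = foreach ($c in $Checks) {
    $actual    = Get-RegDword -Key $c.Key -Name $c.Name
    $effective = if ($null -eq $actual) { $c.Default } else { $actual }
    [pscustomobject]@{
        Setting   = $c.Name
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Effective = $effective
        Expected  = $c.Expected
        Status    = if ($effective -eq $c.Expected) { 'OK' } else { 'WEAK' }
        Why       = $c.Why
    }
}
$Results | Format-Table Setting, Actual, Effective, Expected, Status -AutoSize
$Results | Where-Object Status -eq 'WEAK' | ForEach-Object { Write-Warning "$($_.Setting): $($_.Why)" }

# Informational: the approved-server restriction (TrustedServers=1 turns the semicolon-separated
# ServerList on) and whether only package-aware drivers are allowed. A server name on this list
# is matched by name, not authenticated, so review it rather than treat it as a hard control.
$Trusted  = Get-RegDword -Key $PnPKey -Name 'TrustedServers'
$List     = (Get-ItemProperty -Path $PnPKey -Name 'ServerList' -ErrorAction SilentlyContinue).ServerList
$PkgOnly  = Get-RegDword -Key $PkgKey -Name 'PackagePointAndPrintOnly'
"Point and Print approved servers enforced : $($Trusted -eq 1)"
"Server list                               : $(if ($List) { $List } else { '(none)' })"
"Package Point and Print only              : $($PkgOnly -eq 1)"
```

Run it on a representative workstation after a `gpupdate /force`; the values live under the Policies hive, so a "(not set)" result means no GPO is delivering the setting and the Windows default applies, which for RestrictDriverInstallationToAdministrators is the safe one and for the two prompt settings is as well. The WEAK case to look for is NoWarningNoElevationOnInstall or UpdatePromptSettings explicitly set to 1, which is exactly the silent-install configuration the blog posts warn about.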

What do PetitPotam, NTLM Relay and PrintNightmare have in common? We explain what missing updates can lead to

The УЦСБ Cybersecurity Center team continues to share the most interesting pentest practices. As a reminder, in the previous article we wrote about how we managed to breach the perimeter from two points, Windows and Linux servers, and take over the company's internal infrastructure. This time we'll show how compromising an Active Directory (AD) domain can lead to a complete halt of the company's operations for an indefinite period. We hope our cases will be useful to you and that this experience will help you avoid similar problems!

https://habr.com/ru/articles/787018/

#информационная_безопасность #пентест #activedirectory #petitpotam #ntlm_relay #printnightmare


Happy Monday everyone!

I am sifting through the Cisco Talos Intelligence Group "Year In Review" report that was recently published and highlighting some of the things that I found useful/interesting from my perspective.

Top Targeted Vulnerabilities:
7/10 of the top CVEs belonged to #Microsoft. Now I am not pointing fingers, I think it is there simply because the vast majority of environments are Windows.
What IS concerning is that there are multiple vulnerabilities that were being exploited that were either 10 years old or ALMOST 10 years old.
8/10 of the top CVEs had a score of 9 or above.

One of these CVEs was CVE-2021-1675, which is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. One product of this vulnerability was the #PrintNightmare exploit that was leveraged by the #Magniber ransomware group.

Stay tuned for more as we work our way through this report! Enjoy and Happy Hunting!

https://blog.talosintelligence.com/talos-year-in-review-2022/

Talos Year in Review 2022

We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. As these Year in Review reports continue in the future, we aim to help explain how the threat landscape changes from one year to the next.

Cisco Talos Blog

Do you have Print Spooler enabled on your Domain Controllers? Do you know that the PrintNightmare critical vulnerability was related to the Print Spooler service?

Print Spooler should be disabled on Domain Controllers completely. You can easily disable it via GPO. #cybersecurity #tip #ad #dc #printspooler #printnightmare https://www.cswrld.com/2023/12/how-to-disable-print-spooler-on-domain-controllers/
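The two cswrld posts above describe the procedure (audit which domain controllers still run Print Spooler, then disable it, ideally through GPO). The following is an added example, not the page's or cswrld's own script: it finds every domain controller whose Print Spooler is running or enabled, reports it, refuses to touch a DC that is sharing printers, and otherwise stops and disables the service over WinRM. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs and Domain Admin rights.

```powershell
# Added example, not the page's or cswrld's own script. Audits Print Spooler on all domain
# controllers and stops/disables it where it is still active. Assumes the ActiveDirectory module,
# WinRM to each DC and Domain Admin rights. The durable fix is the GPO the post refers to
# (Computer Configuration > Policies > Windows Settings > Security Settings > System Services >
# Print Spooler = Disabled, linked to the Domain Controllers OU); this script is the audit and
# the immediate remediation that goes with it.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

Import-Module ActiveDirectory -ErrorAction Stop
$DCs = (Get-ADDomainController -Filter *).HostName

# Audit: service state, plus whether the DC is (wrongly) sharing printers, which disabling would break.
$Audit = Invoke-Command -ComputerName $DCs -ErrorAction Continue -ScriptBlock {
    $svc = Get-Service -Name Spooler
    $shared = if ($svc.Status -eq 'Running') {
        @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared).Count
    } else { 0 }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared
    }
}
$Audit | Format-Table Computer, Status, StartType, SharedPrinters -AutoSize

$NeedsFix = @($Audit | Where-Object { $_.Status -ne 'Stopped' -or $_.StartType -ne 'Disabled' })
if ($NeedsFix.Count -eq 0) {
    'Print Spooler is already stopped and disabled on all domain controllers.'
    return
}

foreach ($dc in $NeedsFix) {
    if ($dc.SharedPrinters -gt 0) {
        Write-Warning "$($dc.Computer) shares $($dc.SharedPrinters) printer(s); move them to a print server before disabling Spooler. Skipping."
        continue
    }
    # -WhatIf on the script turns this into a dry run.
    if ($PSCmdlet.ShouldProcess($dc.Computer, 'Stop and disable Print Spooler')) {
        Invoke-Command -ComputerName $dc.PSComputerName -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
}

# Verify the end state on the DCs that were touched.
Invoke-Command -ComputerName $NeedsFix.PSComputerName -ScriptBlock {
    Get-Service -Name Spooler | Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Status, StartType
} | Format-Table -AutoSize
```

Run it once with `-WhatIf` to see which DCs would be changed. Disabling the service by hand is only a point fix: without the GPO, a later administrator or a driver install can set the start type back to Manual or Automatic, so the service-state audit above is worth scheduling as a recurring check even after the policy is in place.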