diff --git a/README.md b/README.md index 7912e74..37dec6b 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ cd impacket python3 ./setup.py install ``` -#### CVE-2021-1675.py +### CVE-2021-1675.py ``` usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share @@ -84,3 +84,28 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_ # Reboot ``` +### Scanning + +We can use `rpcdump.py` from impacket to scan for vulnerable hosts, if it returns a value, it's vulnerable + +``` +rpcdump.py @192.168.1.10 | grep MS-RPRN + +Protocol: [MS-RPRN]: Print System Remote Protocol +``` + +### Mitigation + +Disable Spooler service + +```powershell +Stop-Service Spooler +REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start " /t REG_DWORD /d "4" /f +``` + +Or Uninstall Print-Services + +```powershell +Uninstall-WindowsFeature Print-Services +``` +
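Review bot: The heading promotion from `####` to `###` for `CVE-2021-1675.py` is a style-only change and is the right call, since it puts the tool section at the same level as the `### Scanning` and `### Mitigation` sections added in the second hunk; while touching this line, the usage fence directly below it could also get a language tag (e.g. ```` ```text ````) for consistency with the `powershell`-tagged fences later in the file.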
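Review bot: The registry command in the Mitigation section has a trailing space inside the value name, `/v "Start "`, so `REG ADD` will create a new value literally named `Start ` instead of overwriting the existing `Start` DWORD of the Spooler service, and the service will start again on the next boot; it should read `REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f`, or, since the block is already tagged `powershell`, the pair of lines can be replaced by the native `Stop-Service Spooler` followed by `Set-Service -Name Spooler -StartupType Disabled` (`Stop-Service` alone does not persist across a reboot). In the Scanning section, "if it returns a value, it's vulnerable" overstates what `rpcdump.py @192.168.1.10 | grep MS-RPRN` shows: a match only means the Print System Remote Protocol interface is reachable, which is equally true of a fully patched host, so suggest rewording to say the host exposes the spooler and should be checked for the patch rather than calling it vulnerable; the same sentence is also a run-on and should be split after "hosts".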