From 2f4b1def9478fb2e496453590f36d50c961d865e Mon Sep 17 00:00:00 2001
From: cube0x0 <vidfelt@protonmail.com>
Date: Wed, 30 Jun 2021 13:05:18 +0200
Subject: [PATCH] updated readme

Signed-off-by: cube0x0 <vidfelt@protonmail.com>
---
 README.md | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7912e74..37dec6b 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ cd impacket
 python3 ./setup.py install
 ```
 
-#### CVE-2021-1675.py
+### CVE-2021-1675.py
 
 ```
 usage: CVE-2021-1675.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share
@@ -84,3 +84,28 @@ REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_
 # Reboot
 ```
 
+### Scanning
+
+We can use `rpcdump.py` from impacket to scan for vulnerable hosts, if it returns a value, it's vulnerable 
+
+```
+rpcdump.py @192.168.1.10 | grep MS-RPRN
+
+Protocol: [MS-RPRN]: Print System Remote Protocol
+```
+
+### Mitigation
+
+Disable Spooler service
+
+```powershell
+Stop-Service Spooler
+REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start " /t REG_DWORD /d "4" /f
+```
+
+Or Uninstall Print-Services
+
+```powershell
+Uninstall-WindowsFeature Print-Services
+```
+