Monthly archive: December 2013

Misuse Utilman.exe on Windows systems and obtain NT Authority rights

Most Windows systems (Vista, Windows 7, Windows 8 etc.) allow you to access the Utilman.exe “Ease of Access” application on the login page. As the end-user has not yet logged in, Windows will start this application using NT Authority rights.

So if you are able to boot a Windows machine with, for example, a Kali image and no drive encryption is applied, you can easily replace Utilman.exe with cmd.exe or your own payload and have it run with NT Authority rights by clicking on the Ease of Access icon on the logon page.

Want to know how? Just follow the steps below:

1. Boot your Windows machine with, for example, Kali or any other Live CD.

2. Browse to the Windows System32 folder of your Windows machine and locate Utilman.exe


3. Rename the original Utilman.exe to, for example, Utilman-old.exe


4. Browse to the Windows System32 folder of your Windows machine and locate CMD.exe


5. Make a copy of CMD.exe and rename it to Utilman.exe


6. Boot your Windows machine as normal.

7. Click on the Ease of Access button and check out the Command Prompt.
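
A defensive check for the replacement described in steps 3 and 5, as an added example that is not part of the original post: it inspects a System32 folder (for instance on a disk image mounted read-only) and reports whether Utilman.exe is a byte-for-byte copy of cmd.exe or a renamed original sits next to it. The function name `audit_utilman` and the optional known-good hash parameter are assumptions of this example.

```python
import hashlib
from pathlib import Path
from typing import List, Optional


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_utilman(system32: str, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return findings for a System32 folder, e.g. from a mounted offline disk."""
    # Match names case-insensitively: NTFS mounted on Linux lists names case-sensitively.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    utilman, cmd = files.get("utilman.exe"), files.get("cmd.exe")
    if utilman is None:
        return ["utilman.exe is missing"]

    findings = []
    utilman_hash = sha256(utilman)
    # Step 5 of the post: Utilman.exe is a byte-for-byte copy of cmd.exe.
    if cmd is not None and utilman_hash == sha256(cmd):
        findings.append("utilman.exe is identical to cmd.exe")
    # Any other replacement only shows up against a trusted baseline hash
    # (assumption: the caller took it from a clean build of the same Windows version).
    if known_good_sha256 and utilman_hash != known_good_sha256.lower():
        findings.append("utilman.exe does not match the known-good hash")
    # Step 3 of the post: the original is left behind under a new name.
    for name in sorted(files):
        if name.startswith("utilman") and name.endswith(".exe") and name != "utilman.exe":
            findings.append(f"renamed copy present: {files[name].name}")
    return findings


if __name__ == "__main__":
    import sys
    baseline = sys.argv[2] if len(sys.argv) > 2 else None
    for finding in audit_utilman(sys.argv[1], baseline):
        print("FINDING:", finding)
```

An empty result only means none of these three checks fired; a replacement that differs from cmd.exe is caught only when a baseline hash is supplied.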


Capture and re-print print-jobs on your network

Recently I was asked to audit a network printer environment to find out if it was possible to capture and re-print print-jobs of other network users.

This was actually easier than I thought.

Check out the steps below:

In this example the following IPs are used:

Victim's Windows Desktop:
Central Printer server       :
Network Printer                 :
Attacker Kali Laptop         :

Scenario: a victim Windows Desktop user submits a print-job to a central printer server. The victim walks to the nearest network printer and uses a personal code or RFID card to identify him or herself on the printer. The printer gets the pending print-jobs from the central printer server and starts printing them.

In order to capture the submitted print-job you can do one of the following:

  1. Perform an ARP-spoof attack between the victim's desktop and the central print server so that traffic directed to the central print server gets intercepted by your machine.
  2. Perform an ARP-spoof attack between the central print server and the network printer so that traffic directed to the printer gets intercepted by your machine.
  3. Place a small managed switch between the network printer's UTP cable connection and the UTP wall socket and create a SPAN port.

Step 1: Capture print-jobs

During my test I chose option three. Whatever you choose, the aim is to capture the raw print-job packets that are sent to either the print server or the network printer.

Once you have captured the packets, open them with Wireshark:


Step 2: Create a Wireshark filter

In order to filter out the traffic you are looking for, you must create a Wireshark filter. In my case this was the following:

ip.addr == && ip.addr == && tcp.port == 9100

= the central printer server
= the local network printer
9100 = printer port used

When you apply the filter you should get something like this:


Step 3: Follow the TCP stream to obtain the raw packets

Now that you have filtered the interesting traffic, it is time to select any TCP session entry, right-click on it and select the “Follow TCP Stream” option. Once this is done you will see that all TCP packets related to one print-job are combined together.

This will look like this: (notice the print and user information)


Step 4: Export the captured data

Once you have combined all TCP packets it is time to export the information to a new .pcap file. You do this by selecting all traffic between the two selected sources from the dropdown menu, selecting Raw and clicking on Save As.


Step 5: Print the captured print-job to your own printer

Now that you have a raw packet file containing a print-job you are ready to replay or resend this information to your own network printer. In my case I used netcat on Kali for this.


Step 6: Walk to your printer and collect your treasure


If you don’t want to send the captured data to a network printer, you can also convert it to PDF format using a PCL converter program.

Want to know how? Read the easy steps below:

1.  Download and install “VeryPDF PCL Converter” which is available in a free trial version;

2.  Open the PCL Converter tool, import the captured RAW data and select the output destination;

3. Click start and a PDF file will be opened.