InfoSec Answers-Printer Hacking
I was asked a question the other day that made me think this might be a good regular (or somewhat regular) feature on my blog. I am going to attempt an "InfoSec Answers" series where people can ask me a question, and I will answer based on the information available at the time.
Today's question is "Have you heard about people using printer connections to gain access to a network? Is that an advanced hacking secret, or is it pretty standard?"
Great question! The short answer is "Yes, and it is pretty standard", but let's expand on the issue.
Why Printers?
- Printers are often left in their default configuration. That means no password on the management interface (or a default account that is trivially looked up in the vendor manual), every service listening (web admin, telnet, FTP, SNMP with public/private community strings, raw port 9100), and implicit trust of anyone who can reach them on the network. Nobody monitors them, they rarely get patched, and they sit on the same network as the workstations and domain controllers. What it comes down to is that printers are a great pivot point for attackers.
What can you get from a printer?
- Usernames and passwords are the big one. Most printers (at least multi-function printers) can scan to a network share or e-mail, which requires an account to write to that location, and that account's username and password are stored on the printer. Even if scanning is not used, the printer may be configured to bind to Active Directory over LDAP to populate its address book, and the bind account's credentials are stored on the printer too. Anyone who can administer the printer can point those stored credentials at a host they control and capture them.
- Previous print jobs. Many of these devices keep a job history or spooled copies of recent jobs on their internal storage, and the management interface lets you reprint or download them. Some people print pretty sensitive information.
How do attackers pull this off?
- They connect to the insecure printer
- Obtain credentials for AD
- Get access to client PCs
- Grab local hashes
- Pass-the-Hash around
- Locate and impersonate DA account
- Game Over
This may sound a bit difficult to pull off, but in reality it is extremely easy, and can be done pretty fast.
How do you obtain credentials for AD from the printer?
- Start netcat listener on port 389 (nc -lp 389)
- Change LDAP IP Address on printer to attacker IP address
- Trigger LDAP query on printer
At this point, netcat should have captured the bind request. LDAP sends it as BER-encoded binary, so what you see in the terminal is some framing bytes with the bind DN and the password sitting in it in clear text. A few caveats: this only works when the printer is configured for a simple bind over plain LDAP (port 389); if it is set to LDAPS (636) or STARTTLS, all netcat sees is a TLS handshake, and if the printer does an anonymous bind there is no password to catch. Also, binding to port 389 requires root on most systems. Since the account configured on the printer is very often an over-privileged service account (or even a domain admin, because "it just worked" that way), this makes it easy to gain access to other resources.
OK, so how do I protect my printers?
- CHANGE the default/factory passwords. The LDAP and scan-to-share settings can only be redirected by someone who can administer the printer, so the admin password is the first line of defense.
- Limit the access granted to service accounts. Use a dedicated, low-privilege account for the printer's LDAP lookups and scan destinations; it should be able to read the address book and write to one share, nothing more, and certainly not be a domain admin.
- Use LDAPS or STARTTLS for the printer's directory connection where the device supports it, so a simple bind is not sent in clear text.
- Patch the device. Printer firmware has vulnerabilities like any other software, and it is usually years behind.
- Do not expose the printer to the internet.
- Don't assume your printer cannot be compromised. Treat it like any other server: log in to it, review its configuration, and include it in vulnerability scans.
- Use functional isolation. Put printers on their own network segment, allow only the print and scan protocols in from user networks, and restrict the management interfaces (web, telnet, SNMP) to the administrators who need them; keep printers that handle sensitive material reachable only by the users who should be printing to them.
Have an InfoSec question you would like answered? Wonder how attackers do certain things? Leave me a note in the comments and I will look into answering. On Twitter? Follow me @kirkphayes and send a tweet with #InfoSecAnswers and I will use those as well.