Backdoor entry or pentest of network printers and MFPs

Introduction

In this article we will look at the analysis of network printers/MFPs in a company. Each of you has probably noticed that these devices stand in almost every office and on every floor (the latter is more dangerous, since anyone can reach them: a company employee, an external guest or a contractor).

Many companies do not take the necessary steps to configure these devices before deployment, and such hosts can become a vulnerable link in the perimeter of the information system.

This article is presented for educational purposes only. Red Team community “GISCYBERTEAM” is not responsible for any consequences of its use by third parties.

Access

Let's proceed to the first stage of compromising our devices – direct access to the administrative panel. We can get there in two ways:

  • Through the wireless access point on the printer (if it is part of the device's functionality), from outside or inside the company perimeter.

  • Via direct connection to the printer over twisted pair.

Via direct connection to the printer via twisted pair

This option is faster because it requires no password to get into the same subnet as the printer.

We simply connect via twisted pair and access the web application interface.

Via wireless access point

It's no secret that all manufacturers set standard passwords for the components of the devices they produce, and for the wireless access points on the printers themselves each manufacturer has its own passphrase. For example, many manufacturers, such as HP and Pantum, use 12345678.

If the standard passwords do not work, you can try your luck and intercept the handshake using Airgeddon.

Example of running a handshake capture

After intercepting the handshake, try to recover the password using Aircrack-ng with purpose-built (via crunch) or well-known dictionaries.

Let's imagine that we received a task from the Customer to test their infrastructure without access to the site. As it turns out, many printers with Wi-Fi Direct enabled are located in offices on the border of the controlled area, and we can reach them without entering the Customer's perimeter.

Let's launch Airgeddon while standing on the street and do the following:

Switching the interface to monitor mode

Menu of tools for working with handshake/PMKID

Finding a target

Successful handshake capture

Path to cap file

Password selection

Well… as you can see, we have obtained the Wi-Fi Direct password of our network printer, and we can easily connect to it and open the web interface of the admin panel.

Bypass weak password policies

Access to the settings of most MFPs is provided through the web interface.

Example of a login page

By default, these authorization forms use standard logins and passwords, and in most cases these passwords are not replaced with stronger ones (more than 10 characters, upper and lower case, special characters) before the device is put into operation.

Below are logins and passwords from the most common MFP manufacturers:

More information about the logins and passwords for a specific model can be found in the electronic manuals on the Internet.

If the standard accounts do not work, we can brute-force the password via Burp Suite Professional using pre-generated dictionaries.

Brute force administrator password

Collection of sensitive information

After gaining access to the admin panel and analyzing the configuration of our printers/MFPs, it is possible to identify the addresses of SMB shares and of FTP servers that allow anonymous login.

Compromising Credentials via LDAP Configuration

As part of this attack, we will consider another MFP, a Konica Minolta Bizhub C224, which can be connected to an LDAP server.

Domain controller with the created domain accounts

Before starting the attack, let's deploy the organization's domain controller and create the domain accounts share_printer and Ivanov_I on it.

So, we have an AD server at 192.168.1.114 and the printer at 192.168.1.11. According to the legend, we have already gained access to the MFP web interface using one of the methods described above, so we can now begin the attack…

Compromising an account to connect to an LDAP server

Let's go to the LDAP server integration settings (Network -> LDAP Settings -> Setting UP LDAP) and check the connection.

LDAP server integration configuration

Successful verification of connection to the LDAP server

The settings for this profile look like this:

GISCYBERTEAM profile settings

Replace the original IP address with ours, 192.168.1.52, where we will deploy the fake LDAP server.

Changed GISCYBERTEAM profile settings

Let's run Metasploit Framework on our host and select the LDAP service emulation module, which collects authentication information from a client attempting to authenticate to the LDAP service.

┌──(gorillahacker㉿GORILLAHACKER)-[~]
└─$ msfconsole

Metasploit Documentation: https://docs.metasploit.com/

msf6 > auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > set srvhost 192.168.1.52
srvhost => 192.168.1.52
msf6 auxiliary(server/capture/ldap) > run
[*] Server started.

The result of intercepting the login and password for connecting to the LDAP server

As you can see, we managed to obtain the password of the service account share_printer.

Compromise of a user account using LDAP authentication

Let's analyze our MFP a little further: in the section User Auth/Account Track -> External Server Settings -> External Server Settings we find an entry that allows the user Ivanov_I to authenticate via LDAP.

Recording an LDAP connection

We will also replace the original IP address with the fake address 192.168.1.52 and wait for the user to log in through the web interface of our administrative panel.

Connecting user Ivanov_I via LDAP

As you can see below, we successfully intercepted our user's credentials.

The result of intercepting a user's login and password for authorization via LDAP

Compromise of mail account via SMTP configuration

Let's return to our Pantum M6550NW printer and open its settings for connecting to the SMTP server.

As we can see, authorization on this server is already configured on our printer, but unfortunately we cannot view the password, since it is hidden from us.

But let's try to find it out. To do this, perform the following steps:

  • Change the SMTP server address to ours – 192.168.223.101.

  • Send a test message to our address.

As you can see, our password showed up in one of the intercepted fields (although not in the right place =)).

Thus we compromised a mail account, and in the future we can use it for:

  • compromise of the network (if it is still possible to connect);

  • enriching our vocabulary for brute force and spraying;

  • examining all letters in a given mailbox for compromise of infrastructure assets.
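Both the LDAP and the SMTP compromise above work the same way: the MFP stores a real account and sends it to whatever server address is in its profile, so the defensive check is to compare each device's configured servers against the organization's own and to require TLS on both. The audit below is an added example (not the article's or any vendor's code); the real domain controller 192.168.1.114 and the redirected address 192.168.1.52 come from the article, while the mail relay address and the device records are constructed assumptions.

```python
# Added audit example: flags the settings this article exploits, i.e. default
# or weak passwords and LDAP/SMTP profiles redirected to a non-authorized host.
from dataclasses import dataclass
from typing import List, Optional

AUTHORIZED_LDAP = {"192.168.1.114"}   # the lab's real domain controller
AUTHORIZED_SMTP = {"192.168.1.25"}    # assumed mail relay (not from the article)
DEFAULT_SECRETS = {"", "admin", "1234", "12345678", "password"}  # 12345678: HP/Pantum Wi-Fi Direct

@dataclass
class PrinterConfig:
    name: str
    admin_password: str
    wifi_direct: bool = False
    wifi_passphrase: str = ""
    ldap_server: Optional[str] = None
    ldap_tls: bool = False
    smtp_server: Optional[str] = None
    smtp_tls: bool = False

def is_strong(pw: str) -> bool:
    # The article's bar: more than 10 characters, upper and lower case, special characters.
    return (len(pw) > 10 and any(c.isupper() for c in pw) and
            any(c.islower() for c in pw) and any(not c.isalnum() for c in pw))

def audit(cfg: PrinterConfig) -> List[str]:
    # Returns finding codes; an empty list means the device passes the policy.
    findings = []
    if cfg.admin_password in DEFAULT_SECRETS or not is_strong(cfg.admin_password):
        findings.append("weak-admin-password")
    if cfg.wifi_direct and cfg.wifi_passphrase in DEFAULT_SECRETS:
        findings.append("default-wifi-direct-passphrase")
    for proto, server, tls, allowed in (("ldap", cfg.ldap_server, cfg.ldap_tls, AUTHORIZED_LDAP),
                                        ("smtp", cfg.smtp_server, cfg.smtp_tls, AUTHORIZED_SMTP)):
        if server is None:
            continue
        if server not in allowed:   # the stored account would be sent to a foreign host
            findings.append(f"{proto}-server-redirected:{server}")
        if not tls:                 # simple bind / AUTH LOGIN would cross the wire in clear
            findings.append(f"{proto}-without-tls")
    return findings

# Constructed samples: the Bizhub after its LDAP address was changed to 192.168.1.52,
# and a device configured to the article's recommendations.
TAMPERED_BIZHUB = PrinterConfig("bizhub-c224", "12345678", ldap_server="192.168.1.52")
HARDENED = PrinterConfig("mfp-floor3", "Pr1nt!Room-2024x", ldap_server="192.168.1.114",
                         ldap_tls=True, smtp_server="192.168.1.25", smtp_tls=True)

if __name__ == "__main__":
    for dev in (TAMPERED_BIZHUB, HARDENED):
        print(dev.name, audit(dev) or "OK")
```

Run periodically against exported device configurations (or a fleet-management inventory), a non-empty result for a device whose profile was previously clean is the signal that someone has pointed it at a foreign server.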

Conclusion

In this article, we looked at ways of compromising printers and MFPs, as well as possible attack vectors against these devices. The information obtained in the course of this activity can be used to further compromise the infrastructure under test.

Subscribe to our Telegram channel https://t.me/giscyberteam
