Recently on multiple internal pen tests I have been paying attention to MFP printers. Here is what I have noticed. The MFP printers often have a guest or user access that does not require authentication. In most cases this would not be of much value. However, here are a couple of ideas of things that may be possible on the printers. I have noticed that almost all of them have a SEND TO feature. This can be a network location or email. The configurations often allow you to see the SMTP server and from email address. One potential attack can be to use this internal relay to send phishing emails to gain an additional foothold. For instance, you can send a message that has a link such as \\KALI-IP\share. This method can be used to grab some hashes for offline cracking or relay them for that initial foothold. Of course you would want to mask the URL as another link. I have often found that internal relays also allow you to spoof the sender. Then you can just use your imagination on how to craft the email. Of course these internal relays are often unprotected because they are internal and trusted. Most of the time all you need is the SMTP internal relay address and perhaps a user name. It's all too often that I see these internal relays that do not require authentication.
The classic attack on printers is changing the SMB/LDAP connection settings and pointing them toward your internal pen test box. It's surprising how often the default password is not changed on these MFPs. This can be good for getting you an NTLM hash that can be relayed to the file server. From there you may find you have access to other file shares. We often STILL find passwords on file shares.
Those are two of my ideas. How have you been leveraging internal portals for your pen testing?
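The two weaknesses the post describes (an internal relay that accepts unauthenticated mail with any sender, and a scan-to-email message carrying a UNC or file:// link dressed up as a normal URL) both have cheap defensive checks. The script below is an added example, not code from the post's author: a relay policy that only lets an unauthenticated device send as the one address registered for its IP, and a mail-gateway scan that flags UNC/file:// links and anchors whose visible text disagrees with their real target. The device allowlist, the `corp.example` domain, the IP addresses and the HTML message body are all constructed for the example.

```python
"""Mail-relay audit helpers (added example; not from the original post).

  relay_decision()  - refuses unauthenticated relay unless the client IP is a
                      registered device using its own registered sender, so a
                      printer's relay cannot be borrowed to spoof other users.
  find_unc_lures()  - flags message bodies whose links point at a UNC or
                      file:// path, or whose link text disagrees with the href.

All IPs, hostnames and the sample message are constructed for this example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: device IP -> the only envelope sender it may use.
DEVICE_SENDERS = {
    "10.20.30.40": "mfp-lobby@corp.example",
    "10.20.30.41": "mfp-finance@corp.example",
}


def relay_decision(client_ip: str, authenticated: bool, mail_from: str) -> tuple:
    """Return (accept, reason) for one relay request at the internal SMTP server."""
    try:
        ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    if authenticated:
        return True, "authenticated submission"
    expected = DEVICE_SENDERS.get(client_ip)
    if expected is None:
        return False, "unauthenticated relay from unlisted host"
    if mail_from.strip().lower() != expected:
        return False, "device tried to send as an address it is not registered for"
    return True, "registered device sender"


# \\host\share style paths and file:// URLs, which a mail client may hand to SMB.
UNC_RE = re.compile(r"(?:\\\\[\w.-]+\\[^\s<>]+|file://\S+)", re.IGNORECASE)
# Link text that looks like a URL or hostname, so a mismatch with the href is meaningful.
TEXTURL_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)


def _host(url: str) -> str:
    """Hostname of a URL; bare hostnames are treated as http:// URLs."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and all plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def find_unc_lures(body: str) -> list:
    """Return (kind, target, visible_text) findings for an HTML message body."""
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        if UNC_RE.search(href):
            findings.append(("unc_href", href, text))
        elif TEXTURL_RE.match(text) and _host(href) != _host(text):
            findings.append(("mismatch", href, text))
    for unc in UNC_RE.findall("\n".join(parser.text)):
        findings.append(("unc_text", unc, ""))
    return findings


# Constructed scan-to-email message: a file:// link hidden behind an intranet URL
# and a bare UNC path in the text.
SAMPLE_BODY = (
    "<p>Scanned document from MFP-LOBBY.</p>"
    '<p><a href="file://10.66.6.6/scans/doc.pdf">'
    "https://intranet.corp.example/scans/doc.pdf</a></p>"
    "<p>Or open \\\\10.66.6.6\\scans directly.</p>"
    '<p><a href="https://intranet.corp.example/help">help</a></p>'
)

if __name__ == "__main__":
    print(relay_decision("10.20.30.40", False, "ceo@corp.example"))
    for finding in find_unc_lures(SAMPLE_BODY):
        print(finding)
```

The relay policy is the part worth wiring into the real server (Postfix's `smtpd_sender_login_maps` or the equivalent per-device restriction on other MTAs does the same job); the lure scan is a cheap gateway rule that catches the `\\host\share` pattern whether or not the link text has been disguised.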