Multi-Function Printers for Internal Pen Testing

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #1

    Recently on multiple internal pen tests I have been paying attention to MFP printers. Here is what I have noticed. The MFP printers often have a guest or user access that does not require authentication. In most cases this would not be of much value. However, here are a couple of ideas of things that may be possible on the printers. I have noticed that almost all of them have a SEND TO feature. This can be a network location or email. The configurations often allow you to see the SMTP server and from email address. One potential attack can be to use this internal relay to send phishing emails to gain an additional foothold. For instance, you can send a message that has a link such as \\KALI-IP\share. This method can be used to grab some hashes for offline cracking or relay them for that initial foothold. Of course you would want to mask the URL as another link. I have often found that internal relays also allow you to spoof the sender. Then you can just use your imagination on how to craft the email. Of course these internal relays are often unprotected because they are internal and trusted. Most of the time all you need is the SMTP internal relay address and perhaps a user name. It's all too often that I see these internal relays that do not require authentication.

    The classic attack on printers is changing the SMB/LDAP connection settings and pointing them toward your internal pen test box. It's surprising how often the default password is not changed on these MFPs. This can be good for getting you an NTLM hash that can be relayed to the file server. From there you may find you have access to other file shares. We often STILL find passwords on file shares.

    Those are two of my ideas. How have you been leveraging internal portals for your pen testing?
    Gh0sthax
    Principal Security Engineer
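    The internal relay the post describes (no authentication required, sender spoofing allowed) is a mail-server configuration problem. As an added example that is not from the post or from any vendor documentation, here is the weak pattern beside a hardened one for a Postfix relay; it assumes Postfix with SASL available, an MFP scan-to-email account named "scanner", and a lookup-table path that is only a placeholder.

```ini
# Added example, not the poster's configuration. Assumed: Postfix main.cf on
# the internal relay, SASL available, MFPs log in as the account "scanner".

# --- Weak: the situation described in the post ---
# Every host in the internal range may relay anywhere with any From address;
# no credentials are asked for, so knowing the relay's IP is enough to use it.
mynetworks = 127.0.0.0/8, 10.0.0.0/8
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# --- Hardened ---
# Only loopback is implicitly trusted; every other client must authenticate,
# and only over TLS so the scan account's password is not readable on the wire.
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# Bind each envelope sender to the login that owns it. A client logged in as
# "scanner" may send only as scanner@example.internal, which stops the
# spoofed-sender phishing the post mentions; a client that is not logged in
# may not use any owned address at all.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login   # placeholder path
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    reject_unknown_sender_domain

# If this relay only takes submissions from internal devices and never
# receives inbound MX traffic, refuse unauthenticated clients outright.
smtpd_client_restrictions = permit_sasl_authenticated, reject

# Contents of /etc/postfix/sender_login (run postmap on it after editing):
#   scanner@example.internal   scanner
```

    The map key is the MAIL FROM address and the value is the SASL login that owns it, so any From address the MFP is not entitled to use is rejected at the relay rather than delivered.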

  • #2
    Good comments here Gh0stHax, and they make me think more and more how it's probably a good idea to always run smbserver.py whenever you're "idle" in an engagement, don't you think? Since so much SMB traffic flies around the network from various scans/shares/etc., it never hurts to be ready to catch some creds.

    Also, what's your fav way to identify MFPs? Is WitnessMe/Eyewitness/etc. your go-to?
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant

  • #3
    I am sold on WitnessMe for now. I love the interface and the reports. And yes, I love to just leave smbserver.py running overnight. One of my favorites is having the scanning account like Nessus or Rapid 7 scanner come by and scan me. Those creds always have administrator level permissions. In fact, a lot of the time we see them as Domain Admin. Yes, please.

    Gh0sthax
    Principal Security Engineer
