Exploiting Multifunction Printers During A Penetration Test Engagement
During our team’s internal penetration test engagements, we regularly come into contact with multifunction printers that are still using the default administrative login credentials. Obviously, using default credentials is never a good idea and I’d like to show how we can often pivot from these seemingly innocent multifunction devices to ultimately obtain privileged access within a Windows environment.
In addition to the default credentials issue mentioned above, one of the most common mistakes that we observe with MFP devices is that they have been configured to use privileged accounts (such as Domain Administrator) for transmitting scanned documents to network locations. Below is one such example:
In many instances, accessing the masked password is trivial for an adversary and requires only a small modification to the HTML of the page within the web browser.
In this instance, we first needed to locate the correct password input field and change `input type="password"` to `input type="text"`.
The device depicted in this write-up was also configured to use LDAP. So, as the device was used throughout the day, authentication requests were made to internal Windows Active Directory servers. In my experience, organizations rarely utilize LDAP over SSL (LDAPS) to encrypt this traffic and transmit the information securely (https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority). As a result, we can take advantage of this oversight.
To exploit this weakness, we simply need to reconfigure the MFP to use a different IP address for the LDAP server. Obviously, the selected IP address needs to be under our control and listening on port 389 (unsecured LDAP). When the MFP eventually makes an LDAP query, it should transmit the credentials back to us in plaintext.
As seen below, we were able to “catch” the plaintext credentials of the Domain Administrator account when an authentication attempt was made:
In closing, below are some suggestions for mitigating MFP risks:
- Regardless of the type of device, always change the default password to something complex.
- Whatever you change the password to, don’t reuse that password anywhere else.
- Understand the security capabilities that systems offer and utilize them to their fullest potential. For example, if your MFP device supports LDAP over SSL, use it.
- Organizations have gotten better about hardening servers and workstations, yes. But we can’t neglect hardening the other devices on the network either (e.g. printers, scanners, routers, switches, firewalls, etc.). These devices often present unknown, yet significant, risk because they have unnecessary features enabled.
- Be extremely careful with privileged accounts. Domain Administrator-level accounts should never be used on MFPs, workstations, or other lower privileged systems that have a higher likelihood of being compromised.
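One way a defender can find MFPs (or anything else) that are still doing clear-text simple binds against the domain controllers, and whether a privileged account is behind them, is to review Directory Service event 2889 on the DCs (logged once the NTDS diagnostic value "16 LDAP Interface Events" is raised to 2). The script below is an added example, not part of the original write-up: it triages exported 2889 event text offline, grouping clear-text simple binds by client IP and flagging identities that appear in an assumed list of privileged account names. The event samples are constructed, and the reading of "Binding Type: 1" as a clear-text simple bind is stated as an assumption in the code.

```python
import re
from collections import defaultdict

# Account names treated as privileged; an assumption for this example, adjust per environment.
PRIVILEGED = {"administrator", "domain admins"}

# Field labels follow the wording of Directory Service event 2889; assumption: Binding Type 1 is a
# simple bind over clear text, Binding Type 0 is an unsigned SASL bind.
FIELD_RE = re.compile(
    r"Client IP address:\s*(?P<ip>[\d.]+):\d+.*?"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+).*?"
    r"Binding Type:\s*(?P<type>\d)",
    re.S,
)


def event_2889(ip, identity, binding_type):
    """Build the text of one constructed event 2889 entry (sample data, not a real export)."""
    return (
        "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
        "without requesting signing (integrity verification), or performed a simple bind over "
        "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
        f"Client IP address:\n{ip}:49872\n"
        f"Identity the client attempted to authenticate as:\n{identity}\n"
        f"Binding Type:\n{binding_type}"
    )


def parse_event(text):
    """Extract client IP, identity and whether the bind was a clear-text simple bind."""
    m = FIELD_RE.search(text)
    if not m:
        return None
    return {"ip": m["ip"], "identity": m["identity"], "simple_bind": m["type"] == "1"}


def triage(events, privileged=PRIVILEGED):
    """Group clear-text simple binds by client IP; return (ip, identities, privileged_identities)."""
    findings = defaultdict(set)
    for text in events:
        parsed = parse_event(text)
        if parsed and parsed["simple_bind"]:
            findings[parsed["ip"]].add(parsed["identity"])
    report = []
    for ip, identities in sorted(findings.items()):
        # Strip the DOMAIN\ prefix before comparing against the privileged list.
        flagged = {i for i in identities if i.split("\\")[-1].lower() in privileged}
        report.append((ip, sorted(identities), sorted(flagged)))
    return report


# Constructed sample: one MFP binding with two accounts, one workstation doing an unsigned SASL bind.
SAMPLE_EVENTS = [
    event_2889("10.10.20.15", "CORP\\Administrator", 1),
    event_2889("10.10.20.15", "CORP\\svc-scanner", 1),
    event_2889("10.10.30.7", "CORP\\jsmith", 0),
]
```

Running `triage(SAMPLE_EVENTS)` reports the MFP at 10.10.20.15 with both identities and flags CORP\Administrator; the unsigned SASL bind from the workstation is not a clear-text simple bind and is left out.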