Most networks have become harder to breach thanks to increasingly converged security operations; however, one gap has never moved at the same pace: configuration management, which remains a weak point on most networks. Some of the most commonly misconfigured devices on any network, often still running default configurations, include:
- Downstream switches
- Routers
- Printers
- Scanners, etc.
Today we look at the enablers that let attackers win against your secure networks with very little effort. The root of the problem is the use of default credentials on most of these support/downstream devices, since they are seen as auxiliary and low risk. Today we focus on printers.
Advancements
Initially most printers were fairly rudimentary, which made them hard to truly exploit and leverage in this context; most worked in a standalone fashion, but this has changed a lot. Most printers nowadays come with 3-in-1 functionality:
- Printing
- Scanning
- Faxing
This introduces a wider attack surface for the following reasons:
- The need for an administrative interface to manage this multi-faceted functionality
- They are networked
- The ability to log in to other networked devices
Printers are not super computing devices; therefore, for the third capability, storing credentials to allow automated login to connected devices, they use encryption that doesn't consume a lot of computing resources.
Attack Process
The attack process against these advancements is quite simple; we will use a Kyocera case to showcase it:
- Log in to the admin interface
- Scan Self In
- Print Password Out
Login Admin
System admins are known for priority paralysis, and most of the time "unimportant" items/devices go unattended; printers are at the top of that list. As long as there is no printer connectivity issue, the printer is usually unmanned, leaving an unguarded gate open. For an attacker, the step at this point is to find the printer version through a scan and then search for the default credentials and the default administrative URL.
Scan Self In
The next step is that an attacker scours the printer's configuration to identify whether the scan-to-folder functionality is enabled. This is supported by the address book functionality, which allows configuration of SMB credentials. The issue here is that most networks are based on an Active Directory environment; the system admin configuring a folder would not know every machine's password, which pushes them to configure a single account with super user (Domain Admin) privileges that can log in to all machines in the address book for the purpose of scanning to folder.
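The pattern described above, one privileged account stored against every scan-to-folder destination, is something a defender can check for in an address book export. The following is an added audit example, not code from the original post or from the Kyocera utility; the CSV layout, field names and the privileged-account list are constructed stand-ins, not the real KNET Viewer export format.

```python
import csv
import io
from collections import Counter

# Constructed sample: a simplified CSV stand-in for an address book export.
# This is NOT the real KNET Viewer format; field names are assumptions.
# The password column only shows that a credential is stored, not its value.
SAMPLE_EXPORT = """name,smb_host,smb_path,smb_user,smb_password
Finance,fin-pc01,scans,CORP\\svc-scan,<encrypted>
HR,hr-pc02,scans,CORP\\svc-scan,<encrypted>
Legal,legal-pc03,scans,CORP\\jdoe,<encrypted>
Lobby,,,,
"""

# Constructed list of accounts holding elevated rights (assumption: maintained
# by the admin from AD group membership such as Domain Admins).
PRIVILEGED_ACCOUNTS = {"CORP\\svc-scan"}


def audit_address_book(export_text, privileged):
    """Report which SMB accounts an address book stores and flag risky ones.

    Two smells are reported: a stored account that is privileged (a printer
    holding Domain Admin credentials), and one account reused across many
    destinations (the single-account shortcut the post describes).
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    with_creds = [r for r in rows if r["smb_user"] and r["smb_password"]]
    usage = Counter(r["smb_user"] for r in with_creds)
    findings = []
    for user, count in usage.items():
        if user in privileged:
            findings.append(f"privileged account {user} stored in {count} entries")
        if count > 1:
            findings.append(f"account {user} reused across {count} destinations")
    return {
        "entries": len(rows),
        "with_credentials": len(with_creds),
        "accounts": dict(usage),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in audit_address_book(SAMPLE_EXPORT, PRIVILEGED_ACCOUNTS)["findings"]:
        print(line)
```

A clean result is a dedicated, low-privilege scan account with write-only access to a single scan share, so that a recovered address book password gives up nothing beyond that share.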
To view the configuration, it is possible to export it via the print utility KNET Viewer; below is a sample exported address book.
Password encrypted; Attack thwarted or No?
Print Password Out
As mentioned earlier, printers don't have high computational power; they therefore utilise weaker algorithms that require less intensive computing power. In our particular case there are two enablers:
- Symmetric Key
- Weak encryption algorithm, i.e. DES
- Key reuse across multiple models
We will cover key retrieval in a separate article; however, a simple automation of decrypting the passwords with the key in hand is as below:
This would give you access to one of the following:
- Local Admin
- Domain Admin
The code can be found here in the event one wants to understand the inner workings of the utility.
Summary
The summarised attack workflow is as below:
The GitHub repo for this attack is available here.
2 replies on “Printing Domain Passwords”
Good stuff!
Thank You