From Printer To Pwnd

Video thumbnail (Frame 0) Video thumbnail (Frame 3494) Video thumbnail (Frame 6395) Video thumbnail (Frame 8150) Video thumbnail (Frame 12449) Video thumbnail (Frame 13896) Video thumbnail (Frame 15427) Video thumbnail (Frame 16508) Video thumbnail (Frame 17308) Video thumbnail (Frame 19486) Video thumbnail (Frame 20966) Video thumbnail (Frame 27114) Video thumbnail (Frame 28651) Video thumbnail (Frame 29673) Video thumbnail (Frame 30504) Video thumbnail (Frame 31634) Video thumbnail (Frame 32758) Video thumbnail (Frame 33876) Video thumbnail (Frame 35147) Video thumbnail (Frame 36630) Video thumbnail (Frame 38836) Video thumbnail (Frame 40160) Video thumbnail (Frame 41569) Video thumbnail (Frame 42701) Video thumbnail (Frame 43899) Video thumbnail (Frame 44873) Video thumbnail (Frame 45843) Video thumbnail (Frame 47293) Video thumbnail (Frame 49812) Video thumbnail (Frame 50786) Video thumbnail (Frame 53837) Video thumbnail (Frame 59915)
Video in TIB AV-Portal: From Printer To Pwnd

Formal Metadata

Title
From Printer To Pwnd
Subtitle
Leverage Multifunction Printers During Penetration Testing
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
In this presentation we go beyond the common printer issues and focus on harvesting data from multifunction printer (MFP) that can be leveraged to gain access to other core network systems. By taking advantage of poor printer security and vulnerabilities during penetration testing we are able to harvest a wealth of information from MFP devices including usernames, email addresses, and authentication information including SMB, Email, LDAP passwords. Leveraging this information we have successful gained administrative access into core systems including email servers, file servers and Active directory domains on multiple occasions. We will also explore MFP device vulnerabilities including authentication bypass, information leakage flaws. Tying this altogether we will discuss the development of an automated process for harvesting the information from MFP devices with the updated release of our tool 'PRAEDA'. Deral Heiland CISSP, serves as a Senior Security Engineer where he is responsible for security assessments, and consulting for corporations and government agencies. In addition, Deral is the founder of Layered Defense Research a group of security professionals responsible for discovering and publishing multiple vulnerabilities. Deral is also co-founder and president of Ohio Information Security Forum a not for profit organization that focuses on information security training and education. Deral has also presented at numerous conferences including ShmooCon, DEF CON, AFCEA InfoTech, Ohio Digital Government Summit , University of Wisconsin lockdown conference and has also been a guest lecturer at the Airforce Institute of Technology (AFIT). Deral has over 18 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst where he was responsible for delivering security guidance and leadership in the area of risk and vulnerability management for a global Fortune 500 manufacturer.

Related Material

Video is accompanying material for the following resource
Area Slide rule Presentation of a group Functional (mathematics) Software developer Multiplication sign Software testing Software testing Information security Information security
Email Functional (mathematics) Server (computing) Service (economics) Computer file Multiplication sign Predicate transformer semantics Port scanner Login Latent heat Multiplication Sanitary sewer Physical system Authentication User interface Area Email Information Computer file Datei-Server File Transfer Protocol Function (mathematics) Computer data logging Backup Point cloud Configuration space Moving average Remote procedure call Window Address space
Slide rule Default (computer science) Patch (Unix) Patch (Unix) Authentication Electronic mailing list Password Set (mathematics) Euler angles Software bug Power (physics) File Transfer Protocol Data management Integrated development environment Function (mathematics) Password Factory (trading post) Self-organization Moving average Information security Information security Multiplication Vulnerability (computing) Physical system
Point (geometry) Meta element Functional (mathematics) Presentation of a group 1 (number) Coma Berenices Emulation Internetworking Cloning Proxy server Information security Multiplication Physical system User interface Default (computer science) Touchscreen Information Latin square Directory service Avatar (2009 film) Type theory Message passing Uniform resource locator Vector space Integrated development environment Function (mathematics) Password Factory (trading post) System programming Backup Right angle
Authentication Web page Default (computer science) Proxy server Computer file Authentication Mean free path Login Uniform resource locator Function (mathematics) Password Configuration space Information security Proxy server Multiplication Form (programming) Form (programming)
Web page Authentication Proxy server System administrator Letterpress printing Port scanner Cartesian coordinate system Number Process (computing) Moment of inertia Software Set (mathematics) Configuration space Software testing Office suite Information security Proxy server Data management Address space
Authentication Proxy server Password Maxima and minima Price index Mereology Shareware
Web page Configuration space Address space
Area Point (geometry) Default (computer science) Email Dot product Proxy server Information Server (computing) Web page Open source Code Mean free path Set (mathematics) Field (computer science) Social engineering (security) Category of being Personal digital assistant Function (mathematics) Password Information Information security Multiplication
Noise (electronics) Touchscreen Open source Sine Mountain pass System administrator Simultaneous localization and mapping Set (mathematics) Web browser Dynamic random-access memory Personal digital assistant Password Hill differential equation Right angle Information Game theory Uniform boundedness principle Data type
System administrator Multiplication sign Workstation <Musikinstrument> Port scanner Set (mathematics) Different (Kate Ryan album) Cuboid Cloning Backup Extension (kinesiology) Information security Physical system Email Computer-generated imagery Web page Mean free path Product (business) Type theory Process (computing) Hash function Configuration space Energy level Point (geometry) Web page Functional (mathematics) Computer file Computer-generated imagery Virtual machine Canonical ensemble Smith chart Number Product (business) Configuration space Gamma function Communications protocol Address space Self-organization Authentication Home page Dot product Information Forcing (mathematics) Model theory Datei-Server Uniform resource locator Software Integrated development environment Query language Personal digital assistant Function (mathematics) Password Backup HTTP cookie Force Extension (kinesiology) Address space Cloning
Web page Email Keyboard shortcut Service (economics) Computer file Information Computer-generated imagery Source code Password File Transfer Protocol Data management Category of being Process (computing) Password Connectivity (graph theory) Configuration space Backup Energy level Backup Configuration space Message passing Data type
Computer file Password Cloning Set (mathematics) Data conversion Function (mathematics) Cloning
Game controller Computer file
Email Module (mathematics) File format Line (geometry) Multiplication sign Translation (relic) Complete metric space Electronic signature Type theory Internet forum Internetworking Personal digital assistant Revision control Process (computing) Aerodynamics Scheduling (computing) Cloning Data type
Email Directory service Complete metric space Stack (abstract data type) Electronic signature Error message String (computer science) Revision control Process (computing) Scheduling (computing) Physical system Cloning Default (computer science)
Meta element Server (computing) Direction (geometry) Kerberos <Kryptologie> Password Domain-specific language Number Error message String (computer science) Password Configuration space Holographic data storage Communications protocol Volume Information security Physical system Default (computer science) Data type Cloning
Point (geometry) Email Key (cryptography) Mountain pass Multiplication sign Database Mereology Type theory Mechanism design Process (computing) Hash function Personal digital assistant Function (mathematics) Password Encryption Cloning Multiplication Form (programming)
Authentication Area Server (computing) Distribution (mathematics) Service (economics) Mountain pass Mean free path IP address Number Message passing Function (mathematics) Configuration space Software testing Multiplication
Web page Server (computing) Distribution (mathematics) Touchscreen Mountain pass Server (computing) Authentication Password Set (mathematics) Client (computing) IP address Shareware Field (computer science) Type theory Number Macro (computer science) Series (mathematics) Password Configuration space Software testing Vacuum Address space Data type
Authentication Filter <Stochastik> Area Distribution (mathematics) Server (computing) Computer-generated imagery Mountain pass Computer-generated imagery Limit (category theory) Client (computing) Control flow Density of states IP address Number Type theory Kerberos <Kryptologie> Configuration space Software testing Right angle output
Mountain pass Videoconferencing Shareware
Web page Default (computer science) Execution unit Server (computing) Radio-frequency identification Password System administrator MIDI Configuration space Set (mathematics) Right angle
Authentication Area Distribution (mathematics) Server (computing) Content (media) Bit Web browser Mereology IP address 2 (number) Connected space Type theory Password Configuration space Computer-assisted translation Proxy server
Email Distribution (mathematics) Server (computing) Message passing Password MIDI
Module (mathematics) Beta function Computer file Latin square Mereology Login Web 2.0 Revision control Different (Kate Ryan album) Information Pressure Physical system Vulnerability (computing) User interface Module (mathematics) Building Model theory Latin square Electronic mailing list Type theory Integrated development environment Password Interface (computing) Automation Booting
Web page Server (computing) Computer file Code Multiplication sign Electronic mailing list Function (mathematics) Mereology Virtual memory Field (computer science) Cartesian coordinate system Number Usability Sequence Latent heat Human migration Blog Computer configuration Different (Kate Ryan album) Core dump Logic Query language Encryption Computer worm Software testing Data structure Series (mathematics) Fingerprint Physical system Module (mathematics) Matching (graph theory) Information Validity (statistics) Tape drive Web page Projective plane Model theory Electronic mailing list Computer network Sequence Type theory Software Password Backup Data logger Automation
Default (computer science) Centralizer and normalizer Software developer Weight Password Software 1 (number) output Solid geometry Right angle Information security
so let's go ahead and get started my presentation from printed upon leveraging multifunction printers during penetration testing a little bit about
myself my name is Darrell Highland also go by the handle or a % x I live from in a dayton ohio area I've been an IT for about 18 years 10 of those insecurities and three of those as a pen tester I remember the Foose of the nest team you guys are pretty sad okay I've been this is my third time speaking to Def Con and this is always fun always have a ball being here so let's go ahead and get started I do have a guy showing up with a 50 foot because I don't know if anyone see me speak before but tether me on a five foot rope can be dangerous so the agenda for days Perez presentation is multifunction printer features we're going to quickly go over some of the features and functions you typically see in multifunction printers that we want to attack or steal information from second we have a single one slide on multifunction printer security from there we're going to go to attacking multifunction printer devices and leveraging those attacks during penetration testing and at the end we'll go ahead and conclude with development of automated Harbor see tool Edward just enough to move back and forth okay I guess we get started again so let's go ahead and move into this let's
start off by talking about multifunction printer features up don't like that
happening there we go okay I don't know
how many people have actually logged on to the web interface on a multifunction printer but that's generally what we're going to be talking about today and there's a wealth of features and functions that can be pulled information can be pulled out of that an example here is scan the file functionality the ability to walk up to that multifunction printer and scan data or scan something and actually have it store it on a Microsoft file server on a ftp server also scan to email ability scan stuff and have it go out an email so these have to be able to integrate into those services smtp server SME authentication on to windows devices such stuff like that also one big one is ldap authentication to be able to go up to a device authenticate yourself to that printer and then have that printer give you specific features or functions associated directly with you also system logs a lot of us overlook what kind of information exists in system logs on these device and it could be a wealth of information an example would be color printers a lot of times have chargeback functions so they have to be able to log who's actually used in the printer so a lot of times it'll log user names that can be stripped off these printers and used and of course remote functionality with the new cloud concepts coming out there we're seeing more and more stuff roll into this area so that's an interesting one and of course backup and cloning the ability to back up the entire configuration on the device so if an attacker can pull the backup and cloning information and then strip it apart offline he can pull that information in one fell swoop so the
next thing I want to get into is multifunction printer security so we have one slide four steps to
security failure on multifunction device pretty straightforward what do we do we roll these things then we power them up we integrate these into the business system so they connect to our smtp they connect to our Microsoft Active Directory environment that connect to ftp servers and then the third thing what do we do we set no passwords on these or we leave them at the factory default password settings so I have a question for you so we can qualify there so quantify this how many people in here their company requires you to set a complex password on all Monte multifunction printers that are deployed within your organization so raise your hands so everyone else look around the room that's probably the typical amount that I see nobody is doing this and of course the last one on this list is no patch management so if there is a bug or vulnerability that exists in these printers we're not putting patches on these to fix those problems so let's roll into the fun stuff attacking
multifunction printer devices so why do
we want to attack multifunction printer devices besides it being fun as hell basically to gather information as an attacker we can gather this information and use it to escalate our rights into other course systems within your environment so when are we going to typically do this an example would be if you expose it to the Internet and I know everyone's thinking why would anyone expose a printer to the Internet well go out to Google when you get a chance and and type in there and try to pull out some printer information and you'll find there's literally thousands hundreds and thousands of printers out on the internet that are exposed out there and probably half of them have no password set or default factory passwords the other example is once somebody gains a foothold into your environment whether it's an internal user disgruntled employee or an external attacker who has gained access to your environment earlier this year I was on Paul com episode 2 37 we were talking about this and Paul made a real interesting point about this and that is the fact that this vector falls underneath the radar screen no one's monitoring it paying attention to it no one's logging or doing any auditing against anyone corian information from your printer it's totally ignored so if an attacker gets a foothold he can quarry your printers well below the radar screen through the web interface and potentially pull information that he could use the log on to your Active Directory environment without anyone ever knowing so it's a real concern so how are we going to do this obviously leveraging default passwords to get into the printer to start with we've seen all the hands that were raised so we know that no one's changing these passwords second is access bypass attacks and that's an attack against a printer where they have set a password but you found a way to bypass all the security on the device and gain access to that printer the third one information leakages once we gain access to that printer how do we extract some of that data do these printers leaked that information fourth one on there forceful browsing if you know what the URL you want to get access to forget about the password you need to get to it with you just enter that URL and the printer gives you access and of course backup and cloning functions ability to pull all those backups or clones offline and pull the information out of those and the last one on here is a pass back attack typically to be able to trick that printer into sending the information to you we're going to go into some detail in that toward the end of this presentation so the first one I
want to talk about is the bypass attack this is the ability to bypass the authentication of device by passing various forms of data in the actual URL we got two examples we're going to show today and that's the toshiba and HP so on the toshiba if you look at this URL
this would give us access to the scan the file configuration page on that runner the end of this URL n the toshiba is going to take you or redirect you to a logon page if you happen to know the default password which is no it's at 123456 ok so that's a default password so you know what it is for all the e studio toshibas ok it should be easy for you to remember them ok so if they've actually changed the password how do we get into this device well there's a
little trick with this particular device I don't know if you've noticed there it's an extra / put the extra / in between top axis and administrator and so goes your security and now you're into the configuration page so the second example and this is an HP
officejet our office jet device a lot of you guys probably have these sitting in your home right now the reason why I mentioned this is a really good example of a bypass attack Plus as a pen tester I've been noticing a large number of these showing up on corporate networks there's small devices less than a couple hundred dollars and we find them actually be used in managers offices so they don't have to walk down the hallway to get their print job or do little copies and scan stuff and they're cheap so if you actually try to get to a fax address book on with these devices an authentication has been enabled it's going to prompt you to log on so we have
a little demo where you can actually show this taking place
you
so if we go up to the setting part of this and we click on setting and authentication is required it's actually going to prompt you for username and password and this is my printer and I actually forgot the password like years ago so you go ahead hit cancel when you
get to the URL up here where the actual facts address is at and what you do is you actually copy it and you paste it back in there so we actually have what says page equals page equals fax address book 1 by adding that extra page equals we can bypass the security and get to
the configurations on the device
so the next area we want to delve into is information leakage now that we've gained access to a device because of default passwords or four byte by bypassing the actual security on the device how can we pull information from this device so the first one we're going
to look at is an information leakage on an HP device this is a gig I did here
it's probably about a year and a half ago turned out they'd actually exposed this printer to the internet and besides stealing all their faxes off the device as you notice that the email settings on this points to one of the employees that's taken care of the devices gmail account so as an attacker would be really nice if you could get the password for their gmail account because then you could use it to carry out other attacks against them or social engineering attacks so when you look down here and you look at the password you see all those black dots a lot of us go all our passwords protect it well that's not always the case especially when we're dealing with embedded devices like multifunction printers so the big thing here is if you have Firefox you can right-click on that field and go show properties we expand that up we see that it is basically a plaintext password in there so the next device we
move on to is the toshiba so if we know the password or in the case of toshiba bypass the actual password on the device and we want to go to the SMB settings on this device of Samba settings and take a
close look at what we have up there I mean really close look we have it set up the log on to the domain and guess what the logon name is administrator so would it be sweet if we right clicked on that and we got the password pretty much game over at that point and remember this is all underneath the radar screen no one ever knows you're not generating any noise you're just logging on with a web browser to a printer right clicking and viewing to source and now this device is given up your domain and password so the next one on we'll
move on to is forceful browsing attacks basically with a forceful browsing attack it's a concept of if you know the URL that you want to get to in spite of the security a device you just type in the URL and you go to it one of the things I've noticed over many years of looking at embedded devices and multifunction printers is a lot of times they will properly handle security on file extensions that are standard like CGI dot HTM tml but if it's a non-standard type file extension on a lot of printers and a lot of embedded devices you can actually just query for that and it'll give it to you without any requirement for authentication so what we want to look at is the canon what's interesting about the Canon printer we're going to be looking at the address books on this device canon printers in a lot of other devices the address books contain more than what you typically expect an address book to contain or they can we normally expect to see you know username email address you know phone number typical stuff like it may be some facts information well it turns out on this particular device there's a lot more information so let's look into forceful browsing gaining access to that again the extensions on this device or the files where after a dot ldif or dot ABK very non-standard X file extension so maybe that plays a role in why we can get access to it the imagerunner actually has 11 address books or up to 11 address books that you can quarry on it so if you type in this URL you should be able to extract it but first thing you got to do is you have to have a valid cookie to be able to do this so if you just type in this URL and point it to your imagerunner it's going to fail because you don't have a valid cookie now I didn't say unauthenticated cookie I said a valid cookie so if you hit the home page on the printer it will give you a valid cookie and then enter this in and it'll give you the first address book if you increment the a ID up 1 through 11 you can get each and every one of the address books the data typically comes off the address books is in plain text also a quick note early this year I had mentioned that I thought this was patched in a lot of devices because i was getting failures on a number of occasions well started analyzing a number of imagerunner devices and i noticed that these two models here these product name ir35 80 and i are 40 80 are the only two that i can find that this fails on it works on all the others that have this address book functionality not that there may not be a way to get around on these devices but this method fails on them but it doesn't fail on all the other one so let's cook this data so we pull the address book we can quickly see that URL information a username and a password can actually be pulled out of the address book so what are we looking at this device is actually configured so you can walk up to the printer and do a scan job after youth indicate yourself as d smith and what it'll do is it'll do the scan job and it'll save on your workstation that URL happens to be his workstation I've also seen these configured to point to actual file servers but predominantly I see it pouchon pointing to the individuals workstation so the he can do a scan job and it shows up on his workstation so now I have the password to his workstation so I can log on well if they screwed that up and actually created the username of cannon as an administrator in his local workstation the next step is I'm admin on his workstation which we've done before at that point I can extract the hashes associated with all the users on the device particularly the administrator account and use that to break in on every other machine on the network that actually has the same administrator password so the next thing we want to delve into
is backups and cloning backups and the purpose of backups in colonias bility one to make a backup if you configuration of your device which is very important if you need to fix it or rebuild or whatever the case may be Xerox really does what they call cloning it gives them the ability to roll out multiple systems so if you're rolling out fifty xerox boxes Xerox multifunction printers in your environment you really don't want to go to fifty devices and configure them so you can pull a clone off one device is configured and deploy it across all these different devices and configure it's really nice nice process so the whole idea this is if this contains information that we could use to attack you then of course we can log on pull this and we'll all we have usernames and passwords so let's look at the first one this is a lexmark the settings import export export setting file functionality and this export file is all in plain text so we easily go to this page import
export we click export setting file and we're able to extract this and as you see plaintext passwords are actually stored in this file the interesting thing about this device this particular device that I test it was that they've done a really good job of not having information leakages so when you go to the configuration pages you can't extract the passwords out of the source code so they've made an attempt to actually secure the device from that level but yet have made it possible for you to actually pull all of the configurations including usernames and passwords off the device in a backup file the next one we went delve into is
the xerox fairly simple you've got to log on to a xerox workcentre and what's the password for a xerox workcentre i don't know if i heard it but it's 1111 that seems to be the normal for the work centers username is admin so we get to this we go to the xerox workcentre general setup under properties go to
cloning and we have all these settings that you can select to extract a cloning data you click on that and you get a cloning dlm file you right
click on this and you can save this so what is a dlm file so well let's go ahead and show you before we do that the previous example with the lexmark we notice that exports everything out in plain text xerox used to do that they fix that problem so the newer stuff the outputs of the dlm is actually the passwords and encrypted so we're going to show you the older stuff the newer stuff some conversation around that and where we're going with that and how to get access to the dlm data
everyone see that good everyone see that that shouldn't be let's see I can't control that so a typical dlm file that you extract off this let's go ahead and look at the dlm file as you can see it looks like a
whole bunch of compressed encrypted it's
some kind of data with the header
somewhat of a pgl type header so I really didn't know what the format of this was so I spent some time on the internet searching around I searched and I searched and I searched and I finally found a message board out of Norway all written in bork bork which I couldn't read but I knew they were talking about this so I actually fed it through a translator online and basically the jest was and it was between 20 acts employees thank you that this is nothing but a tarball so if that's the case let's just
get rid of this header
maybe I need to Oh neat hell is spelled dlm there we go okay they were able to extract it so it was a tarball the item of interest in this particular extract is under data
so if we search down through there and obviously you can see it's the entire configuration mostly in plain text go down through here looking at all the passwords there's one and there's one
down here so we instantly find that the ldap password is like nope dead so we're able to extract the data and now this is this is what they were doing several years ago they've actually fixed this which is which is a good thing and that's what this is all about anyway it's about security not in security so I like to see companies moving in the right direction so let's go ahead and look at the other example so we can see what it is we've already extracted that so
and as you can see it's some kind of encryption and I have to admit the first time I saw this I thought oh it's just an md5 hash or something like that but the truth is remember this is the ldap password so it has to be some form of encryption encoding we haven't cracked this yet so I'm just throwing it out there so you can see this and see where we're thinking we're moving forward this has to be some kind of encoding or encryption of the password it's 32 characters hex we also know that it's a clone so this has to be have the same keys or the same encryption process on every one of that brand of printer or the clone wouldn't work so we know that much so it's consistently reused research I've done so far up to this point leads me to believe that the cloning process isn't the part that's encrypting this that more than likely the encryption mechanism this is actually being maintained within the Postgres database that these devices use using some type of postgres encryption and that's where it's being handled so that's where we're at on that right now so as we move forward anyone interested in helping me with this down the road you know shoot me an email definitely open to getting some assistance
okay the next area we want to get into is the pass back attack this is something I just been working on I don't know over the last four or five months and it's kind of cool and kind of fun at least I think it is so the whole idea of a pass back attack is an attack where we trick the multifunction printer into communicating to us the attacker versus his configured service as the example a number of printers we found have a test function on them so if you go to the ldap configurations on certain printers you can hit a test button and it will test the actual authentication of ldap to the configured ldap server and there are some other services that do this also so the whole jest of this attack
starts out with the attacker hits the test button on the printer the printer authenticates to the ldap server the tack urge Ainge's the ldap path IP address hits the test button the printer nicely authenticates to the attacker given us the ability to capture all the authentication data so let's start with
a couple examples the first one we're not going to get into a whole lot of detail but the second one we're going to show you a lot of detail it turns out here on this sharp printer if we look at each one of these possible settings on the configuration page every one of those is passed from client side when you hit the test button so they are you have the ability to alter those from the client side versus server side the sharp
printer has ability to do this on ldap and smtp and like i said this the attacker can send all of these fields except the password field password fields stored on the printer so if you can tell the printer to test this using what you have stored on the printer is the password you get the plaintext password these are the three fields on the sharp printer that we want to alter with the server IP address the off type because remember it may be configured to do ntlm or Kerberos but during the test function you can say let's just do it in plain text that way you capture it back and here is the screen for the sharp for the smtp settings also so the next we want
to get into show a little more detail is the actual Raikou printer and the right go printer very similar sharp printer easily de tricked into doing this so if we look at the configurations of course we have the server IP address we have the port number and I referenced the port number because if you're attacking this device and have filters between you and him that particular port may not make it back to you so if you can alter that you can get it to go across any filtering they may have and of course the authentication type as you see each we have set their clear text digest or Kerberos and you have the ability client side to alter those during the test function so this happens to be the test CGI that you post the data to so what's follows next is a I chart so this is the
data that actually gets posted to that URL up there the area in red if it's altered will typically reconfigure the printer which is not what you want to do the area in black is what's used by the test function and does not alter the printers configuration the blue areas of the things that I like to alter to carry out this particular tack and we also
have a video demo of this i want to show you real quick
so it's really really simple pneus you go up the right-hand corner on the right coat page and you click log on it this password is really easy to remember it's
blank enter the username of entered the username admin and now you log onto the
device once you're logged on to the right go printer gives you a lot more features and you can go to the configuration page under the configuration page you have the default settings and the one we're interested here is the ldap settings as you can see there's only one ldap server configured on this so what you want to do is you want to actually check that box and go ahead and open it up so you can see the configurations and here we see all the different configurations that are available in this particular device that we want to screw with so to carry out this tack we want to set
up a net cat listen to import 1389 so we fire that up we also want to set up a proxy server to grab the content coming from your web browser here i'm using burp but you could easily use perros proxy also and then we go back to the configurations we go down to the start for the test function and we click start go back to the Paris or Burt proxy and
you can see that I chart that I showed you earlier it captured all that data and I gradually go through here and highlight different parts of that or interest and I'm not sure if you can even actually see any of that out there and the area you don't want to screw with because you will reconfigure their printer you don't want to have to go back and change it so what we want to do is the attacker it's fairly simple we want to change the IP address so it's no longer pointing to the ldap server and we want to change the port so it's pointing to us on 1389 so our netcat listener can grab it and of course if we want to when one alter the auth type is needed so we sent that and if you notice we have a connection coming from that printer to our net cat so our net cat has actually got a connection with the printer speed this up a little bit because it took about 45 seconds to run through but you'll see here real quickly after about 45 seconds the printer nicely passes us the username and the password in plain text so if you have access to the sharp or the Raikou
printers and they are configured and you want to gather information off of it and these devices don't have a whole lot of leakage problems other than this one here you can carry out this pass back attack by altering capturing the data that you send to the test function telling the printer to instead of communicating the test function to its actual ldap server I want you to communicate back to me the attacker and I want you to authenticate to me in plaintext given me the username and password gives you the ability to strip the password off the printer
okay the next thing we want to move into is actually the tool so we started
developing this tool wall back it's called pred preta is latin for plunder
spoils of war booty thief and that's what its purpose is its purpose is to go to typically the web interfaces on your multifunction printers using weak passwords vulnerabilities and what other methods that we can put together to strip this data that can be used to attack other key systems within your environment the present version we actually do have one module that a guy has been working with me on that doesn't use the web interface it actually uses rsh it turns out that the RS RS H on the ricoh printer was an easier method for getting the logs off then going through the web interface it was easier to parse it gave it to us in a cleaner fashion so we go ahead and just pull it that way and then parse the logs that way versus the web interface so we do have one module that goes outside the web part the present version is actually written in perl version 1 dot to dot beta we have 17 modules so far extracting data from 40-plus different printer models cannons HP lexmark raikou sharp toshiba and xerox printers simple how the Tool Works it's made up of four pieces you have the parade opl which is a dispatcher you have individual modules designed to go against certain model types you feed it a target file list or a target list of all the IPS or printers that you want to run this attack against and you have a data file which does fingerprinting the data file this is a
structure of the data file there's four plus fields in the data file the first field is more than nothing more than a sequence number the second third field is the method we use for fingerprinting and the way that works is it pulls the second field looks at the title page of the multifunction printer the third field looks at the server type and that works probably about eighty eighty-five percent of the time on fingerprinting and specific models or model series and then fields four five six and continuing out there the actual modules that are actually used to launch the attacks with so generally the tool syntax is pray to PL the target file the TCP port you want to go to whether it's 84 for 380 88,000 and then also the project name what you want to call the project so that creates a folder project name creates a folder and the output file as a log file that's generated so all the data this thing gathers writes it into the project folder and also the outlook put log file writes what's taking place and in some of the modules where extracts specific passwords out or write it into the output log so this core is the printers in the target list if a match is found the data the devices attack the information is pulled and stored in this method here so where do we see a parade of going moving forward in the future the goal here is as we had mentioned with the xerox the the password encryption part of that so we have an ongoing project there to evaluate that and see if we can figure that out also a number of other printers have actually started the backup cloned files that it generates are all encrypted but the fact is that you enter the password to do the encryption so it's just a matter of figuring out what encryption they have you have the password you could easily decrypt it so probably analyzing that and trying to find various methods to do that once we will find those for the different models will build modules to pull the encrypted file and decrypt it and save it for you we also have talked about actually working on migrating this code over to Ruby right now I'm kind of holding off on that we're going to stick with working in Perl and the main thing is I want to see this project go to critical mass right now we have 17 modules 40-plus different device models we go to but the thing is I want the tool to be a valid usable tool for pen testers so we're looking for people to jump in add value to this let's work on actually growing this and once it reaches critical mass where it becomes a real valid tool used by enough people then we'll go ahead and reanalyze it is pearl the best option is Ruby a better option could it be incorporated into other tools or could it be you know written in Python so right now we're going to stick with the pearl and move forward for mayor also we've been looking at developing other modules besides just printers multifunction printer devices there's all kinds of embedded devices sitting on our network everything from UPS's sand systems cameras every one of these devices we as pen testers have actually found usable data that can be extracted from these devices so the goal is expand this project also to actually include all of those type of devices also and I plan on releasing probably about a half dozen or more modules that go against Network appliances next month when I present this in Bangalore India and I think that pretty much covers it looks like a wit a little fast today and we got a minute
here let's uh I got a couple t-shirts to give away people like t-shirts right
well you have to poop is Annette t-shirts and the thing is is you have to answer a question so real quick it's fairly easy what's the default password you have to raise your hand because obviously everyone's gonna say what's the default password for most work central printers gentlemen gentlemen back here in a blue shirt right here yeah okay so i have i have an extra large here you could take one of these and i think the other ones at 2x there's a 2x also 11 more ok what's the default password for a toshiba e-studio printer no that's it looks like you got stuck with a 2x I'm sorry so if anyone has any questions will be over in the question-and-answer room too and please come on over and we'll discuss this further and I hope to hear some input from everybody catch you later
Feedback