From Printer To Pwnd
Formal Metadata
Number of Parts | 122
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/40558 (DOI)
DEF CON 1985 / 122
Transcript: English(auto-generated)
00:00
So let's go ahead and get started. My presentation, From Printer to Pwnd: Leveraging Multifunction Printers During Penetration Testing. A little bit about myself. My name's Deral Heiland. I also go by the handle of percent_x. I live in the Dayton, Ohio area. I've been in IT for about 18 years. 10 of those in security, and three of
00:21
those as a pen tester. I'm a member of the Foofus.net team. You guys are pretty sad. OK, this is my third time speaking at DEFCON, and this is always fun. I always have a ball being here. So let's go ahead and get started. I do have a guy showing up with a 50 foot, because I don't
00:42
know if anyone's seen me speak before, but tethering me on a five foot rope can be dangerous. So the agenda for today's presentation is multifunction printer features. We're going to quickly go over some of the features and functions you typically see in multifunction printers that we want to attack or steal information from.
01:03
Second, we have a single one slide on multifunction printer security. From there, we're going to go to attacking multifunction printer devices and leveraging those attacks during penetration testing. And at the end, we'll go ahead and conclude with development of an automated harvesting tool.
02:17
OK, I guess we can get started again. So let's go ahead and move into this.
02:21
Let's start off by talking about multifunction printer features. There we go. OK, I don't know how many people have actually logged onto the web interface on a multifunction printer, but that's generally what we're going to be talking about today. And there's a wealth of features and functions that
02:42
can be pulled, information can be pulled out of that. An example here is scan to file functionality. The ability to walk up to that multifunction printer and scan data or scan something and actually have it store it on a Microsoft file server or on an FTP server.
03:01
Also scan to email, the ability to scan stuff and have it go out in email. So these have to be able to integrate into those services, SMTP server, SMB authentication onto Windows devices, such stuff like that. Also, a big one is LDAP authentication. The ability to go up to that device, authenticate
03:21
yourself to that printer, and then have that printer give you specific features or functions associated directly with you. Also, system logs. A lot of us overlook what kind of information exists in system logs on these devices, and it could be a wealth of information. An example would be color printers a lot of times have
03:41
chargeback functions, so they have to be able to log who's actually using the printer. So a lot of times it will log usernames that can be stripped off these printers and used. And, of course, remote functionality with the new cloud concept coming out there. We're seeing more and more stuff roll into this area. So that's an interesting one.
04:00
And, of course, backup and cloning. The ability to back up the entire configuration of the device. So if an attacker can pull the backup and cloning information and then strip it apart offline, he can pull that information in one fell swoop. So the next thing I want to get into is multifunction printer security. So we have one slide, four steps to security failure on a
04:23
multifunction device. Pretty straightforward. What do we do? We roll these things in. We power them up. We integrate these into the business system so they connect to our SMTP. They connect to our Microsoft Active Directory environment. They connect to FTP servers. And then the third thing, what do we do?
04:40
We set no passwords on these, or we leave them at the factory default password settings. So I have a question for you. So we can qualify this, or quantify this. How many people in here, their company requires you to set a complex password on all multifunction printers that are deployed within your organization?
05:01
So raise your hands. So everyone else, look around the room. That's probably the typical amount that I see. Nobody is doing this. And, of course, the last one on this list is no patch management. So if there is a bug or vulnerability that exists in these printers, we're not putting patches on these to
05:23
fix those problems. So let's roll into the fun stuff. Attacking multifunction printer devices. So why do we want to attack multifunction printer devices, besides it being fun as hell? Basically, to gather information as an attacker.
05:40
We can gather this information and use it to escalate our rights into other core systems within your environment. So when are we going to typically do this? An example would be if you expose it to the internet. And I know everyone's thinking, why would anyone expose a printer to the internet? Well, go out to Google when you get a chance and
06:00
type in there and try to pull out some printer information. And you'll find there's literally thousands, hundreds and thousands of printers out on the internet that are exposed out there. And probably half of them have no password set or default factory passwords. The other example is once somebody gains a foothold into your environment.
06:22
Whether it's an internal user, a disgruntled employee, or an external attacker who has gained access to your environment. Earlier this year, I was on PaulDotCom, episode 237, we were talking about this. And Paul made a real interesting point about this. And that is the fact that this vector falls underneath
06:41
the radar screen. No one's monitoring it, paying attention to it, no one's logging, or doing any auditing against anyone querying information from your printer. It's totally ignored. So if an attacker gets a foothold, he can query your printers well below the radar screen through the web
07:00
interface and potentially pull information that he could use to log on to your Active Directory environment without anyone ever knowing. So that's a real concern. So how are we going to do this? Obviously leveraging default passwords to get into the printer to start with. We've seen all the hands that were raised, so we know
07:20
that no one's changing these passwords. Second is access bypass attacks. And that's an attack against a printer where they have set a password, but you found a way to bypass all the security on the device and gain access to that printer. Third one, information leakages. Once we gain access to that printer, how do we extract some
07:41
of that data? Do these printers leak that information? Fourth one on there, forceful browsing. If you know the URL you want to get access to, forget about the password you need to get to it with. You just enter that URL, and the printer gives you access. And of course, backup and cloning functions. The ability to pull all those backups or clones offline
08:02
and pull the information out of those. And the last one on here is a passback attack. Typically, to be able to trick that printer into sending the information to you. And we're going to go into some detail on that toward the end of this presentation. So the first one I want to talk about is the bypass attack.
08:22
This is the ability to bypass the authentication of a device by passing various forms of data in the actual URL. We've got two examples we're going to show today, and that's a Toshiba and an HP. So on the Toshiba, if you look at this URL, this would give us access to the scan to file configuration page on
08:41
that printer. If you enter this URL in, the Toshiba is going to redirect you to a log-on page. If you happen to know the default password, which is? No, it's 123456. So that's the default password, so you know what
09:00
it is for all the e-STUDIO Toshibas. OK. It should be easy for you to remember, then. OK, so if they've actually changed the password, how do we get into this device? Well, there's a little trick with this particular device. I don't know if you've noticed there.
09:20
It's an extra slash. Put the extra slash in between top access and administrator, and so goes your security, and now you're into the configuration page. So the second example, and this is an HP OfficeJet device.
09:43
A lot of you guys probably have these sitting in your home right now. The reason why I mention this is it's a really good example of a bypass attack. Plus, as a pen tester, I've been noticing a large number of these showing up on corporate networks. They're small devices, less than a couple of hundred dollars, and we find them actually being used in managers'
10:02
offices so they don't have to walk down the hallway to get their print job or do little copies and scan stuff, and they're cheap. So if you actually try to get to a fax address book on one of these devices and authentication has been enabled, it's going to prompt you to log on.
10:20
So we have a little demo where we can actually show this taking place.
10:48
So if we go up to the setting part of this and we click on setting and authentication is required, it's actually going to prompt you for a username and password. And this is my printer, and I actually forgot the password like years ago.
11:00
So you go ahead, hit cancel, and you get to the URL up here where the actual fax address is at. And what you do is you actually copy it, and you paste it back in there so we actually have what says page equals, page equals, fax address book one. By adding that extra page equals, we can bypass this
11:22
security and get to the configurations on the device.
11:43
So the next area we want to delve into is information leakage. Now that we've gained access to a device because of default passwords or by bypassing the actual security on the device, how can we pull information from this device? So the first one we're going to look at is information leakage on an HP device.
12:02
This is a gig I did here. It's probably about a year and a half ago. Turned out they had actually exposed this printer to the internet. And besides stealing all their faxes off the device, as you notice, the email settings on this point to the Gmail account of one of the employees that's taking care of the device.
12:20
So as an attacker, it would be really nice if you could get the password for their Gmail account, because then you could use it to carry out other attacks against them or social engineering attacks. So when you look down here and you look at the password, you see all those black dots. A lot of us go, oh, are passwords protected? Well, that's not always the case, especially when we're
12:42
dealing with embedded devices like multifunction printers. So the big thing here is if you have Firefox, you can right click on that field and go Show Properties. We expand that up, we see that it is basically a plain text password in there. So the next device we move on to is the Toshiba.
13:02
So if we know the password, or in the case of Toshiba, bypass the actual password on the device, and we want to go to the SMB settings on this device, the Samba settings, and take a close look at what we have up there. I mean, really close look.
13:21
We have it set up to log on to the domain, and guess what the log on name is? Administrator. So wouldn't it be sweet if we right clicked on that and we got the password? Pretty much game over at that point.
13:40
And remember, this is all underneath the radar screen. No one ever knows. You're not generating any noise. You're just logging on with a web browser to a printer, right clicking, and viewing the source. And now this device has given up your domain admin password. So the next one I want to move on to is forceful
14:01
browsing attacks. Basically, with a forceful browsing attack, it's the concept of if you know the URL that you want to get to, in spite of the security of the device, you just type in the URL and you go to it. One of the things I've noticed over many years of looking at embedded devices and multi-function printers is a
14:21
lot of times they will properly handle security on file extensions that are standard, like .CGI, .HTM, .HTML. But if it's a non-standard type file extension, on a lot of printers and a lot of embedded devices, you can actually just query for that and it'll give it to you without any requirement for authentication.
14:42
So what we want to look at is the Canon. What's interesting about the Canon printer, we're going to be looking at the address books on this device. Canon printers and a lot of other devices, the address books contain more than what you typically expect an address book to contain, or they can. We normally expect to see username, email address, phone
15:06
number, typical stuff like that. Maybe some fax information. Well, it turns out on this particular device, there's a lot more information. So let's look into forceful browsing, gaining access to that. Again, the extensions on this device, or the files we're after, are .LDIF or .ABK.
15:23
Very non-standard file extensions. So maybe that plays a role in why we can get access to it. The imageRUNNER actually has 11 address books, or up to 11 address books that you can query on it. So if you type in this URL, you should be able to extract it. But first thing you've got to do is you have to have a
15:43
valid cookie to be able to do this. So if you just type in this URL and point it to your imageRUNNER, it's going to fail because you don't have a valid cookie. Now, I didn't say an authenticated cookie. I said a valid cookie. So if you hit the home page on the printer, it will give you a valid cookie.
16:01
And then enter this in, and it'll give you the first address book. If you increment the AID up one through 11, you can get each and every one of the address books. The data that typically comes off the address books is in plain text. Also, a quick note. Early this year, I had mentioned that I thought this
16:22
was patched in a lot of devices because I was getting failures on a number of occasions. Well, I started analyzing a number of imageRUNNER devices, and I noticed that these two models here, these product names iR3580 and iR4080, are the only two that I can find that this fails on.
16:42
It works on all the others that have this address book functionality. Not that there may not be a way to get around it on these devices, but this method fails on them. But it doesn't fail on all the other ones. So let's look at this data. So we pull the address book. We can quickly see that URL information, a user name, and
17:01
a password can actually be pulled out of the address book. So what are we looking at? This device is actually configured so you can walk up to the printer and do a scan job after you authenticate yourself as D. Smith. And what it'll do is it'll do the scan job, and it'll save it on your workstation. That URL happens to be his workstation. I've also seen these configured to point to actual
17:24
file servers. But predominantly, I see it pointing to the individual's workstation. So he can do a scan job, and it shows up on his workstation. So now I have the password to his workstation. So I can log on. Well, if they screwed that up and they actually created the user name of Canon as an administrator on his local
17:42
workstation, the next step is I'm admin on his workstation, which we've done before. At that point, I can extract the hashes associated with all the users on the device, particularly the administrator account, and use that to break in on every other machine on the network that actually has the same
18:00
administrator password. So the next thing we want to delve into is backups and cloning. The purpose of backups and cloning is ability one, to make a backup of the configuration of your device, which is very important if you need to fix it or rebuild it or whatever the case may be.
18:22
Xerox really does what they call cloning. It gives them the ability to roll out multiple systems. So if you're rolling out 50 Xerox multi-function printers in your environment, you really don't want to go to 50 devices and configure them. So you can pull a clone off one device that's configured and deploy it across all these different
18:40
devices and configure. It's a really nice process. So the whole idea of this is if this contains information that we could use to attack you, then of course we can log on, pull this, and we'll all have usernames and passwords. So let's look at the first one. This is a Lexmark. The settings, import, export, export setting file
19:02
functionality. And this export file is all in plain text. So we easily go to this page, import, export. We click export setting file. And we're able to extract this. And as you see, plain text passwords are actually stored in this file. The interesting thing about this device, this particular
19:23
device that I tested, was that they've done a really good job of not having information leakages. So when you go to the configuration pages, you can't extract the passwords out of the source code. So they've made an attempt to actually secure the device from that level, but yet have made it possible for you to actually pull all of the configurations, including
19:42
the usernames and passwords off the device in a backup file. The next one we want to delve into is the Xerox. Fairly simple. If you go to log on to a Xerox WorkCentre, and what's the password for a Xerox WorkCentre?
20:01
I don't know if I heard it, but it's 1111. That seems to be the normal for the WorkCentres. Username is admin. So we get to this, we go to the Xerox WorkCentre, general setup under properties. Go to cloning, and we have all these settings that you can select to extract the cloning data. You click on that, and you get a cloning.dlm file.
20:22
You right click on this, and you can save this. So what is a DLM file? So let's go ahead and show you. Before we do that, the previous example with the Lexmark, we noticed that it exports everything out in plain text. Xerox used to do that. They fixed that problem.
20:41
So the newer stuff, the output of the DLM, actually has the passwords encrypted. So we're gonna show you the older stuff, the newer stuff, some conversation around that, and where we're going with that, and how to get access to the DLM data.
21:11
Everyone see that good? Everyone see that? That shouldn't be, let's see.
21:40
So a typical DLM file that you extract off this.
21:45
Let's go ahead and look at the DLM file. As you can see, it looks like a whole bunch of compressed, encrypted, some kind of data with a header, somewhat of a PGL type header. So I really didn't know what the format of this was,
22:01
so I spent some time on the internet searching around, and I search, and I search, and I search, and I finally found a message board out of Norway, all written in Bork Bork, which I couldn't read, but I knew they were talking about this. So I actually fed it through a translator online,
22:22
and basically the gist was, and it was between two Xerox employees, thank you, that this is nothing but a tarball. So if that's the case, let's just get rid of this header.
23:03
Maybe I need to, need to have it spelled DLM, there we go. Okay, they were able to extract it, so it was a tarball. The item of interest in this particular extract is under data.
23:27
So if we search down through there, and obviously you can see it's the entire configuration, mostly in plain text, go down through here, looking at all the passwords, there's one, and there's one down here.
23:41
So we instantly find that the LDAP password is like milk dead. So we're able to extract the data. Now this is what they were doing several years ago. They've actually fixed this, which is a good thing, and that's what this is all about anyway. It's about security, not insecurity. So I like to see companies moving in the right direction.
24:02
So let's go ahead and look at the other example so we can see what it is. We've already extracted that, so.
24:30
And as you can see, it's some kind of encryption. And I have to admit, the first time I saw this, I thought, oh, it's just an MD5 hash or something like that. But the truth is, remember, this is the LDAP password.
24:43
So it has to be some form of encryption encoding. We haven't cracked this yet, so I'm just throwing it out there so you can see this and see where we're thinking, we're moving forward. This has to be some kind of encoding or encryption of the password. It's 32 characters hex.
25:01
We also know that it's a clone, so this has to be, have the same keys or the same encryption process on every one of that brand of printer or the clone wouldn't work. So we know that much, so it's consistently reused. Research I've done so far up to this point leads me to believe that the cloning process
25:22
isn't the part that's encrypting this, that more than likely the encryption mechanism of this is actually being maintained within the Postgres database that these devices use using some type of Postgres encryption. And that's where it's being handled. So that's where we're at on that right now.
25:41
So as we move forward, anyone interested in helping me with this down the road, shoot me an email. Definitely open to getting some assistance.
26:00
The next area we want to get into is the passback attack. This is something I've just been working on, I don't know, over the last four or five months. And it's kind of cool and kind of fun, at least I think it is. So the whole idea of a passback attack is an attack where we trick the multifunctional printer into communicating to us, the attacker,
26:20
versus his configured service, as the example. A number of printers we found have a test function on them. So if you go to the LDAP configurations on certain printers, you can hit a test button and it will test the actual authentication of LDAP
26:41
to the configured LDAP server. And there are some other services that do this also. So the whole gist of this attack starts out with the attacker hits the test button on the printer, the printer authenticates to the LDAP server. The attacker changes the LDAP IP address, hits the test button, the printer nicely
27:03
authenticates to the attacker, giving us the ability to capture all the authentication data. So let's start with a couple examples. The first one we're not gonna get into a whole lot of detail, but the second one we're gonna show you a lot of detail. It turns out, here on this Sharp printer,
27:21
if we look at each one of these possible settings on the configuration page, every one of those is passed from client side when you hit the test button. So you have the ability to alter those from the client side versus server side.
27:43
The Sharp printer has the ability to do this on LDAP and SMTP. And like I said, the attacker can send all of these fields except the password field. Password field's stored on the printer. So if you can tell the printer to test this, using what you have stored on the printer as the password,
28:03
you get the plain text password. These are the three fields on the Sharp printer that we want to alter, the server IP address, the auth type, because remember, it may be configured to do NTLM or Kerberos, but during the test function, you can say, let's just do it in plain text.
28:20
That way you capture it back. And here is the screen for the Sharp for the SMTP settings also. So the next we wanna get into, we're gonna show a little more detail, is the actual Ricoh printer. And the Ricoh printer, very similar to the Sharp printer, easily tricked into doing this. So if we look at the configurations,
28:40
of course we have the server IP address, we have the port number, and I reference the port number because if you're attacking this device and they have filters between you and him, that particular port may not make it back to you. So if you can alter that, you can get it to go across any filtering they may have. And of course, the authentication type. As you see each, we have set there, clear text, digest, or Kerberos.
29:03
And you have the ability, client-side, to alter those during the test function. So this happens to be the test CGI that you post the data to. So what follows next is an eye chart. So this is the data that actually gets posted to that URL up there.
29:20
The area in red, if it's altered, will typically reconfigure the printer, which is not what you wanna do. The area in black is what's used by the test function, and does not alter the printer's configuration. The blue areas are the things that I like to alter to carry out this particular attack. And we also have a video demo of this I wanna show you real quick.
30:17
So it's really simple in this. You go up to the right-hand corner on the Ricoh page,
30:21
and you click Log On. This password's really easy to remember. It's blank. Enter the username, admin. And now you log on to the device. Once you're logged on to the Ricoh printer,
30:41
it gives you a lot more features, and you can go to the Configuration page. Under the Configuration page, you have the default settings, and the one we're interested in here is the LDAP settings. As you can see, there's only one LDAP server
31:01
configured on this, so what you wanna do is you wanna actually check that box and go ahead and open it up so you can see the configurations. And here we see all the different configurations that are available on this particular device. That we wanna screw with.
31:30
So to carry out this attack, we wanna set up a netcat listening on port 1389. So we fire that up. We also wanna set up a proxy server to grab the content coming from your web browser.
31:41
Here I'm using Burp, but you could easily use Paros proxy also. And then we go back to the configurations. We go down to the start for the test function, and we click Start. Go back to the Paros or Burp proxy, and you can see that eye chart that I showed you earlier. It captured all that data.
32:02
And I gradually go through here and highlight different parts of that that are of interest, and I'm not sure if you can even actually see any of that out there. And the area you don't wanna screw with, because you will reconfigure their printer. You don't wanna have to go back and change it. So what we wanna do as the attacker, it's fairly simple, we wanna change the IP address
32:22
so it's no longer pointing to the LDAP server. And we wanna change the port so it's pointing to us on 1389 so our Netcat listener can grab it. And of course, if we want to, we wanna alter the auth type if needed. So we sent that, and if you notice, we have a connection coming from that printer
32:41
to our Netcat. So our Netcat has actually got a connection with the printer. Speed this up a little bit because it took about 45 seconds to run through. But you'll see here real quickly, after about 45 seconds, the printer nicely passes us
33:00
the username and the password in plain text. So if you have access to the Sharp or the Ricoh printers and they are configured and you wanna gather information off of it and these devices don't have a whole lot of leakage problems other than this one here,
33:22
you can carry out this passback attack by altering, capturing the data that you send to the test function, telling the printer to, instead of communicating the test function to its actual LDAP server, I want you to communicate back to me, the attacker, and I want you to authenticate to me in plain text,
33:41
giving me the username and password. Gives you the ability to strip the password off the printer. Okay, the next thing we wanna move into
34:01
is actually the tool. So we started developing this tool a while back and it's called Praeda. Praeda is Latin for plunder, spoils of war, booty, thief, and that's what its purpose is. Its purpose is to go to typically the web interfaces
34:20
on your multi-function printers using weak passwords, vulnerabilities, and what other methods that we can put together to strip this data that can be used to attack other key systems within your environment. The present version, we actually do have one module
34:43
that a guy has been working with me on that doesn't use the web interface. It actually uses RSH. It turns out that the RSH on the Ricoh printer was an easier method for getting the logs off than going through the web interface. It was easier to parse. It gave it to us in a cleaner fashion.
35:02
So we go ahead and just pull it that way and then parse the logs that way versus the web interface. So we do have one module that goes outside the web part. The present version is actually written in Perl, version 1.2.beta. We have 17 modules so far, extracting data from 40 plus different printer models,
35:22
Canon, HP, Lexmark, Ricoh, Sharp, Toshiba, and Xerox printers. Simple how the tool works. It's made up of four pieces. You have the praeda.pl, which is a dispatcher. You have individual modules designed to go against certain model types.
35:42
You feed it a target file list or yeah, a target list of all the IPs or printers that you wanna run this attack against. And you have a data file which does fingerprinting. The data file, this is a structure of the data file. There's four plus fields in the data file. The first field is nothing more than a sequence number.
36:02
The second and third field is the method we use for fingerprinting. And the way that works is it pulls, the second field looks at the title page of the multifunction printer. The third field looks at the server type. And that works probably about 80, 85% of the time on fingerprinting specific models or model series.
36:23
And then fields four, five, six, continuing out there, are the actual modules that are actually used to launch the attacks with. So generally, the tool syntax is praeda.pl, the target file, the TCP port you wanna go to, whether it's 80, 443, 8080, 8000.
36:41
And then also the project name, what you wanna call the project. So that creates a folder, project name creates a folder. And the output file is a log file that's generated. So all the data this thing gathers writes it into the project folder. And also the output log file writes what's taking place. And in some of the modules where it extracts specific passwords out,
37:01
it'll write it into the output log. So this queries the printers in the target list. If a match is found, the data, the device is attacked, the information is pulled and stored in this method here. So where do we see Praeda going moving forward in the future?
37:23
The goal here is, as we had mentioned with the Xerox, the password encryption part of that. So we have an ongoing project there to evaluate that and see if we can figure that out. Also, a number of other printers have actually started the backup clone files
37:43
that it generates are all encrypted. But the fact is that you enter the password to do the encryption. So it's just a matter of figuring out what encryption they have. You have the password, you could easily decrypt it. So probably analyzing that and trying to find various methods to do that. Once we find those for the different models,
38:01
we'll build modules to pull the encrypted file and decrypt it and save it for you. We also have talked about actually working on migrating this code over to Ruby. Right now I'm kind of holding off on that. And we're gonna stick with working in Perl. And the main thing is, I want to see this project go to critical mass.
38:22
Right now we have 17 modules, 40 plus different printer device models we go to. But the thing is I want the tool to be a valid usable tool for pen testers. So we're looking for people to jump in, add value to this. Let's work on actually growing this.
38:41
Once it reaches critical mass where it becomes a real valid tool used by enough people, then we'll go ahead and reanalyze it. Is Perl the best option? Is Ruby a better option? Could it be incorporated into other tools? Or could it be written in Python? So right now we're gonna stick with the Perl and move forward from there.
39:04
Also, we've been looking at developing other modules besides just printers, multifunction printer devices. There's all kinds of embedded devices sitting on our network. Everything from UPSs, SAN systems, cameras. Every one of these devices, we as pen testers,
39:22
have actually found usable data that can be extracted from these devices. So the goal is to expand this project also to actually include all of those type of devices also. And I plan on releasing probably about a half dozen or more modules
39:40
that go against network appliances next month when I present this in Bangalore, India. And I think that pretty much covers it. Looks like I went a little fast today. And we got a minute here.
40:00
I got a couple of T-shirts to give away. People like T-shirts, right? We have the Foofus.net T-shirts. And the thing is, you have to answer a question. So real quick, it's fairly easy.
40:23
What's the default password? You have to raise your hand because obviously everyone's gonna say, what's the default password for most WorkCentre printers? A gentleman back there in a blue shirt right here, yeah. Okay, I have an extra large here.
40:45
You can take one of these. And I think the other one's a 2X. There's a 2X. Also, one more. Okay, what's the default password for a Toshiba eStudio printer? No.
41:01
That's it. Looks like you got stuck with a 2X. I'm sorry. So if anyone has any questions, we'll be over in the question and answer room too. And please come on over and we'll discuss this further.
41:21
And I hope to hear some input from everybody. Catch you later.