plunder pillage print
play

Plunder Pillage & Print THE ART OF LEVERAGING - PowerPoint PPT Presentation

Aug 15, 2023 •105 likes •750 views

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS DURING PENETRATION TESTING Deral Heiland Pete Arzamendi deral_heiland@rapid7.com peter_arzamendi@rapid7.com @Percent_x @TheBokojan

  1. Plunder Pillage & Print THE ¡ART ¡OF ¡LEVERAGING ¡MULTIFUNCTION ¡PRINTERS ¡DURING ¡PENETRATION ¡TESTING ¡ Deral Heiland Pete Arzamendi deral_heiland@rapid7.com peter_arzamendi@rapid7.com @Percent_x @TheBokojan

  2. Introduction • Deral ¡Heiland ¡“@Percent_X” ¡ • Senior ¡Security ¡Consultant ¡Rapid7 ¡ • Dayton, ¡Ohio ¡ • 20+ ¡years ¡IT ¡ • 6+ ¡years ¡consultant/pentester ¡ ¡ • Pete ¡Arzamendi ¡“@thebokojan” ¡ • Senior ¡Security ¡Consultant ¡Rapid7 ¡ • AusMn, ¡TX ¡ • 14+ ¡year ¡IT ¡ • 5+ ¡years ¡consultant/pentester ¡ ¡

  3. Agenda • MulMfuncMon ¡Printers ¡(MFP) ¡aVack ¡vector ¡ • AVack ¡Examples ¡ • AutomaMng ¡the ¡aVacks ¡ • Reducing ¡the ¡risk ¡

  4. So Why Multi-Function Printer

  5. So Why Multi-Function Printer What is it that all pentesters want USERNAMES PASSWORDS Which leads to shell

  6. So Why Multi-Function Printer • Since ¡becoming ¡the ¡printer ¡security ¡evangelist ¡ • 2010 ¡printer ¡hacking ¡success ¡during ¡pentesMng ¡ ▪ Gain ¡access ¡to ¡Windows ¡acMve ¡directory ¡user ¡account ¡less ¡then ¡10-­‑15% ¡ ▪ Gained ¡domain ¡admin ¡creds ¡rarely ¡ • 2014 ¡printer ¡hacking ¡success ¡during ¡pentesMng ¡ ▪ Gain ¡access ¡to ¡Windows ¡acMve ¡directory ¡user ¡account ¡45-­‑50%+ ¡ – Which ¡leads ¡to ¡gaining ¡Domain ¡Admin ¡access ¡25-­‑30% ¡ ▪ Gain ¡direct ¡domain ¡admin ¡creds ¡ ¡> ¡5% ¡

  7. So Why Multi-Function Printer • How is this possible ▪ Usage tracking ▪ Scan to email ▪ Scan to file ▪ LDAP authentication ▪ Remote firmware upgrades • Printer need access to credentials for these features to work correctly • So let us Plunder Pillage & Print our way to SHELL

  8. Plunder

  9. Plunder plun · der [pluhn-der] 1. To rob of goods or valuables by open force, as in war, hostile raids, brigandage, etc.: to plunder a town. 2. To rob, despoil, or fleece: to plunder the public treasury.

  10. Plunder • Pulling user data • What kind of data can we get that will help with the assessment? ● Usernames ● Applications ● Hostnames

  11. Plunder Examples: Dell Gives up usernames, applications, and client hostname Xerox Gives up usernames and applications HP Gives up usernames and applications

  12. Dell Exposing Usernames, Applications, and Hostnames

  13. Xerox Exposing Usernames and Applications

  14. HP Exposing Usernames and Applications

  15. Pillage

  16. Pillage pil · lage verb (used with object), pil · laged, pil · lag · ing. 1. To strip ruthlessly of money or goods by open violence, as in war; plunder: The barbarians pillaged every conquered city. 2. To take as booty. verb (used without object), pil · laged, pil · lag · ing. 3. To rob with open violence; take booty: Soldiers roamed the countryside, pillaging.

  17. - Pillage - Address Book Extraction Attacks

  18. Pillage • Address books • User name • Email Addresses • Passwords • Konica Minolta • Canon IR-ADV

  19. Pillage Canon ImageRunner Advanced • Canon IR-ADV • Exported address books can contain password ▪ Requires special setting • Passwords by default are encrypted during export ▪ Encryption settings are controlled on end user side ▪ So encryption can be turned off (FAIL)

  20. Pillage Canon ImageRunner Advanced • Canon IR-ADV enable password export

  21. Pillage Canon ImageRunner Advanced • Canon IR-ADV encrypt output password

  22. Pillage Canon ImageRunner Advanced • Canon IR-ADV address book export results

  23. Pillage Canon ImageRunner Advanced • Canon IR-ADV captured address book post request

  24. Pillage Canon ImageRunner Advanced • Canon IR-ADV captured address book request with web proxy

  25. Pillage Canon ImageRunner Advanced • Canon IR-ADV address book export results PWNED ¡

  26. Pillage Konica Minolta • Konica Minolta • Exported address books can contain passwords ▪ Not accessible via web console ▪ Managed via Konica Management application ▪ Soap message transactions ▪ TCP Ports 50001 50003

  27. Pillage Konica Minolta Step 1: Authenticate and retrieve session key

  28. Pillage Konica Minolta Reply: Valid authentication Responds with AuthKey

  29. Pillage Konica Minolta Step 2: Post request with Authkey Set and proper version

  30. Pillage Konica Minolta If all the pieces are correct the Konica will deliver data in plain text including : • PASSWORDS Effective in retrieving password for: • SMTP • SMB PWNED ¡ • FTP

  31. - Pillage - The Pass-back Attack

  32. Pillage • Pass-back-attacks ¡ ¡ ¡ ¡ ¡Target ¡the ¡printers ¡authenMcaMon ¡services ¡ ¡ ¡ ¡ ¡ ● LDAP ¡ ¡ ● FTP ¡ ● SMB ¡(Windows ¡file ¡sharing) ¡ ● SMTP ¡

  33. Lets ¡focus ¡on ¡ ¡the ¡LDAP ¡Pass-­‑Back-­‑AVack ¡ PWNED Change IP Address LDAP Auth Trigger LDAP lookup LDAP Reply Capture Plain Text Password

  34. Xerox LDAP Pass-Back-Attack Example: Executing a pass-back-attack against a Xerox ColorQube 9303 1. Login as admin user (Most Xerox’s are configured with an admin password … We’ll show you how to get this later...) 2. Access the ldap setting under Properties -> Connectivity -> Protocols 3. Change IP address to point to your system 4. Set up netcat listener on your system 5. Issue a search under User Mappings

  35. Xerox LDAP Setup Screen

  36. Xerox User Mappings

  37. Xerox Passing the Credentials PWNED ¡

  38. Sharp LDAP Pass-Back-Attack Example: Executing a LDAP pass-back-attack against a Sharp MX-4101N 1. Login as admin user (Most Sharp’s are configured with an admin password of admin) 2. Access the LDAP setting under Network Settings 3. Change IP address to point to your system 4. Set up netcat listener on your system 5. Issue a test connection

  39. Sharp LDAP Setup Screen

  40. Sharp LDAP Setup Screen

  41. Sharp Passing the Credentials

  42. Print

  43. Print print verb (used with object). 1. To produce (a text, picture, etc.) by applying inked types, plates, blocks, or the like, to paper or other material either by direct pressure or indirectly by offsetting an image onto an intermediate roller. 2. To reproduce (a design or pattern) by engraving on a plate or block. print verb (used with object). 1. The evil take over of a printer for the purpose of pillaging and plundering, accomplished using a print job over port 9100

  44. - Print - Xerox Workcentre Firmware Attack

  45. Print • Firmware attacks attack against Xerox • Xerox firmware files “.dlm” are simple Tar file with XRX job ticketing header

  46. Print • Extract a Xerox workcentra firmware you can find some interesting files • opt/nc/dlm_toolkit • dlm_tookit is used to build DLM firmware packages and sign them

  47. Print • dlm_maker application

  48. Print Demo Video Print Job to Remote Root Shell

  49. Print • Detail white paper on Xerox firmware attack • http://h.foofus.net/goons/percx/Xerox_hack.pdf Vulnerable Xerox Models WorkCentre Pro 232/238/245/255/265/275 WorkCentre 232/238/245/255/265/275 WorkCentre Pro C2128/C2636/C3545 WorkCentre Pro 165/175 WorkCentre Pro M165/M175 WorkCentre Pro 32/40 Color WorkCentre Pro 65/75/90 WorkCentre Pro 35/45/55 WorkCentre M35/M45/M55 WorkCentre 5030 WorkCentre 5632/5635/5645/5655/5665/5675 WorkCentre 5735/5740/5745 WorkCentre 6400 WorkCentre 7655/7665/7675 WorkCentre 7755/7765/7775 ColorQube 9201/9202/9203 ColorQube 9301/9302/9303

  50. Praeda+ Metasploit= Praedasploit

  51. Praeda Praeda ¡(LaMn ¡for ¡ plunder, ¡booty, ¡spoils ¡of ¡war) ¡ Current ¡Praeda ¡version ¡(WriVen ¡in ¡Perl) ¡ ¡ Embedded ¡device ¡informaMon ¡harvesMng ¡tool ¡ • Enumerate ¡103 ¡devices/models ¡ • Fingerprints ¡devices ¡using: ¡ 1. Title ¡page ¡& ¡server ¡type ¡ 2. SNMP ¡ ¡

  52. Praeda How it works: • Scan network for embedded systems • Fingerprint embedded systems • Run Preada modules based on fingerprint • Gather data and log it

  53. Praeda • How we use it: • One of the first tools we run on an assessment • Use data harvested to gain foothold in environment • Success rate is pretty darn good. :)

  54. Metasploit • Easier to maintain and less decency issues • Captured data can be stored within Metasploit’s database for later use (ex: psexec and brute force modules) • Large community base. Easier for users to contribute their own printer pwning modules

  55. Praedasploit Beta Modules • Modules we have created: • Xerox LDAP pass-back module • Konica address book extract module • Dell and HP username extract module

  56. Praedasploit module example ExtracMng ¡usernames ¡from ¡a ¡HP ¡Color ¡LaserJet ¡CP3505 ¡ ¡

  57. Praedasploit module example ExtracMng ¡Address ¡books ¡from ¡Canon ¡IR-­‑ADV ¡ ¡

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Plunder of India India India no now is w is witnessing not witnessing not mer mere cor e

Plunder of India India India no now is w is witnessing not witnessing not mer mere cor e

Plunder of India India India no now is w is witnessing not witnessing not mer mere cor e corruption, uption, but na but national tional plunder plunder. Brahma Challeny, The Hindu, Dec 6, 2010 ESTIMATE OF DEPOSITS IN SAFE HAVENS

697 views • 56 slides
Welcome to Welcome Managed Print Anytime. Managed Print Print Print Anywhere. Services (MPS)

Welcome to Welcome Managed Print Anytime. Managed Print Print Print Anywhere. Services (MPS)

Welcome to Welcome Managed Print Anytime. Managed Print Print Print Anywhere. Services (MPS) Print Anything. Services Print Smart. Study Findings Campus Print Total of 3,453 Printers on Campus

510 views • 18 slides
Wildlife trafficking as the Crime of Pillage LINDA A. MALONE MARSHALL-WYTHE FOUNDATION PROFESSOR

Wildlife trafficking as the Crime of Pillage LINDA A. MALONE MARSHALL-WYTHE FOUNDATION PROFESSOR

Wildlife trafficking as the Crime of Pillage LINDA A. MALONE MARSHALL-WYTHE FOUNDATION PROFESSOR OF LAW WILLIAM AND MARY LAW SCHOOL WILDLIFE TRAFFICKING IS THE THIRD MOST LUCRATIVE ILLEGAL ENTERPRISE, BEHIND TRAFFICKING OF GUNS AND DRUGS

260 views • 14 slides
Three ways to print

Three ways to print

Three ways to print in Microsoft Office File/Print menu item Print toolbar button

196 views • 6 slides
Dont Fixate on the Gap Focus on the Plunder and the Root of Racial Wealth Inequality The

Dont Fixate on the Gap Focus on the Plunder and the Root of Racial Wealth Inequality The

Dont Fixate on the Gap Focus on the Plunder and the Root of Racial Wealth Inequality The typical White household has $150,000 nearly more in wealth than the typical Black and Latinx household Behind the Curtain: The Creation of

233 views • 21 slides
For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail

For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail

For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail volume has declined by 20% worldwide , over a period of 5 years.* *Source: PwC, 2013 Print facilities are There has been a decrease in print

269 views • 22 slides
web design print print print e grid system is an aid, not a guarantee. It permits a number

web design print print print e grid system is an aid, not a guarantee. It permits a number

web design print print print e grid system is an aid, not a guarantee. It permits a number of possible uses and each designer can look for a solution appropriate to his personal style. But one must learn how to use the grid; it is an art

357 views • 32 slides
PRINT JOURNALS CURRENT PRACTICES AND EFFECTIVENESS SYSTEMS IN PLACE FOR COLLATING PRINT USAGE

PRINT JOURNALS CURRENT PRACTICES AND EFFECTIVENESS SYSTEMS IN PLACE FOR COLLATING PRINT USAGE

PRINT JOURNALS CURRENT PRACTICES AND EFFECTIVENESS SYSTEMS IN PLACE FOR COLLATING PRINT USAGE STATISTICS Helen Monagle - Senior Assistant Librarian @HelenMonagle MY LIBRARY * Collection includes: -over 1,500 print journal titles, -over

422 views • 8 slides
An Introduction to XHTM L Print Presented to the W 3C Print Symposium 2006 Dean Anderson,

An Introduction to XHTM L Print Presented to the W 3C Print Symposium 2006 Dean Anderson,

An Introduction to XHTM L Print Presented to the W 3C Print Symposium 2006 Dean Anderson, Hewlett-Packard Company October 17, 2006 dean.anderson@ hp.com XHTML -Print So why does the world need another print language? W e already have:

428 views • 29 slides
Tim Berners-Lee Long Live the Web print print print System + Grid The Page order

Tim Berners-Lee Long Live the Web print print print System + Grid The Page order

T e primary design principle underlying the Webs usefulness and growth is universality . T e Web should be usable by people with disabilities. It must work with any form of information, be it a document or a point of data, and information

713 views • 60 slides
Exploring The Role of Print 21H.343 J / CC.120J Spring 2016 1 The Role of Print in an Age of

Exploring The Role of Print 21H.343 J / CC.120J Spring 2016 1 The Role of Print in an Age of

Renaissance Religion and Cartography: Exploring The Role of Print 21H.343 J / CC.120J Spring 2016 1 The Role of Print in an Age of Religious Reformation Th e s e image s are in the public domain. Erasmus, Novum Instrumentum , 1516 edition,

374 views • 21 slides
SELF-PUBLISHING, THE INDIE BOOKSTORE & ME 1. The Death of Print: An Exaggeration? 2. Print

SELF-PUBLISHING, THE INDIE BOOKSTORE & ME 1. The Death of Print: An Exaggeration? 2. Print

SELF-PUBLISHING, THE INDIE BOOKSTORE & ME 1. The Death of Print: An Exaggeration? 2. Print & Distribution: CreateSpace, Ingram Spark and the Espresso Book Machine 3. Selling Your Book at Indies: How Consignment Works 4. Formatuing Your

548 views • 53 slides
Functions Review: WWPD print(print(one) and 2 and print(tHrE3)) Call Expressions A

Functions Review: WWPD print(print(one) and 2 and print(tHrE3)) Call Expressions A

Functions Review: WWPD print(print(one) and 2 and print(tHrE3)) Call Expressions A call expression calls a function on its arguments. 1. 2. 3. wears_jacket(100, True) operator operands Call Expressions A call expression calls

657 views • 43 slides
Avera CE Portal How to print presentations Presentations are available to view and/or print before

Avera CE Portal How to print presentations Presentations are available to view and/or print before

Avera CE Portal How to print presentations Presentations are available to view and/or print before an education activity that you are registered for by going to the Syllabus. Login by clicking the following link: http://avera.cloud-cme.com. Click

368 views • 3 slides
Print. Winters, Charlene R. Lifting Mali. BYU Magazine Fall 2010: 36-41. Print.

Print. Winters, Charlene R. Lifting Mali. BYU Magazine Fall 2010: 36-41. Print.

Bradbury, Ray. Fahrenheit 451 . The 50 th Anniversary Edition. New York: Ballantine Books, 1953. Print. Winters, Charlene R. Lifting Mali. BYU Magazine Fall 2010: 36-41. Print. Concentration Camps 1933 - 1939. Holocaust Encyclopedia .

597 views • 20 slides
A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b ina r will sta rt a t 11:00a m PT / 2:00 pm E T . T he a udio will stre a m thro ug h yo ur c o mpute r spe a ke rs yo u sho uld b e he a

710 views • 24 slides
Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to

Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to

NW Ministries Conference 2019 Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to that wont run away Me Romans 12:2 (NIV) 2 Do not conform to the pattern of this world, but be transformed by the

446 views • 28 slides
Art Build: Unit Tests and CMake Tools Ben Morgan LBNE Code LArSoft LArCore LArFoo LArBar ...

Art Build: Unit Tests and CMake Tools Ben Morgan LBNE Code LArSoft LArCore LArFoo LArBar ...

Art Build: Unit Tests and CMake Tools Ben Morgan LBNE Code LArSoft LArCore LArFoo LArBar ... FNAL SDK : art + (fhicl, ..., cpp0x) FNAL UPS : ups, gcc, ROOT, etc Linux/BSD OS LBNE Software Stack Working on FNAL SDK, Patrick on LArSoft

445 views • 17 slides
Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * ,

Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * ,

Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * , Abdulmajeed Alameer * , Phil McMinn + , William G. J. Halfond * * University of Southern California, USA + University of Sheffield, UK Work supported

989 views • 62 slides
XenRT XenSource XenSources Xen testing infrastructure Xen testing infrastructure James

XenRT XenSource XenSources Xen testing infrastructure Xen testing infrastructure James

Infrastructure Technology Product of the Year XenRT XenSource XenSources Xen testing infrastructure Xen testing infrastructure James Bulpin, XenSource Inc. james@xensource.com Xen Summit 8/Sep/2006 www.xensource.com What i is XenRT?

665 views • 31 slides
Electronic Systems Center I n t e g r i t y - S e r v i c e - E x c e l l e n c e Electronics

Electronic Systems Center I n t e g r i t y - S e r v i c e - E x c e l l e n c e Electronics

Electronic Systems Center I n t e g r i t y - S e r v i c e - E x c e l l e n c e Electronics Systems Center, Engineering and Integration Division Montgomery Information Technology Summit (MITS) Steve Wright Chief, ESC/ENI 25 May 2011 1

446 views • 11 slides
Improving NAMD Performance on Multi-GPU Platforms David J. Hardy Theoretical and Computational

Improving NAMD Performance on Multi-GPU Platforms David J. Hardy Theoretical and Computational

Improving NAMD Performance on Multi-GPU Platforms David J. Hardy Theoretical and Computational Biophysics Group Beckman Institute for Advanced Science and Technology University of Illinois at Urbana-Champaign http://www.ks.uiuc.edu/~dhardy/

572 views • 33 slides
Principles of Information Filtering in Metric Spaces Paolo Ciaccia and Marco Patella DEIS,

Principles of Information Filtering in Metric Spaces Paolo Ciaccia and Marco Patella DEIS,

Principles of Information Filtering in Metric Spaces Paolo Ciaccia and Marco Patella DEIS, Universit di Bologna Italy SISAP 2009 August 29-30 2009, Prague I nform ation Filtering The IF problem: Deliver to users only the

236 views • 21 slides
New proposals for the space-like experimental measurements of HVP and the lattice QCD data Marina

New proposals for the space-like experimental measurements of HVP and the lattice QCD data Marina

New proposals for the space-like experimental measurements of HVP and the lattice QCD data Marina Krsti Marinkovi First Workshop of the Muon g 2 Theory Initiative Fermilab, 2017, June 3-6 a HV P Proposals

368 views • 7 slides

More recommend