Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Shmoocon

Shmoocon 2011: Printer to Pwnd


Printer to PWND: Leveraging Multifunction Printers During Penetration Testing

(Deral Heiland “PercX” and Pete Arzamendi “Bokojan”)

History of printers

1969 – Xerox creates the first printer
March 1991 – HP LaserJet IIISi, the worlds first networked printer
1987 – Xerox Printer 100, the first multifunction printer
MFP functions and features
Looking for features that can be exploited to assist in penetration testing
  • Email
    • Server Settings
    • Address Book
  • Fax
    • Inbound/Outbound
  • Scanning
    • SMB Authentication
      • System
      • Users
    • FTP
  • LDAP
    • Access credentials
  • Logging
    • Usernames
  • Remote retrieval of print/fax/scan
Systems looked at in this presentation .:
  • Example system: Toshiba
Various settings when accessing the HTTP interface, including access to view credentials and system/network settings
  • Example system: Canon imageRUNNER
Ability to configure things like LDAP, as well as exporting settings to make things easier to rollout across systems!
  • Example system: HP Colour LaserJet CP4005
Tracks individual usernames of people printing
Uses LDAP for validation and to fill in address books etc…
Ability to clone device for ease of creating multiple printers. Export for settings!

MFP flaws and vulnerabilities

Security Bypass
Despite a large number of systems being configured to use default accounts.
If the password isn’t default you can bypass the system by insert an addition / into the URL at which point you can directly call Administrative functions.
HP Offiejet has a similar issue where directly calling a page=faxaddr results in a username/password prompt. Changing the URL to add an additional page=xxx to the URL (e.g. page=xxx&page=faxaddr the username/password prompt is avoided and access is granted.
Canon imageRUNNER. Altering the ACL=1 parameter grants a bypass on several models depending on firmware.
A lot of system seem to have these kind (forced browsing) type flaws.
Xerox supports a clone device function. http://target:8080/cloning.dlm
If a clone has been made of this machine, you can directly access the clone copy without requiring username/password.
The format is encrypted in most cases. Currently under investigation.
Extracting settings
The Canon supports exporting of settings. As you’d expect this shows usernames and settings. However (depending on configuration) these exports also include clear-text passwords.
Information Leaks
Many printers within the administrative console, hide passwords using *****, however the password is present in clear text within the HTML source!

Leveraging MFP during penetration testing

Example 1
Leveraging HP to gain domain access
  • HP Colour LaserJet CP4025
  • Extract users’ names from colour job log
  • User with weak password
  • Access to workstation
  • Domain Admin token
Total compromise of the environment through information disclosure on an MFP device
Example 2
Leveraging Toshiba to get payroll data
  • Toshiba e-Studio
  • Extract password from scan-to-file function
  • Gain access to AD domain
  • Gain access to a number of folders/shares/files
  • Access to one special file share “Payroll Backup”

Access to scanned records and payroll backups (SQL DB dumps)

Further access was possible through password re-use (ended in total Domain Admin access)

Example 3
Leveraging Canon to gain domain controller access
  • Canon imageRUNNER
  • Extract LDAP settings
  • Enumerate domain user info
  • Remote Desktop access to all server
Leveraging fax to pwn the network
  • OfficeBridge – Fax System
  • First device we found credentials stored on
  • Extract password from LDAP (Base64 encoded)
  • Account was Domain Admin account

Workflow for attacking/testing printers

Development of an auto-harvesting tool ‘PRAEDA’

Designed to automate some of the information gathering from network appliances through web-management interfaces
  • printers
  • network appliances
Written in PERL (currently in BETA)
Goal was to create a simplistic tool that was modular
Has modules for the examples discussed and others.
Currently enumerated about a dozen different models of printers using Title page and Server type responses from the printer management page.
Currently researching encryption methods used by some vendors for backup and clone processes (HP / Xerox)
Looking to migrate code to Ruby – early stages are already in progress
Currently not multi-threaded, but it will be!


This tool has already been used in active penetration tests, but needs community support to implement new modules.
There is a mailing-list to discuss this and the Foofus.net tools (http://lists.foofus.net)
Currently looking for feedback on DELL printers!


  • Change password from default
  • Isolate printers on a VLAN
  • Patch printers when new software is available
  • Use accounts with limited access (write only)


Shmoocon 2011

Well it’s that time of year again, only a week till the yearly Shmoocon conference kicks off. After fighting my way through the ticket buying process, a friend of mine helped me to secure a couple of tickets. So once again, I’ll be headed over the pond to DC.

Just taking a look at the schedule for this years conference shows that Shmoocon is no ordinary conference. There’s a great mix of new talks, and more than the fair share of new faces. I, for one, think this is a great thing. I spoke a few years back about the pattern of the same speakers, covering the same topics over and over again. It’s nice to see conferences like BSides, Shmoocon and others (DerbyCon ???) really reaching out an awarding talks based on the topics and research, instead of the name behind the talk!

Anyway, I’m rambling… as usual. So here’s a few talks I’m looking forward to at Shmoocon.

I’m also looking forward to hearing something from Johnny Long. He’s been out in the world doing good as best he can for a long time now, which is more than I can say for most of us (myself included). Lets hope this trip renews some of the well needed support for the hackers for charity project!

Hope to see you in DC…

Eurotrash Microcasts – Shmoocon

Nothing in life goes completely to plan, and the Microcasts (affectionately called MicroTrash, by me at least) were nothing different. I had planned to collect a microphone I’d ordered and grab a few quiet moments at Shmoocon to chat to people and get some quick interviews. With that plan in my head, I firmly forgot my mic at the hotel, and when I did retrieve it, I had no time to talk to anybody. Still all was not lost. Since I got back from Washington I’ve taken the time to record a few interviews that I should have done while at Shmoocon. I’ve learnt a lot, about one-on-one interviewing, about editing, about iTunes and it’s tickled XML feed format… most of all, I’ve learnt that I say ahhhh and ummmm way too much!

Anyway, for those interested, here are direct links to the 3 Shmoocon Eurotrash Microcasts.

  • Microcast 1: An interview with Robin Wood – MP3
    • In this interview I chat to Robin Wood about his Social Zombies talk at Shmoocon, his current projects and what the future holds
  • Microcast 2: An interview with Dan Crowley – MP3
    • Dan was nice enough to run through his “Windows File Pseudonyms” talk and give some great technical content
  • Microcast 3: An interview with Doug Wilson – MP3
    • In the last of this series, I talked to Doug Wilson from Mandiant about the OWASP Broken Web Application project (http://owaspbwa.org)

Hopefully I’ll be a little more prepared for Blackhat Europe. Here’s hoping that I manage to record something.

Please let me know what you think of the Microtrash format –> feedback [AT] eurotrashsecurity [DOT] eu

If you want to subscribe to the Eurotrash Security Podcast, you can find it in iTunes, or just at the easy to find XML file to your favourite Podcast grabber

Shnooowcon – What the Washington snow teaches us about InfoSec

Jayson was no bikini model, but he did his best

Jayson was no bikini model, but he did his best

Unlike the snow in Washington, Shmoocon has come and gone. What an experience… People always said it was a one of the best conferences to attend, and now I know why. Everybody there was friendly, knowledgable and certainly up for a party. Just the right kind of environment to learn something new, meet new faces and catchup with others. Still, as I sit on a plane winging its way back to Austria, I can’t help but think about the total chaos caused by the Washington snow.

If you were anywhere near Washington the last few days you can’t fail but to have been effected by the snow storms and the resulting aftermath. As you can imagine, it was a source of much discussion at Shmoocon, especially for me and Benny (@security4all), as we were booked into a hotel 10 minutes walk from the conference. That’s 10 minutes without the snow 😉

In among these discussions, an idea came up that intrigued me. If you think about it, the snow wasn’t the real problem. After all, lots of countries get this kind of snowfall on a regular basis. Personally, I deal with this kind of thing for ~4 months of the year back home in Austria. So what was the problem? what caused all this disruption? The problem was that Washington wasn’t prepared to deal with the issues that came up as a result of the snow. There was nobody to clear the streets, the airports couldn’t clear the runways, and the metro lines were blocked. This is all normal stuff, and if it snows regularly, you’ve got response plans in place. Everybody knows their roles, and does them well. In Washington, this kind of snow is such a rare occurence, that nobody knew what to do. At least that’s how it appeared from the point of view of an onlooker. There just wasn’t enough people ready to deal with things in a timely manner. Those that were ready didn’t have the resources or experience to deal with things quickly and well.

Gotta love regedit

Gotta love regedit

You can’t fail but see the connection to many of issues we face in information security. Some companies have a incident handling plan in place, others don’t. Everybody gets hit by a security breach sooner of later. How fast your company recovers is all about doing the work now, and not hoping that you can just work it out when it hits. If you’re left scrambling around at 3am, like we saw in Washington, then you’ve already lost the battle. Without planning your resources are going to waste. I saw people on the streets of Washington at 3am, shoveling snow off the pathways. Normally I’d applaud that. After all it was a quick response and it was pro-active. Clear the streets before the morning. However, it was still snowing as hard as before, so for every inch that was cleared, another 2 inches of snow were still to come. Add to that the fact that 10 or even 20 people with shovels aren’t going to make a dent in the amount of snow. A typical case of having  the right tool for the right job… or in this case, not having the right tool.

This is typical knee-jerk reaction to an issue. Get out there as quick as you can and clear it up. Still, what can you achieve if the cause of the problem (in this case snow) still isn’t resolved. If an attacker got into your servers, you wouldn’t start rebuilding them before you’d plugged the hole used to exploit them. It’s a vicious circle, that won’t stop until you plan for what could, and eventually will happen. Worse still, in Washington, they knew it was coming before hand, an advantage you won’t often get when it comes to attacks. I could draw analogies here to an IDS warning you of attack attempts, but I think you get my point here. I don’t know who first said it, but “If you fail to plan, you plan to fail”.