plunder pillage print
play

Plunder Pillage & Print THE ART OF LEVERAGING - PowerPoint PPT Presentation

Aug 15, 2023 •105 likes •750 views

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS DURING PENETRATION TESTING Deral Heiland Pete Arzamendi deral_heiland@rapid7.com peter_arzamendi@rapid7.com @Percent_x @TheBokojan

  1. Plunder Pillage & Print THE ¡ART ¡OF ¡LEVERAGING ¡MULTIFUNCTION ¡PRINTERS ¡DURING ¡PENETRATION ¡TESTING ¡ Deral Heiland Pete Arzamendi deral_heiland@rapid7.com peter_arzamendi@rapid7.com @Percent_x @TheBokojan

  2. Introduction • Deral ¡Heiland ¡“@Percent_X” ¡ • Senior ¡Security ¡Consultant ¡Rapid7 ¡ • Dayton, ¡Ohio ¡ • 20+ ¡years ¡IT ¡ • 6+ ¡years ¡consultant/pentester ¡ ¡ • Pete ¡Arzamendi ¡“@thebokojan” ¡ • Senior ¡Security ¡Consultant ¡Rapid7 ¡ • AusMn, ¡TX ¡ • 14+ ¡year ¡IT ¡ • 5+ ¡years ¡consultant/pentester ¡ ¡

  3. Agenda • MulMfuncMon ¡Printers ¡(MFP) ¡aVack ¡vector ¡ • AVack ¡Examples ¡ • AutomaMng ¡the ¡aVacks ¡ • Reducing ¡the ¡risk ¡

  4. So Why Multi-Function Printer

  5. So Why Multi-Function Printer What is it that all pentesters want USERNAMES PASSWORDS Which leads to shell

  6. So Why Multi-Function Printer • Since ¡becoming ¡the ¡printer ¡security ¡evangelist ¡ • 2010 ¡printer ¡hacking ¡success ¡during ¡pentesMng ¡ ▪ Gain ¡access ¡to ¡Windows ¡acMve ¡directory ¡user ¡account ¡less ¡then ¡10-­‑15% ¡ ▪ Gained ¡domain ¡admin ¡creds ¡rarely ¡ • 2014 ¡printer ¡hacking ¡success ¡during ¡pentesMng ¡ ▪ Gain ¡access ¡to ¡Windows ¡acMve ¡directory ¡user ¡account ¡45-­‑50%+ ¡ – Which ¡leads ¡to ¡gaining ¡Domain ¡Admin ¡access ¡25-­‑30% ¡ ▪ Gain ¡direct ¡domain ¡admin ¡creds ¡ ¡> ¡5% ¡

  7. So Why Multi-Function Printer • How is this possible ▪ Usage tracking ▪ Scan to email ▪ Scan to file ▪ LDAP authentication ▪ Remote firmware upgrades • Printer need access to credentials for these features to work correctly • So let us Plunder Pillage & Print our way to SHELL

  8. Plunder

  9. Plunder plun · der [pluhn-der] 1. To rob of goods or valuables by open force, as in war, hostile raids, brigandage, etc.: to plunder a town. 2. To rob, despoil, or fleece: to plunder the public treasury.

  10. Plunder • Pulling user data • What kind of data can we get that will help with the assessment? ● Usernames ● Applications ● Hostnames

  11. Plunder Examples: Dell Gives up usernames, applications, and client hostname Xerox Gives up usernames and applications HP Gives up usernames and applications

  12. Dell Exposing Usernames, Applications, and Hostnames

  13. Xerox Exposing Usernames and Applications

  14. HP Exposing Usernames and Applications

  15. Pillage

  16. Pillage pil · lage verb (used with object), pil · laged, pil · lag · ing. 1. To strip ruthlessly of money or goods by open violence, as in war; plunder: The barbarians pillaged every conquered city. 2. To take as booty. verb (used without object), pil · laged, pil · lag · ing. 3. To rob with open violence; take booty: Soldiers roamed the countryside, pillaging.

  17. - Pillage - Address Book Extraction Attacks

  18. Pillage • Address books • User name • Email Addresses • Passwords • Konica Minolta • Canon IR-ADV

  19. Pillage Canon ImageRunner Advanced • Canon IR-ADV • Exported address books can contain password ▪ Requires special setting • Passwords by default are encrypted during export ▪ Encryption settings are controlled on end user side ▪ So encryption can be turned off (FAIL)

  20. Pillage Canon ImageRunner Advanced • Canon IR-ADV enable password export

  21. Pillage Canon ImageRunner Advanced • Canon IR-ADV encrypt output password

  22. Pillage Canon ImageRunner Advanced • Canon IR-ADV address book export results

  23. Pillage Canon ImageRunner Advanced • Canon IR-ADV captured address book post request

  24. Pillage Canon ImageRunner Advanced • Canon IR-ADV captured address book request with web proxy

  25. Pillage Canon ImageRunner Advanced • Canon IR-ADV address book export results PWNED ¡

  26. Pillage Konica Minolta • Konica Minolta • Exported address books can contain passwords ▪ Not accessible via web console ▪ Managed via Konica Management application ▪ Soap message transactions ▪ TCP Ports 50001 50003

  27. Pillage Konica Minolta Step 1: Authenticate and retrieve session key

  28. Pillage Konica Minolta Reply: Valid authentication Responds with AuthKey

  29. Pillage Konica Minolta Step 2: Post request with Authkey Set and proper version

  30. Pillage Konica Minolta If all the pieces are correct the Konica will deliver data in plain text including : • PASSWORDS Effective in retrieving password for: • SMTP • SMB PWNED ¡ • FTP

  31. - Pillage - The Pass-back Attack

  32. Pillage • Pass-back-attacks ¡ ¡ ¡ ¡ ¡Target ¡the ¡printers ¡authenMcaMon ¡services ¡ ¡ ¡ ¡ ¡ ● LDAP ¡ ¡ ● FTP ¡ ● SMB ¡(Windows ¡file ¡sharing) ¡ ● SMTP ¡

  33. Lets ¡focus ¡on ¡ ¡the ¡LDAP ¡Pass-­‑Back-­‑AVack ¡ PWNED Change IP Address LDAP Auth Trigger LDAP lookup LDAP Reply Capture Plain Text Password

  34. Xerox LDAP Pass-Back-Attack Example: Executing a pass-back-attack against a Xerox ColorQube 9303 1. Login as admin user (Most Xerox’s are configured with an admin password … We’ll show you how to get this later...) 2. Access the ldap setting under Properties -> Connectivity -> Protocols 3. Change IP address to point to your system 4. Set up netcat listener on your system 5. Issue a search under User Mappings

  35. Xerox LDAP Setup Screen

  36. Xerox User Mappings

  37. Xerox Passing the Credentials PWNED ¡

  38. Sharp LDAP Pass-Back-Attack Example: Executing a LDAP pass-back-attack against a Sharp MX-4101N 1. Login as admin user (Most Sharp’s are configured with an admin password of admin) 2. Access the LDAP setting under Network Settings 3. Change IP address to point to your system 4. Set up netcat listener on your system 5. Issue a test connection

  39. Sharp LDAP Setup Screen

  40. Sharp LDAP Setup Screen

  41. Sharp Passing the Credentials

  42. Print

  43. Print print verb (used with object). 1. To produce (a text, picture, etc.) by applying inked types, plates, blocks, or the like, to paper or other material either by direct pressure or indirectly by offsetting an image onto an intermediate roller. 2. To reproduce (a design or pattern) by engraving on a plate or block. print verb (used with object). 1. The evil take over of a printer for the purpose of pillaging and plundering, accomplished using a print job over port 9100

  44. - Print - Xerox Workcentre Firmware Attack

  45. Print • Firmware attacks attack against Xerox • Xerox firmware files “.dlm” are simple Tar file with XRX job ticketing header

  46. Print • Extract a Xerox workcentra firmware you can find some interesting files • opt/nc/dlm_toolkit • dlm_tookit is used to build DLM firmware packages and sign them

  47. Print • dlm_maker application

  48. Print Demo Video Print Job to Remote Root Shell

  49. Print • Detail white paper on Xerox firmware attack • http://h.foofus.net/goons/percx/Xerox_hack.pdf Vulnerable Xerox Models WorkCentre Pro 232/238/245/255/265/275 WorkCentre 232/238/245/255/265/275 WorkCentre Pro C2128/C2636/C3545 WorkCentre Pro 165/175 WorkCentre Pro M165/M175 WorkCentre Pro 32/40 Color WorkCentre Pro 65/75/90 WorkCentre Pro 35/45/55 WorkCentre M35/M45/M55 WorkCentre 5030 WorkCentre 5632/5635/5645/5655/5665/5675 WorkCentre 5735/5740/5745 WorkCentre 6400 WorkCentre 7655/7665/7675 WorkCentre 7755/7765/7775 ColorQube 9201/9202/9203 ColorQube 9301/9302/9303

  50. Praeda+ Metasploit= Praedasploit

  51. Praeda Praeda ¡(LaMn ¡for ¡ plunder, ¡booty, ¡spoils ¡of ¡war) ¡ Current ¡Praeda ¡version ¡(WriVen ¡in ¡Perl) ¡ ¡ Embedded ¡device ¡informaMon ¡harvesMng ¡tool ¡ • Enumerate ¡103 ¡devices/models ¡ • Fingerprints ¡devices ¡using: ¡ 1. Title ¡page ¡& ¡server ¡type ¡ 2. SNMP ¡ ¡

  52. Praeda How it works: • Scan network for embedded systems • Fingerprint embedded systems • Run Preada modules based on fingerprint • Gather data and log it

  53. Praeda • How we use it: • One of the first tools we run on an assessment • Use data harvested to gain foothold in environment • Success rate is pretty darn good. :)

  54. Metasploit • Easier to maintain and less decency issues • Captured data can be stored within Metasploit’s database for later use (ex: psexec and brute force modules) • Large community base. Easier for users to contribute their own printer pwning modules

  55. Praedasploit Beta Modules • Modules we have created: • Xerox LDAP pass-back module • Konica address book extract module • Dell and HP username extract module

  56. Praedasploit module example ExtracMng ¡usernames ¡from ¡a ¡HP ¡Color ¡LaserJet ¡CP3505 ¡ ¡

  57. Praedasploit module example ExtracMng ¡Address ¡books ¡from ¡Canon ¡IR-­‑ADV ¡ ¡

Recommend

Plunder of India India India no now is w is witnessing not witnessing not mer mere cor e

Plunder of India India India no now is w is witnessing not witnessing not mer mere cor e

Plunder of India India India no now is w is witnessing not witnessing not mer mere cor e corruption, uption, but na but national tional plunder plunder. Brahma Challeny, The Hindu, Dec 6, 2010 ESTIMATE OF DEPOSITS IN SAFE HAVENS

697 views • 56 slides
Welcome to Welcome Managed Print Anytime. Managed Print Print Print Anywhere. Services (MPS)

Welcome to Welcome Managed Print Anytime. Managed Print Print Print Anywhere. Services (MPS)

Welcome to Welcome Managed Print Anytime. Managed Print Print Print Anywhere. Services (MPS) Print Anything. Services Print Smart. Study Findings Campus Print Total of 3,453 Printers on Campus

510 views • 18 slides
Wildlife trafficking as the Crime of Pillage LINDA A. MALONE MARSHALL-WYTHE FOUNDATION PROFESSOR

Wildlife trafficking as the Crime of Pillage LINDA A. MALONE MARSHALL-WYTHE FOUNDATION PROFESSOR

Wildlife trafficking as the Crime of Pillage LINDA A. MALONE MARSHALL-WYTHE FOUNDATION PROFESSOR OF LAW WILLIAM AND MARY LAW SCHOOL WILDLIFE TRAFFICKING IS THE THIRD MOST LUCRATIVE ILLEGAL ENTERPRISE, BEHIND TRAFFICKING OF GUNS AND DRUGS

260 views • 14 slides
Three ways to print

Three ways to print

Three ways to print in Microsoft Office File/Print menu item Print toolbar button

196 views • 6 slides
Dont Fixate on the Gap Focus on the Plunder and the Root of Racial Wealth Inequality The

Dont Fixate on the Gap Focus on the Plunder and the Root of Racial Wealth Inequality The

Dont Fixate on the Gap Focus on the Plunder and the Root of Racial Wealth Inequality The typical White household has $150,000 nearly more in wealth than the typical Black and Latinx household Behind the Curtain: The Creation of

233 views • 21 slides
For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail

For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail

For ad hoc print and mail consolidation Receive, print and mail in one click! On average, mail volume has declined by 20% worldwide , over a period of 5 years.* *Source: PwC, 2013 Print facilities are There has been a decrease in print

269 views • 22 slides
web design print print print e grid system is an aid, not a guarantee. It permits a number

web design print print print e grid system is an aid, not a guarantee. It permits a number

web design print print print e grid system is an aid, not a guarantee. It permits a number of possible uses and each designer can look for a solution appropriate to his personal style. But one must learn how to use the grid; it is an art

357 views • 32 slides
PRINT JOURNALS CURRENT PRACTICES AND EFFECTIVENESS SYSTEMS IN PLACE FOR COLLATING PRINT USAGE

PRINT JOURNALS CURRENT PRACTICES AND EFFECTIVENESS SYSTEMS IN PLACE FOR COLLATING PRINT USAGE

PRINT JOURNALS CURRENT PRACTICES AND EFFECTIVENESS SYSTEMS IN PLACE FOR COLLATING PRINT USAGE STATISTICS Helen Monagle - Senior Assistant Librarian @HelenMonagle MY LIBRARY * Collection includes: -over 1,500 print journal titles, -over

422 views • 8 slides
An Introduction to XHTM L Print Presented to the W 3C Print Symposium 2006 Dean Anderson,

An Introduction to XHTM L Print Presented to the W 3C Print Symposium 2006 Dean Anderson,

An Introduction to XHTM L Print Presented to the W 3C Print Symposium 2006 Dean Anderson, Hewlett-Packard Company October 17, 2006 dean.anderson@ hp.com XHTML -Print So why does the world need another print language? W e already have:

428 views • 29 slides
Tim Berners-Lee Long Live the Web print print print System + Grid The Page order

Tim Berners-Lee Long Live the Web print print print System + Grid The Page order

T e primary design principle underlying the Webs usefulness and growth is universality . T e Web should be usable by people with disabilities. It must work with any form of information, be it a document or a point of data, and information

713 views • 60 slides
Exploring The Role of Print 21H.343 J / CC.120J Spring 2016 1 The Role of Print in an Age of

Exploring The Role of Print 21H.343 J / CC.120J Spring 2016 1 The Role of Print in an Age of

Renaissance Religion and Cartography: Exploring The Role of Print 21H.343 J / CC.120J Spring 2016 1 The Role of Print in an Age of Religious Reformation Th e s e image s are in the public domain. Erasmus, Novum Instrumentum , 1516 edition,

374 views • 21 slides
SELF-PUBLISHING, THE INDIE BOOKSTORE & ME 1. The Death of Print: An Exaggeration? 2. Print

SELF-PUBLISHING, THE INDIE BOOKSTORE & ME 1. The Death of Print: An Exaggeration? 2. Print

SELF-PUBLISHING, THE INDIE BOOKSTORE & ME 1. The Death of Print: An Exaggeration? 2. Print & Distribution: CreateSpace, Ingram Spark and the Espresso Book Machine 3. Selling Your Book at Indies: How Consignment Works 4. Formatuing Your

548 views • 53 slides
Functions Review: WWPD print(print(one) and 2 and print(tHrE3)) Call Expressions A

Functions Review: WWPD print(print(one) and 2 and print(tHrE3)) Call Expressions A

Functions Review: WWPD print(print(one) and 2 and print(tHrE3)) Call Expressions A call expression calls a function on its arguments. 1. 2. 3. wears_jacket(100, True) operator operands Call Expressions A call expression calls

657 views • 43 slides
Avera CE Portal How to print presentations Presentations are available to view and/or print before

Avera CE Portal How to print presentations Presentations are available to view and/or print before

Avera CE Portal How to print presentations Presentations are available to view and/or print before an education activity that you are registered for by going to the Syllabus. Login by clicking the following link: http://avera.cloud-cme.com. Click

368 views • 3 slides
Print. Winters, Charlene R. Lifting Mali. BYU Magazine Fall 2010: 36-41. Print.

Print. Winters, Charlene R. Lifting Mali. BYU Magazine Fall 2010: 36-41. Print.

Bradbury, Ray. Fahrenheit 451 . The 50 th Anniversary Edition. New York: Ballantine Books, 1953. Print. Winters, Charlene R. Lifting Mali. BYU Magazine Fall 2010: 36-41. Print. Concentration Camps 1933 - 1939. Holocaust Encyclopedia .

597 views • 20 slides
A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b ina r will sta rt a t 11:00a m PT / 2:00 pm E T . T he a udio will stre a m thro ug h yo ur c o mpute r spe a ke rs yo u sho uld b e he a

710 views • 24 slides
J ob Monitoring MIB Need for monitoring print jobs in devices and servers Proposal for a new

J ob Monitoring MIB Need for monitoring print jobs in devices and servers Proposal for a new

Problem Statement J ob Monitoring MIB Need for monitoring print jobs in devices and servers Proposal for a new standards track status of print jobs project progress of print jobs Developed by Printer MIB participants accounting

187 views • 4 slides
Graphics! def f(p, q): def main(): print(2 * q + p) i = 10 j = 3 f(i, j) def g(c, d): f(j,

Graphics! def f(p, q): def main(): print(2 * q + p) i = 10 j = 3 f(i, j) def g(c, d): f(j,

Graphics! def f(p, q): def main(): print(2 * q + p) i = 10 j = 3 f(i, j) def g(c, d): f(j, i) if c > d: g(i * 2, j) print(c - d) g(i, i) else: print(d - c) # What is the output # of this program? Using graphics in Python Many

659 views • 6 slides
Datafun Michael Arntzenius 1 Neel Krishnaswami 2 1 University of Birmingham 2 University of

Datafun Michael Arntzenius 1 Neel Krishnaswami 2 1 University of Birmingham 2 University of

Datafun Michael Arntzenius 1 Neel Krishnaswami 2 1 University of Birmingham 2 University of Cambridge ICFP 2016 1 2 3 4 # can be replaced by print 0 print c 5 # but this cant print x 6 1 x = 0 x := 0 2 3 4 print c 5 print x 6

859 views • 43 slides
Oc Colorado 1640 1 Roll-to-roll print is growing Forecasted worldwide ES/LX/UV print volumes

Oc Colorado 1640 1 Roll-to-roll print is growing Forecasted worldwide ES/LX/UV print volumes

Oc Colorado 1640 1 Roll-to-roll print is growing Forecasted worldwide ES/LX/UV print volumes m2 printed (M) Source: IT Strategies WF Ink Jet Graphics Summary 2015 Turn-around times shorter than ever 24 48 hours 21% What percentage

492 views • 37 slides
Cooperative Print Management in North America A Proposal January 15, 2010 ALA Midwinter

Cooperative Print Management in North America A Proposal January 15, 2010 ALA Midwinter

Cooperative Print Management in North America A Proposal January 15, 2010 ALA Midwinter Boston, MA [The] library community should aggregate the work of existing mechanisms for print storage, de-duplication, and preservation, so that print

402 views • 15 slides
Emma Tuddenham FESPA Associations Manager Thank you Innovations in Print Europes first

Emma Tuddenham FESPA Associations Manager Thank you Innovations in Print Europes first

Emma Tuddenham FESPA Associations Manager Thank you Innovations in Print Europes first 3D printed building Its in Denmark! Innovations in Print Pop up recyclable posters which grow seeds Innovations in Print High speed single pass

890 views • 50 slides
Metro Print A full in-store portal providing access to all styles or print materials, from shelf

Metro Print A full in-store portal providing access to all styles or print materials, from shelf

Metro Print A full in-store portal providing access to all styles or print materials, from shelf edge labels, stickers, barkers, talkers and signage. Integration with ERP, price and product information ensuring accuracy and adherence to

605 views • 22 slides
C R E A T I V E A D V E R T I S I N G A G E N C Y & P R I N T I

C R E A T I V E A D V E R T I S I N G A G E N C Y & P R I N T I

C R E A T I V E A D V E R T I S I N G A G E N C Y & P R I N T I N G H O U S E OFFSET & DIGITAL PRINT, ECOPRINT, PRINT ON DEMAND Products and services we offer: - Layout and graphic design - Book

338 views • 5 slides

More recommend