Security Notes
  • Whoami
  • Pentesting
    • WEP-Pen
      • Reconnaissance
      • Enumeration
      • OWSAP TOP 10
        • Injection
          • Cross Site Scripting
            • Cross Site Scripting
            • Exploitation
            • Protections
          • SQL Injection
            • SQL Injection Overview
          • NoSQL Injection
          • CRLF Injection
          • XML Injection
        • Broken Access Control
          • Path Traversal
          • Sensitive Cookie with Improper SameSite Attribute
          • Link Following
          • Incorrect Default Permissions
          • Information disclosure
          • CSRF
            • csrf checklist
          • 403 bypass
          • Exposure of WSDL File Containing Sensitive Information
          • bussiness logic checklist
          • 2FA bypass checklist
          • admin panal checklist
          • idor checklist
          • Authentication checklist
          • reset_password_checklist
          • ATO
        • Cryptographic Failures
          • Cryptographic Failure
          • Weak Encoding for Password
          • Improper Following of a Certificate's Chain of Trust
            • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
            • Transport Layer Security (TLS) and SSL **
          • Clear Text Transmission Of Sensitive Data
            • SSLStripping **
        • Insecure Design
        • Security Misconfiguration
          • CORS Miscofigration
          • Mail Server Misconfiguration
        • Vulnerable and Outdated Components
          • Using Components with Known Vulnerabilities
        • Identification and Authentication Failures
          • JWT Hacking
          • SAML Authentication bypass
        • Software and Data Integrity Failures
          • mass assignment
          • PostMessage Vulnerabilities
            • PostMessage Vulnerabilities
            • Blocking main page to steal postmessage
            • Bypassing SOP with Iframes - part 1
            • Bypassing SOP with Iframes - part 2
            • Steal postmessage modifying iframe location
        • Security Logging and Monitoring Failures
        • Server-Side Request Forgery (SSRF)
          • SSRF
      • Checklists
        • aem misconfiguration
        • exif_geo
        • xss
        • Session Management
        • Authorization
        • cookie
        • Django
        • Symfony
        • json
        • bypass rate limit
        • Rce
        • Register Page
      • eWPTXv2 Preparation
        • Encoding & Filtering
        • Evasion Basics
        • Cross-site scripting (XSS)
        • XSS Filter Evasion
        • Cross-site request forgery (CSRF
        • HTML5
      • API-Pen
        • API Discovry
        • Reverse Engineering API Documentation
        • Excessive Data Exposure
        • Vulnerability Scanning
        • API Authentication Attacks
          • Classic Authentication Attacks
          • API Token Attacks
        • API Authorization Attacks
          • Broken Object Level Authorization (BOLA)
          • Broken Function Level Authorization
        • Improper Assets Management
        • Mass Assignment
        • SSRF
        • Injection Attacks in API
        • Evasive Maneuvers
        • GraphQL Vulnerabilities
    • NET-Pen
      • Active Directory Pentesting
        • Active Directory Components
        • Initial Attack Vectors
          • LLMNR Poisoning
          • SMB Relay Attacks
          • IPv6 Attacks ( IPv6 DNS Takeover )
          • Printer Hacking
          • Methodology
          • Some Other Attacks
            • Zerologon (CVE-2020-1472)
            • PrintNightmare (CVE-2021-1675)
        • Post-Compromise Attacks
          • Pass Attacks
          • Kerberoasting Attack
          • Token Impersonation Attack
          • LNK File Attack
          • GPP / cPassword Attacks
          • Mimikatz
          • Methodology
        • We've Compromised the Domain
          • Dumping the NTDS.dit
          • Golden Ticket Attacks
          • Methodology
        • Case Study
        • Password Attacks
      • Attack Vectors by Port
        • FTP 21
        • SSH 22
        • Telnet 23 - 2323
        • SMTP 25
        • DNS 53
        • Kerberos 88
        • POP 110-995
        • RPC 111
        • Ident 113
        • NNTP 119
        • NetBIOS 137-138
        • SMB / Samba 135-139, 445
        • MSRPC 135
        • SNMP 161
        • LDAP 389,636
        • Modbus 502
        • OpenSSL 1337
        • Ms-SQL 1433
        • Oracle Listener 1521 1522 1529
        • NFS 2049
        • MySql 3306
        • RDP 3389
        • ADB Android Debug Bridge 5555
        • WinRM 5985 5986
        • VNC 5800 5900
        • Redis 6379
        • Unreal IRC 6667
        • Tomcat 8080
        • MongoDB 27017
        • http 80
      • Network basics
      • Information Gathering
      • Privilege Escalation
        • Windows Privilege Escalation
        • Linux Privilege Escalation
    • write-ups
      • How i found a Privilege Escalation via Impersonation Features feature
      • How I was able to discover ATO Via IDOR vulnerability
      • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  1. Pentesting
  2. NET-Pen
  3. Active Directory Pentesting
  4. Initial Attack Vectors

Printer Hacking

Passback Attacks

What is an MFP and MFP Hacking?

Multi-Function Peripherals (MFPs) are devices that offer several functions like printing, copying, scanning, and faxing. Despite their widespread use in offices. However, a successful breach of an MFP can lead to significant security findings, including:

  • Credential Disclosure

  • File System Access

  • Memory Access

MFPs, often found in corporate settings, come with network ports, USB drives, and iPad-like control panels. They integrate with corporate networks for functions like scanning to email or printing from network shares. These integrations expose valuable data and create potential vulnerabilities.

What Information is at Risk with an MFP?

MFPs are often linked to LDAP (Lightweight Directory Access Protocol), SMTP (Simple Mail Transfer Protocol), and network shares. These integrations provide:

  • Access control for print, copy, and scan functions.

  • Email lookup when using scan-to-email features.

  • Access to user home directories stored on the network.

MFP-LDAP Integration

  • LDAP helps MFPs look up email addresses or allow access to files on the network.

  • The MFP needs to have login credentials to access LDAP.

  • If someone can access the MFP settings, they can change the LDAP server to a malicious server and capture usernames and passwords.

The Pass-Back Attack

This is a method where an attacker changes the MFP settings in the Embedded Web Service (EWS) interface. By modifying the LDAP server configuration to point to a malicious LDAP server. instead of logging into the real system, the MFP sends the login info to the attacker.

Steps to Perform the Attack:

Access the EWS: Most MFPs come with default administrative credentials. You can find these in the Administrator Guide or use common defaults (e.g., admin/blank for HP printers, admin/admin for Ricoh).

  • https://github.com/RUB-NDS/PRET

  • https://github.com/percx/Praeda

  • http://www.hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet

Change the LDAP Server Address: Once authenticated, modify the LDAP server settings in the MFP configuration to point to a malicious server (e.g., your own machine running a Netcat listener on port 389).

Capture Credentials: The next time a user authenticates through the MFP (e.g., for scan-to-email), their LDAP credentials will be sent to the malicious server.

Attacking Other MFP Configurations

SMTP Server Attacks

MFPs (Multifunction Printers) are commonly configured to send emails directly from the device, such as or sending alerts. To perform this function, the MFP stores SMTP credentials (username and password) for authentication with an SMTP server.

If an attacker gains access to the MFP's settings, they can modify the SMTP server configuration to point to a malicious SMTP server they control. As a result, when the MFP attempts to send emails (such as scanning documents), the SMTP credentials used by the printer will be sent to the attacker’s server, allowing the attacker to capture these credentials.

Windows Sign-In Attack on MFPs

Many MFPs allow users to authenticate using Windows sign-in via an integrated domain controller (e.g., Active Directory). This method can be used to restrict access to the MFP based on the user's Windows credentials.

If an attacker is able to modify the domain controller settings within the MFP configuration, they can point the device to an attacker-controlled domain server. Once this change is made, the next time a legitimate user tries to log in to the MFP, their credentials (username and password) will be sent to the attacker's domain controller instead of the legitimate one.

resources

  • Printer Exploitation Toolkit (PRET): GitHub Repository

  • Praeda: GitHub Repository

  • Printer Security Testing Cheat Sheet: Hacking-Printers Wiki

PreviousIPv6 Attacks ( IPv6 DNS Takeover )NextMethodology

Last updated 6 months ago