You are here

LDAP Passback Attacks: How to Secure Your Printers

Author: Joseph Sarkisian, GWAPT

When compiling an effective cybersecurity management program, companies often overlook the need to secure their printers or Internet of Things (IoT) devices—giving hackers an easy entry point for malicious attacks. Printers are rarely hardened, and even when a client’s asset management process is strong, organizations often see printer vendors arrive unannounced to work on the device, then often hard-reset it back to the default administrator password.

During many of our engagements, penetration testers have been able to easily compromise networks and enter systems through printers or IoT devices using default credentials, or by simply taking advantage of the weak security protocols present. Although these devices seem harmless, companies must be aware of the consequences of ignoring these assets in their cybersecurity programs.

I recently worked with a client that was confident in the security of their printers, cameras, and IoT devices, but fell prey to our use of a Lightweight Directory Access Protocol (LDAP) Passback Attack.

During a penetration test engagement, we often run port scans relatively early. Unhardened printers are extremely common, so I usually begin scanning a few ports that are often open (like 50001 and 9100). If I see these ports open in combination with 445 (Server Message Block), 80, or 443, I know I’ll be able to infiltrate their systems easily. I quickly found a Xerox WorkCentre printer live on the network:

After some quick research, I found that this printer, when not properly hardened with a strong administrator password, allowed for an LDAP Passback Attack. Sure enough, this printer had a default local administrator password set, allowing access.

Once I had admin access, I could re-route where this printer looked for LDAP queries, which would normally be done by a domain controller. However, as long as I had a listener set for port 389, I could get the printer to send its queries to me instead. Here’s the original IP address for network LDAP queries:

And here’s the re-routing of that IP address to my attack machine listening on port 389:

I then triggered an LDAP query from the printer. Luckily for me, this model printer had an actual user mapping lookup function that allowed an administrator to search for a network user for print jobs. I used it to search for a user that I knew didn’t exist, named “Wolf,” simply to trigger a search to my attacking host:

After I set up my listener, I clicked on the “Search” button above, which allowed me to capture the LDAP query from the printer using its “svc_scans” service account and plaintext password (the redacted portion at the end):

This was a valid domain account that I used to enumerate other users, groups, group memberships, and trust relationships. This account became a location from which I could perform other domain attacks that eventually led me to the domain administrator.

How to Prevent LDAP Attacks

  • Ensure you’re adequately preventing  printer vulnerabilities by implementing robust security protocols
  • Develop a process in which vendors must get written consent to perform routine maintenance on your devices; nobody should be touching these hosts without your team being aware of the date and time of their arrival and departure from the building or network
  • When the maintenance is complete, make sure your devices are hardened again with a strong administrator password
  • Ensure service accounts (in this case the svc_scans acct) are given only their minimum required privileges for operation

Conclusion

All devices must be locked down—no matter how harmless they seem. If it has an IP address on your network, then it belongs in your asset inventory and should be held to the same strong asset management processes that your Windows, Linux, ATMs, and all other hosts are held. In-depth defense is the key to network security, and should be distributed among printers and internet of things devices.