Written by: Joseph Sarkisian, GWAPT
Printer vulnerabilities are often minimized or disregarded, either because they’re too hard to fix or because the risks associated with them aren’t apparent. Sometimes our clients ask us to exclude them from scope entirely. But recent experiences in our penetration tests demonstrate why it’s critical to secure all assets, including Multi-Function Printers (MFP) and other Internet of Things (IoT) devices.
Real-Life Attack: Hacking an MFP
I was recently on an internal network penetration test where I was placed on a subnet with very little action—no typical user credentials floating around for me to intercept for a quick win, no weak devices, and very few hosts within my immediate grasp.
In situations like this, penetration testers are forced back to the more traditional, and often harder, workflow: enumerating the environment, scanning for open ports and running services across the network, and then leveraging an exploit or privilege escalation.
At this point, I started port scanning other subnets. What came back were the usual suspects like web servers, FTP servers, SSH, and a host of Windows services that were running. I like to visit web servers specifically, because oftentimes they’ll be hosting services that were never hardened before deployment, and therefore are configured to allow administrator access via default credentials. Printers and IoT devices are notorious for this.
Sure enough, I found several MFP devices that were never adequately hardened, allowing me to log in to their administrative interfaces via web browser:
These specific MFPs had a robust set of configuration options and features, which got me thinking that there must be a write-up or other research detailing ways to manipulate the device for malicious intent.
In short order, I came across a module in the Metasploit Framework (a ubiquitous penetration testing toolkit) that had been designed to retrieve plain text credentials from this specific device’s make and model via the management port, 50001, which hadn’t caught my attention during my initial port scan.
At this point, all I had to do was set the printer IP addresses and the administrator default credentials:
And after running the module across several of these MFPs, I was greeted with numerous sets of domain user credentials in plaintext. This was possible because of how the MFP stores address books that users can set on the device for frequently visited destinations internally via SMB, FTP, email, etc. The module uses this functionality to extract these stored account credentials that I could leverage during further testing, as in the image below.
I then accessed additional resources in the domain like any other basic user, since I was a domain user now.
It took no more than 30 minutes to go from my starting position to domain administrator after leveraging a misconfigured printer. And this was all because a printer’s password hadn’t been hardened before deployment.
Secure Your Systems, Prevent Attacks
So, how can you prevent these types of attacks?
- Have a robust process that administrators must execute to harden devices like IP cameras, scanners, smart productivity devices (such as Amazon Echo), and even smart appliances such as refrigerators that connect to your network before deployment
- Maintain a test environment that’s completely removed from the production network in order to test deployment configurations for adequate device security hardening
- Do your homework on any device you plan to purchase: research its known security issues, and consider how robust the vendor’s user support and update offerings are
- Practice Defense in Depth by ensuring that every layer of your network has adequate controls in place to prevent escalation by an attacker when another control malfunctions; there should be no single point of failure
- Make sure you’re properly segmenting your network so any known vulnerable or legacy devices can only be accessed by those hosts with explicit rights to do so
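As an added example (not from the original post), here is a defender’s check for the segmentation point above: it reads flow records and flags any host outside an approved management set that reaches a printer on its web admin ports or on the management port 50001 described earlier. The printer addresses, the allowlist, the port set and the log lines are all constructed for illustration.

```python
"""Audit flow records for printer management access from non-approved hosts.

Added example; not part of the original post. All addresses, the allowlist
and the sample flows are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: known MFPs and the hosts permitted to manage them.
PRINTERS = {"10.20.30.11", "10.20.30.12"}
MANAGEMENT_HOSTS = {"10.1.1.5"}        # assumed admin jump host / print server
MANAGEMENT_PORTS = {80, 443, 50001}    # web admin UI (assumed) and port 50001 from the post


def parse_flow(line):
    """Parse 'src_ip src_port dst_ip dst_port proto'; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, sport, dst, dport, proto = parts
    try:
        return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def find_violations(lines):
    """Return flows that reach a printer's management port from a non-approved host."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dst"] not in PRINTERS:
            continue
        if flow["dport"] in MANAGEMENT_PORTS and flow["src"] not in MANAGEMENT_HOSTS:
            violations.append(flow)
    return violations


def summarize(violations):
    """Map each printer to the sorted list of offending source hosts."""
    counts = defaultdict(set)
    for v in violations:
        counts[v["dst"]].add(v["src"])
    return {printer: sorted(srcs) for printer, srcs in counts.items()}


SAMPLE_FLOWS = [  # constructed flow records
    "10.1.1.5 51000 10.20.30.11 443 tcp",      # approved admin host: fine
    "10.50.7.23 40222 10.20.30.11 50001 tcp",  # workstation hitting the mgmt port
    "10.50.7.23 40223 10.20.30.12 80 tcp",     # same host on the web admin UI
    "10.50.7.99 9100 10.20.30.11 9100 tcp",    # ordinary print job traffic: allowed
    "garbage line",                            # malformed record, skipped
]

if __name__ == "__main__":
    for printer, srcs in summarize(find_violations(SAMPLE_FLOWS)).items():
        print(f"{printer}: unexpected management access from {', '.join(srcs)}")
```

Feeding real flow or firewall logs into `find_violations` gives a quick list of which segments can still reach printer management interfaces and therefore where the ACLs still need tightening.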
While I leveraged one kind of MFP, there are hundreds of these devices of varying makes and models that are vulnerable to similar kinds of attacks—along with their very own publicly available exploits. When this issue is broadened to the larger category of IoT devices in general, the attack surface grows enormously. It may be easy to overlook the risks associated with these machines, but adequate preparation and security procedures must be implemented to prevent attackers from gaining a foothold through these seemingly risk-free devices.