Penetration Testing mailing list archives
Re: Printer Attacks
From: The Doctor <drwho () virtadpt net>
Date: Tue, 08 Nov 2011 12:47:13 -0500
On 11/07/2011 03:53 PM, doc tarrow wrote:
> The primary goal as I understand things currently, is to gather valid user credentials. Naturally, compromised credentials represent serious
If those are the terms of engagement of the penetration test, then yes, that seems like a reasonable primary goal. If the terms of engagement are more detailed or broad than that, then gathering user credentials may be only a means to an end.
> Now the hard part. I have to relate this risk to our risk management and net ops people. In some respects, it seems that simply applying common sense to our printer hardening practice is all that's required to reduce (eliminate?) risk. That said, it seems forceful browsing is
What if the firmware of the devices in question does not allow for doing so, but mitigation would contradict a business requirement?
> At the risk of receiving replies telling me to just do my job, I'm curious. Do any of you actively attack printer systems? If so, how are
If networked multifunction printers are not specifically excluded from the target set, yes, I do go after them. Not as primary targets, mind you, but they have their uses.

In the fairly recent past I used a couple of older networked printers for FTP bounce attacks that were used to go after other targets. I also came across a few networked printers that I was able to FTP into and peruse the print queues on the hard drives. While it was not a traditional compromise in any sense, I did download and later present to my client a DVD-ROM full of documents (some three or four years old) that they considered sensitive that had been sitting on the unit's hard drive, accessible to anyone who spent thirty seconds guessing passwords.

Networked devices can also be a useful cover for hiding equipment smuggled into the target site and hidden in plain view. For example, attaching a wireless access point between the printer and the rest of the LAN often went unnoticed (perfect for sneaking right into the core of the client's network); in a pinch, the excuse "The cable wasn't long enough, so I put in an Ethernet switch and a three foot CAT-6 until we get a longer one," worked. I rather doubt that tucking a netbook behind a networked printer or fax machine with a sticky that reads "PRINT SERVER: DO NOT TOUCH" would still work these days, though.

--
The Doctor [412/724/301/703]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
"The spice must flow."
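For the net ops side of the question, the FTP bounce use of printers mentioned in the message above can be checked for in FTP control traffic. The following is an added example, not part of the original post: it flags PORT commands that name a host other than the client or a port below 1024, the two conditions RFC 2577 discusses as protections against bounce attacks. The event format (client IP, command) and all sample addresses are constructed for illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): the client tells the server where to
# open the data connection.
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)


def parse_port(command):
    """Return (ip, port) from a PORT command, or None if it is not a valid one."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def find_bounce_candidates(events):
    """events: iterable of (client_ip, command) from FTP control traffic.

    Flags PORT commands naming a host other than the client itself, or a
    port below 1024.
    """
    findings = []
    for client_ip, command in events:
        parsed = parse_port(command)
        if parsed is None:
            continue
        target_ip, target_port = parsed
        reasons = []
        if target_ip != ipaddress.IPv4Address(client_ip):
            reasons.append("third-party address")
        if target_port < 1024:
            reasons.append("privileged port")
        if reasons:
            findings.append((client_ip, str(target_ip), target_port, reasons))
    return findings


# Constructed sample: commands seen by a printer's FTP service.
SAMPLE = [
    ("10.0.5.20", "USER anonymous"),
    ("10.0.5.20", "PORT 10,0,5,20,195,80"),  # client's own address, port 50000
    ("10.0.5.77", "PORT 10,0,9,14,0,22"),    # other host, port 22
    ("10.0.5.77", "PORT 10,0,9,15,31,144"),  # other host, port 8080
]

if __name__ == "__main__":
    for finding in find_bounce_candidates(SAMPLE):
        print(finding)
```

Where clients reach the printer through NAT without an FTP helper, the address in PORT can legitimately differ from the source address seen by the server, so third-party findings from such segments need a second look.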