Penetration Testing mailing list archives

Re: Printer Attacks


From: The Doctor <drwho () virtadpt net>
Date: Tue, 08 Nov 2011 12:47:13 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/07/2011 03:53 PM, doc tarrow wrote:

> The primary goal as I understand things currently, is to gather
> valid user credentials. Naturally, compromised credentials
> represent serious

If those are the terms of engagement of the penetration test, then
yes, that seems like a reasonable primary goal.  If the terms of
engagement are more detailed or broader than that, then gathering user
credentials may be only a means to an end.

> Now the hard part. I have to relate this risk to our risk
> management and net ops people. In some respects, it seems that
> simply applying common sense to our printer hardening practice is
> all that's required to reduce (eliminate?) risk. That said, it
> seems forceful browsing is

What if the firmware of the devices in question does not allow for
doing so, but mitigation would contradict a business requirement?

> At the risk of receiving replies telling me to just do my job, I'm
> curious. Do any of you actively attack printer systems? If so, how
> are

If networked multifunction printers are not specifically excluded from
the target set, yes, I do go after them.  Not as primary targets, mind
you, but they have their uses.  In the fairly recent past I used a
couple of older networked printers for FTP bounce attacks that were
used to go after other targets.  I also came across a few networked
printers that I was able to FTP into and peruse the print queues on
the hard drives.  While it was not a traditional compromise in any
sense, I did download and later present to my client a DVD-ROM full of
documents (some three or four years old) that they considered
sensitive that had been sitting on the unit's hard drive, accessible
to anyone who spent thirty seconds guessing passwords.

Networked devices can also be a useful cover for hiding equipment
smuggled into the target site and hidden in plain view.  For example,
attaching a wireless access point between the printer and the rest of
the LAN often went unnoticed (perfect for sneaking right into the core
of the client's network); in a pinch, the excuse "The cable wasn't
long enough, so I put in an Ethernet switch and a three foot CAT-6
until we get a longer one," worked.  I rather doubt that tucking a
netbook behind a networked printer or fax machine with a sticky that
reads "PRINT SERVER: DO NOT TOUCH" would still work these days, though.

-- 

The Doctor [412/724/301/703]

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"The spice must flow."

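The FTP bounce technique mentioned in the reply above works because an FTP server that honours a PORT command will open the data connection to whatever address the command names, not necessarily the client that sent it. As an added example that is not part of the original thread, the following detector scans FTP control-channel log lines (the line format and the sample session are constructed and assumed) and flags PORT commands whose data address differs from the client, which is the signature a defender would look for on a printer's FTP service:

```python
import ipaddress
import re

# Constructed sample of FTP control-channel commands, in an assumed
# "<client_ip> -> <server_ip> <COMMAND> [args]" format such as a
# proxy or IDS might emit. The server here plays the role of a
# networked printer exposing FTP.
SAMPLE_LOG = """\
10.1.5.23 -> 10.1.9.40 USER anonymous
10.1.5.23 -> 10.1.9.40 PASS guest@
10.1.5.23 -> 10.1.9.40 PORT 10,1,5,23,4,1
10.1.5.23 -> 10.1.9.40 LIST
10.1.5.23 -> 10.1.9.40 PORT 10,1,20,7,0,22
10.1.5.23 -> 10.1.9.40 RETR queue/job0042.prn
10.1.5.23 -> 10.1.9.40 PORT 10,1,20,7,0,139
10.1.5.23 -> 10.1.9.40 STOR data.bin
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) (\S+)(?: (.*))?$")
PORT_RE = re.compile(r"^(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_arg(arg):
    """Decode the classic FTP PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    m = PORT_RE.match(arg.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def find_bounce_indicators(log_text):
    """Return PORT commands whose data address is not the client itself.

    A server that honours such a PORT connects to a third host on the
    client's behalf; that redirection is the mechanism of an FTP bounce,
    so each hit names the client, the FTP server and the host it was
    asked to reach."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, server, cmd, arg = m.groups()
        if cmd.upper() != "PORT" or arg is None:
            continue
        decoded = parse_port_arg(arg)
        if decoded is None:
            continue  # malformed PORT argument; not a bounce indicator by itself
        target_ip, target_port = decoded
        if ipaddress.ip_address(target_ip) != ipaddress.ip_address(client):
            findings.append({"client": client, "ftp_server": server,
                             "target": target_ip, "port": target_port})
    return findings
```

A hardening counterpart is to disable FTP on the device entirely or, where the firmware allows, to reject PORT addresses that do not match the control connection, which is what most modern FTP daemons do by default.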
