From Default Printer Credentials to Domain Admin

Default credentials on critical systems such as public-facing portals (ERP systems, VPN gateways, firewall consoles, etc.) are something you would take seriously and act on immediately, right? What if the same were true for your printers? A lot of people consider default printer credentials trivial, something that won’t cause any harm. Well, I thought the same until my buddy Seth introduced me, earlier last year, to how I could use them to gain a foothold on a network. And interestingly enough, this is something we come across in almost every pentest engagement we are involved in.

First of all, locating default credentials is as easy as typing “printer name and model” + “default password” in Google.

This will grant you access to the printer’s web administration portal.

A lot of organizations integrate printers with their domain for authentication purposes. Locate the LDAP configuration page of the printer. If you are lucky enough, you might find an account with domain admin privileges on the LDAP config page.

Change the LDAP server host name / IP address to your Kali Linux IP address and click the Test button. This initiates a connection to the “authentication server”, which is now the attacker’s machine, and passes the NTLM hash of the account configured on the LDAP configuration page to it. You will, however, need some form of “authentication server” on your side to capture the hash passed from the printer.

You can set up a netcat listener and capture the hash.

netcat -l -vv -p 445

Or use this Metasploit auxiliary module:

use auxiliary/scanner/smb/capture
run

Having captured the admin hash, you can either crack it the old-fashioned way or use the Pass-The-Hash technique. My go-to tool for Pass-The-Hash and SMB relaying is Responder. Fire up Responder.

Then relay the received hash to a host with SMB signing disabled using multirelay.py, which works the same way as Impacket’s ntlmrelayx.py:

python multirelay.py -t <IP Address> -u administrator

And just like that you’ve got a shell!

Here is a visual representation of the attack.
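The defensive counterpart of the pass-back step above is to notice when a printer starts talking LDAP or SMB to a host that is not one of the approved domain controllers. The following is an added detection example, not code from the original post: the printer VLAN, the approved authentication servers and the flow-log lines are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumptions (constructed for this example): the printer VLAN, the approved
# domain controllers, and a simple "timestamp src dst dport proto" flow format.
PRINTER_SUBNET = ipaddress.ip_network("10.10.50.0/24")
APPROVED_AUTH_SERVERS = {
    ipaddress.ip_address("10.10.1.10"),
    ipaddress.ip_address("10.10.1.11"),
}
# Ports a printer legitimately uses for directory / file-share authentication.
AUTH_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 636: "ldaps"}

# Constructed sample flows: 10.10.50.23 first talks to a real DC, then its LDAP
# target is re-pointed at 10.10.99.7 (the pass-back pattern). 10.10.20.5 is a
# workstation, so its traffic to the same host is not a printer finding.
SAMPLE_FLOWS = """\
2024-03-04T09:12:01Z 10.10.50.23 10.10.1.10 389 tcp
2024-03-04T09:12:05Z 10.10.50.23 10.10.1.10 445 tcp
2024-03-04T09:15:40Z 10.10.50.23 10.10.99.7 445 tcp
2024-03-04T09:15:41Z 10.10.50.23 10.10.99.7 389 tcp
2024-03-04T09:16:00Z 10.10.50.24 10.10.1.11 636 tcp
2024-03-04T09:17:00Z 10.10.20.5 10.10.99.7 445 tcp
"""

Finding = namedtuple("Finding", "ts printer dest service")


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def find_passback_candidates(text, printer_subnet=PRINTER_SUBNET,
                             approved=APPROVED_AUTH_SERVERS):
    """Return printer-originated auth connections to non-approved servers."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_flow(line)
        if src not in printer_subnet or dport not in AUTH_PORTS:
            continue          # not a printer, or not an authentication port
        if dst in approved:
            continue          # expected traffic to a real domain controller
        findings.append(Finding(ts, str(src), str(dst), AUTH_PORTS[dport]))
    return findings


if __name__ == "__main__":
    for f in find_passback_candidates(SAMPLE_FLOWS):
        print(f"ALERT printer {f.printer} -> {f.dest} ({f.service}) at {f.ts}")
```

In practice the same logic runs over firewall or NetFlow exports, and the alert is worth pairing with a check that the account configured on the printer is a low-privilege service account rather than a domain admin.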
