A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Plunder, Pillage and Print - The art of leverage multifunction printers during penetration testing - Deral Heiland Bsides Cleveland 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)

Plunder, Pillage and Print - The art of leverage multifunction printers during penetration testing
Deral Heiland

In this presentation I will go beyond the common printer issues and focus around penetration testing of internal networks by focusing on embedded devices such as multifunction printer (MFP). Discussing methods and techniques regularly used to plunder and pillage these devices for user credentials. Methods including authentication bypass, information leakage flaws, firmware attacks, and poorly designed security. By leveraging these methods and techniques I will discuss how we have successfully gained access into core systems including email servers, file servers and Active directory domains on multiple occasions. Besides the manual methods and techniques a pentester can use to gather user credentials, I will also be discussing the current open source automated MFP data harvesting tool Praeda, and the current project to migrate it into Metasploit. In conclusion I will also be discussing best practices for reducing risk while still effectively leveraging MFP devices within a business environment.

This research started in 2010 and was initially released at Shmoocon in 2011. This project has been on-going and a couple technical white papers were released as part of this research project:

http://foofus.net/goons/percx/Xerox_hack.pdf

http://foofus.net/goons/percx/praeda/pass-back-attack.pdf

We continue to develop this research and use it on a day-to-day basis as part of our jobs as pentesters. One of the most fascinating aspects of this ongoing research project is, in 2011 on average about 10-15% of the time we were successful in extracting Active Directory credential from MFP devices. By 2013 the success rate had risen to 40-45%. This shows that this vector is target rich area for pentesters, but is often overlooked. Currently we use the automated harvesting tool Praeda https://github.com/percx/Praeda during pentest. We are currently beginning the migration of Praeda over to Metasploit and expect it to be completed by end of year. We plan to release several of the AD credentials extract modules this summer within Metasploit.

Deral Heiland CISSP, GWAPT Senior Security Consultant for Rapid7 where he is responsible for security assessments, and consulting for corporations and government agencies. Deral is also founder of Ohio Information Security Forum a not for profit organization that focuses on information security training and education. Deral has also presented at numerous national and international security conferences including Blackhat, ShmooCon, Defcon, Derbycon, Securitybyte India, and Hackcon Olso Norway. Deral has been interviewed by and quoted by several media outlets and publications including Bloomberg UTV, MIT Technical Review, MSNBC, PCworld and SC Magazine. Deral has over 20 years of experience in the Information Technology field.


Back to Bsides Cleveland 2014 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast