Penetration Testing
Printer Attacks Nov 07 2011 08:53PM
doc tarrow (doc tarrow gmail com) (1 replies)
Re: Printer Attacks Nov 08 2011 05:47PM
The Doctor (drwho virtadpt net) (1 replies)
Hash: SHA1

On 11/07/2011 03:53 PM, doc tarrow wrote:

> The primary goal as I understand things currently, is to gather
> valid user credentials. Naturally, compromised credentials
> represent serious

If those are the terms of engagement of the penetration test, then
yes, that seems like a reasonable primary goal. If the terms of
engagement are more detailed or broad then that, then gathering user
credentials may be only a means to an end.

> Now the hard part. I have to relate this risk to our risk
> management and net ops people. In some respects, it seems that
> simply applying common sense to our printer hardening practice is
> all that's required to reduce (eliminate?) risk. That said, it
> seems forceful browsing is

What if the firmware of the devices in question does not allow for
doing so, but mitigation would contradict a business requirement?

> At the risk of receiving replies telling me to just do my job, I'm
> curious. Do any of you actively attack printer systems? If so, how
> are

If networked multifunction printers are not specifically excluded from
the target set, yes, I do go after them. Not as primary targets, mind
you, but they have their uses. In the fairly recent past I used a
couple of older networked printers for FTP bounce attacks that were
used to go after other targets. I also came across a few networked
printers that I was able to FTP into and peruse the print queues on
the hard drives. While it was not a traditional compromise in any
sense, I did download and later present to my client a DVD-ROM full of
documents (some three or four years old) that they considered
sensitive that had been sitting on the unit's hard drive, accessible
to anyone who spent thirty seconds guessing passwords.

Networked devices can also be a useful cover for hiding equipment
smuggled into the target site and hidden in plain view. For example,
attaching a wireless access point between the printer and the rest of
the LAN often went unnoticed (perfect for sneaking right into the core
of the client's network); in a pinch, the excuse "The cable wasn't
long enough, so I put in an Ethernet switch and a three foot CAT-6
until we get a longer one," worked. I rather doubt that tucking a
netbook behind a networked printer or fax machine with a sticy that
reads "PRINT SERVER: DO NOT TOUCH" would still work these days, though.

- --

The Doctor [412/724/301/703]

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1

"The spice must flow."

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla -



This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

[ reply ]
Re: Printer Attacks Nov 09 2011 12:35PM
Marco Ivaldi (raptor mediaservice net)


Privacy Statement
Copyright 2010, SecurityFocus