URL:
https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack
HOW TO HACK THROUGH A PASS-BACK ATTACK: MFP HACKING GUIDE
by Elwood Buck

A PEN TESTER'S GUIDE TO PRINTER HACKING

WHAT IS AN MFP AND MFP HACKING ANYWAY?

Multi-Function Peripherals (MFPs) are an underutilized target in the realm of pen testing. When compared against other high-value targets, MFP hacking appears to be the low man on the totem pole. Penetration testers frequently attack other targets like web applications, file servers, and domain controllers.
Too often, the thought is: why waste your time on printers when you can attack systems that potentially yield:

* Credential Disclosure
* File System Access
* Memory Access

However, as illustrated by a recent and surprisingly interesting printer penetration test engagement, it turns out that a successful MFP breach can result in all of the above findings, plus more. The best part is that MFP security and maintenance are often forgotten, potentially resulting in a quick win for someone looking to gain entry or escalate their privileges in a compromised network.

MFPs are the clunky pile of plastic typically located in your corporate closet. They’re equipped with network ports, USB drives, and an iPad-looking control panel with its own set of specialized applications. These intelligent devices are capable of much more than the standard copy, print, and fax. Don’t forget the occasional paper jam too. These industrial ink bleeders are loaded with plenty of functionality, like the ability to integrate with the corporate network to allow for convenient scan-to-email. This functionality necessitates:

* Lightweight Directory Access Protocol (LDAP) integration
* Simple Mail Transfer Protocol (SMTP) integration
* Network shares

What kind of information is at risk with an MFP? How can you, as a penetration tester, successfully hack into an MFP?

DID YOU SAY LDAP?

MFP-LDAP integration can be a control mechanism to prevent unauthorized users from printing, copying, scanning, etc. It can also be used for email address lookups when leveraging the scan/copy-to-email functionality, as well as giving authenticated users access to their home folder located on the network. Most MFP vendors (HP, Xerox, Ricoh, Canon, etc.) have their own LDAP implementation for their specific MFP, but they are generally the same concept: input a few attributes here, an IP address there, add a username/password, then sit back and watch the “magic” happen.
WHY MFP HACKING MATTERS

For the MFP to conduct queries on the LDAP server, the MFP must be configured with the appropriate credentials to access the LDAP server, or set with the ability to pass user credentials to the LDAP server. These credentials are stored somewhere on the MFP and, if we can capture them, then we may have an entryway into the network, and possibly more.

INTRODUCING THE PASS-BACK ATTACK

The stored LDAP credentials are usually located on the network settings tab in the online configuration of the MFP and can typically be accessed via the Embedded Web Service (EWS). If you can reach the EWS and modify the LDAP server field by replacing the legitimate LDAP server with your malicious LDAP server, then the next time an LDAP query is conducted from the MFP, it will attempt to authenticate to your LDAP server using the configured credentials or the user-supplied credentials.

ACCESSING THE EWS

Most MFPs ship with a set of default administrative credentials to access the EWS. These credentials are usually located in the Administrator Guide of the MFP in question and are a good place to start for initial access:

Vendor   Username   Password
Ricoh    admin      (blank)
HP       admin      admin or (blank)
Canon    ADMIN      canon
Epson    EPSONWEB   admin

Another way to potentially access the EWS is through the Printer Exploitation Toolkit (PRET) and Praeda. Both tools are capable of information disclosure and code execution. If you are looking to utilize the tools for the first time, here are a few resources to help you get started:

* https://github.com/RUB-NDS/PRET
* https://github.com/percx/Praeda
* http://www.hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet

REPLACE LDAP ATTRIBUTES

Once you are authenticated to the EWS, locate the LDAP settings. During our test on an HP Color LaserJet MFP M477fdn, these settings were in the access control portion of the networking tab.
Next, we removed the existing LDAP Server Address, 192.168.1.100, and replaced it with our IP address. We then saved the settings. Then, we created a Netcat listener on port 389, which was the existing port in the LDAP settings of the MFP.

CAPTURE CREDENTIALS

The configuration of this MFP requires users to authenticate before using the available resources like the scan-to-email ability. The next time an unsuspecting user inputs their credentials at the control panel, the MFP will send their information to the LDAP server under our control. If the MFP supports and is configured to store LDAP credentials for email lookup (the model we tested did not), then these credentials can also be passed back to the LDAP server under our control.

ATTACKING SMTP AND WINDOWS SIGN-IN

This attack can also be conducted against other settings on the MFP that support authentication. Like LDAP, the Windows sign-in can be an alternative method to control access to the MFP resources. We substitute the existing domain with our own domain, and the next time a domain user signs in at the control panel, the credentials are sent to our domain controller. Conducting attacks on the SMTP configuration can also produce fruitful results. The existing SMTP configuration for this MFP has stored credentials for SMTP authentication that can be passed back to us after replacing the existing SMTP server with our own SMTP server.

BIG PAYOUT WITH LOW RISK

MFPs do not get the attention they deserve when it comes to security. They are usually physically accessible, poorly managed, and shipped with default credentials. All of this, coupled with their payout potential, should make them a prime target for your next engagement.
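From the defender's side, the pass-back described above leaves two artifacts worth checking: an LDAP, SMTP or Windows sign-in setting on the MFP that no longer points at the organization's real server, and the printer binding or sending mail to a host it never talked to before. The Python below is an added example, not code from the MindPoint Group post. It audits a constructed settings export against an allowlist of approved servers and the vendor default EWS logins from the table above, and then runs the same allowlist over constructed firewall log lines to flag printer-originated LDAP/SMTP connections to unapproved hosts. The settings format, the allowlist, the printer address and the log lines are all assumptions; 192.168.1.100 is reused from the post as the legitimate LDAP server.

```python
"""Defender-side checks for the MFP pass-back scenario (added example).

Every setting, address and log line here is constructed for illustration;
real MFPs export their configuration in vendor-specific formats.
"""
import re
from dataclasses import dataclass

# Assumed allowlist of what the printer fleet may authenticate to.
# 192.168.1.100 is the legitimate LDAP server from the post; the rest is made up.
APPROVED_SERVERS = {
    "ldap": {"192.168.1.100"},
    "smtp": {"192.168.1.25"},
    "windows_domain": {"corp.example"},
}

# Vendor default EWS logins from the post's table as (username, password);
# "" stands for a blank password.
DEFAULT_EWS_CREDS = {
    ("admin", ""), ("admin", "admin"), ("ADMIN", "canon"), ("EPSONWEB", "admin"),
}

# Assumed addresses of the printers themselves, used by the log check.
PRINTER_IPS = {"192.168.1.50"}

# Destination ports whose traffic from a printer should only reach approved hosts.
WATCHED_PORTS = {389: "ldap", 636: "ldap", 25: "smtp", 465: "smtp", 587: "smtp"}


@dataclass
class Finding:
    device: str
    severity: str
    detail: str


def parse_settings(text):
    """Parse a constructed 'key = value' export into a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_settings(device, settings):
    """Flag redirected authentication targets, default EWS logins and plaintext EWS."""
    findings = []
    checks = (("ldap_server", "ldap"), ("smtp_server", "smtp"),
              ("windows_domain", "windows_domain"))
    for field, kind in checks:
        value = settings.get(field)
        if value and value not in APPROVED_SERVERS[kind]:
            findings.append(Finding(device, "high",
                                    f"{field} points at unapproved {kind} target {value}"))
    creds = (settings.get("ews_user", ""), settings.get("ews_password", ""))
    if creds in DEFAULT_EWS_CREDS:
        findings.append(Finding(device, "high", "EWS still uses a vendor default login"))
    if settings.get("ews_https", "").lower() != "true":
        findings.append(Finding(device, "medium", "EWS reachable over plaintext HTTP"))
    return findings


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def detect_redirected_auth(log_lines):
    """Return alerts for printer-originated LDAP/SMTP connections to unapproved hosts."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        kind = WATCHED_PORTS.get(dport)
        if src in PRINTER_IPS and kind and dst not in APPROVED_SERVERS[kind]:
            alerts.append(f"{src} -> {dst}:{dport} ({kind}) is not an approved {kind} server")
    return alerts


# Constructed export: the LDAP server has been pointed elsewhere and the EWS
# still carries the blank-password default.
SAMPLE_SETTINGS = """
# constructed export, not a real vendor format
ldap_server = 10.0.0.7
smtp_server = 192.168.1.25
windows_domain = corp.example
ews_user = admin
ews_password =
ews_https = false
"""

# Constructed firewall log lines; only the second is a printer binding to a host
# that is not the approved LDAP server (the fourth comes from a non-printer).
SAMPLE_LOG = [
    "2022-08-31T10:00:01Z src=192.168.1.50 dst=192.168.1.100 dport=389 proto=tcp action=allow",
    "2022-08-31T10:02:14Z src=192.168.1.50 dst=10.0.0.7 dport=389 proto=tcp action=allow",
    "2022-08-31T10:03:00Z src=192.168.1.50 dst=192.168.1.25 dport=25 proto=tcp action=allow",
    "2022-08-31T10:05:00Z src=192.168.1.77 dst=10.0.0.7 dport=389 proto=tcp action=allow",
]

if __name__ == "__main__":
    for f in audit_settings("mfp-lobby", parse_settings(SAMPLE_SETTINGS)):
        print(f"[{f.severity}] {f.device}: {f.detail}")
    for alert in detect_redirected_auth(SAMPLE_LOG):
        print("[alert]", alert)
```

The configuration audit catches the attack after the fact (and catches the default login that made it cheap), while the log check catches it the moment the MFP first binds to the new server; in a real fleet the allowlist would come from the directory and mail teams and the printer addresses from DHCP reservations or the asset inventory, and an egress rule limiting printers to those servers on 389/636/25/465/587 removes the pass-back path entirely.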
GET STARTED WITH MFP HACKING AND PEN TESTING

For over a decade, we have helped organizations of every size, complexity, and sophistication design, implement, manage, and advance their cybersecurity defensive capabilities and operations—all to protect and support their missions and businesses. Learn more about our pen testing services and cybersecurity consulting. Already have a background in pen testing? Check out our job openings.

Tags: Pentest, Security Operations

© 2022 MindPoint Group