
Scenario:

Network printer "Scan To Shared Folder" feature.
Network printer IP address: 192.168.0.10

Network printer "Scan To Shared Folder" details:
Network path: \\192.168.0.155\Folder\Subfolder
Login username: aficio
Password: ****** Retype Password: ******

Based on what is stated above, my guess is that on the 192.168.0.155 host there's certainly an account called aficio.

Further details:

  • Attacker can access the network printer admin web panel
  • Attacker cannot access host 192.168.0.155
  • Attacker wants to get aficio's password

Questions:

Would it be possible to retrieve the user aficio's password through PRET (Printer Exploitation Toolkit) or any other software able to interact with the network printer?

I mean, am I right in saying that aficio's password is actually somewhere on the network printer filesystem?

Is network sniffing a valid alternative in order to get the password? I don't think so, since I believe aficio's credentials will reach the endpoint (192.168.0.155) through SSL. Is that correct?

Any help will be highly appreciated.

t5j

1 Answer

You didn't provide details about the physical security, the network infrastructure, the printer itself, printer connectivity, the network share... It is hard to say.

PRET can be used if there is an exploitable vulnerability on the printer and you have direct network access to it. And you are correct, the password will be there, that is for sure. Maybe encrypted, maybe not; it can take some time to find it there, but yes, it is there.

MITM would probably not work if the share is not unprotected FTP. I suppose it is a Windows (or SMB) share.

What about another attack scenario? It presumes you have physical access to the printer and to its cabling. But you must be lucky with so many things in this case...

What about unplugging the printer from the network it is connected to (if it is well-configured Wi-Fi with VLANs you are lost; if there is Ethernet with properly configured 802.1x without fallback allowed on the printer side, you are lost; if there is mutual authentication or share server certificate validation, you are lost; if the printer is loading configuration, contacts or something else from a network server, you are lost), connecting it to an "attacker network" and making it think the host on 192.168.0.155 is the one it is really looking for, while it will be a machine controlled by you with your software installed, so once it tries to authenticate you can capture the authentication protocol packets unencrypted directly on that machine. If you are lucky the clear-text password will be sent (which I would not hope for). You will probably get some kind of maybe salted, maybe not salted hash you can use to authenticate somewhere else in the network, or you can try to brute-force a password against it using rainbow tables.

Fis
  • Thanks for your reply. My goal is to get aficio's password. I can reach the printer; I can access it, which means I know the admin password. The endpoint 192.168.0.155 is a Windows server, so if I can get aficio's password that means I have a domain user account, and that might help me to perform Kerberoasting... or whatever. You say aficio's password is on the network printer filesystem... the thing is, where is it? I used PRET in order to get some information; it works well, but I'm unable to perform a search in order to look for items like "password", "aficio"... or another keyword – t5j May 23 '20 at 20:51
  • what kind of printer is it? – Fis May 23 '20 at 20:57
  • It's an OKI printer – t5j May 23 '20 at 21:23
  • No idea, try to search :) – Fis May 24 '20 at 08:17