.

thoughts on unsecured network printers

<<

LSOChris

Post Thu May 24, 2007 1:27 pm

thoughts on unsecured network printers

All,
just wanted to get some thoughts on the amount of risk and damage that can be done with networked printers.  many of them are left with default usernames and passwords or have small password length maxiums that can be bruteforced.

so my point is that its fairly easy to find unsecured printers but my question is what do you think about the impact this can have.

things you can do:

-upload and download and store files via ftp
-most run a webserver that you can store and retrieve files on
-most run open SMTP relays or can become open SMTP relays
-the attacker can change settings that can lead to denial of service or wasted resource usage
-if the printer stores the jobs an attacker can potentially view all the stored jobs and can view private info
-if the printer is LDAP enabled the attacker can harvest emails or send emails on behalf of the printer

things it doesnt appear to be able to do

-bounce thru the printer as a proxy
-port scan or launch attacks on the network  via the printer

i'm not saying the above stuff is ok to have on your network but its not a command prompt either.  so thoughts on how bad a threat this is?
<<

Negrita

User avatar

Sr. Member
Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Thu May 24, 2007 2:19 pm

Re: thoughts on unsecured network printers

I think that this is quite critical. If anyone has doubt about this, then I recommend reading chapter 4 of Stealing the Network - How to Own the Box, called "h3X’s Adventures in Networkland" by FX.

Even though this is fiction, it is based on fact, and should bring home to everyone the extent of the damage that can be done by gaining access to a printer.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
<<

Negrita

User avatar

Sr. Member
Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Thu May 24, 2007 2:43 pm

Re: thoughts on unsecured network printers

Afterthought: If you're actually planning on reading that book, I recommend borrowing it from the library, and not buying it. Syngress Publishing are a bunch of liars, and don't deserve the advertisement they've received here till now. At least not until they come clean on their promises to Don and regain the good will of our community.  >:(
Last edited by Negrita on Thu May 24, 2007 2:44 pm, edited 1 time in total.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu May 24, 2007 2:51 pm

Re: thoughts on unsecured network printers

I think in the grand scheme of things, securing printers are not where most of your security resources should be put. If a printer gets infected or hacked, while thats bad, the primary focus should still be on protecting data and critical infrastructure. So yes I agree, that there should be some kind of hardening or best practices guide for deployment and also they should be scanned just like every other device, but in a IT world where idiots are still deploying unsecured windows servers or really bad web applications, its not in the top 20 things I would suggest a company focus on. Also, since there are so many different printer vendors and there's not a monoculture of Microsoft/Cisco/Oracle present, it might be difficult creating a useful and detailed hardening guideline that covers all printers.
<<

LSOChris

Post Thu May 24, 2007 3:40 pm

Re: thoughts on unsecured network printers

good post oleDB.  that's kinda what i am getting at.  but for this thread, i am worried less about priority of locking down the printers and more on "ok the attacker is on my printer" what can he do.

i would agree that maybe printer security is not as important as keeping up with your windows patches but most printers can be mostly configured and forgotten about if you do it the right way when you deploy it (ie turning off telnet/ftp/web/smtp/jetdirect/etc and setting an admin password)  i'm still curious on thoughts to a network now that the attacker has control of the printer.
<<

spyhunter

Newbie
Newbie

Posts: 11

Joined: Tue May 15, 2007 10:20 pm

Location: Vancouver, BC, Canada, eh.

Post Thu May 24, 2007 11:44 pm

Re: thoughts on unsecured network printers

Personally,  i feel that some focus on securing printers should be made. They may not be as critical as windows servers, but any compromise on your network could lead to other attacks. Also if for some unknown reason they can serve up files via ftp or http to the the outside, you could get the into the same sort of liability (or perhaps negative publicity) issues as if you left an ftp or http site unsecured. One may argue that the fact they have hard drives,  are running ftp servers and http servers they should be treated as servers... If it qucks like a duck..

Multifunction printers  that plug into your phone line and the network should be a major concern.  The HP line obviously use a modem PCMICA card. The vendor claims that callers can't establish a modem connection via the phone line and then access your LAN. However i  have seen securelogix (voice firewall/IDS) reports that show modem energy on fax lines attached to MFPs. The SecureLogix application is technically smart enough to tell the deference between modem "energy" and fax calls.. Sure these cases may be false positives.. BUT the possibility of LAN access via the fax modem cards does exist, at least in my paranoid mind.
Spyhunter, CEH, Security+, Linux+, A+, CNE(Expired),  MCSE(Expired), CCA(Expired)
<<

LegioX

Newbie
Newbie

Posts: 25

Joined: Sun Sep 24, 2006 5:27 am

Post Fri May 25, 2007 2:05 am

Re: thoughts on unsecured network printers

Or what about a more traditional attack? (seems crude, I know!)

The attacker has gotten into the printer he can disable protocols, services, change the ports it operates on, hostname, etc...
Then you've either got a DOS scenario (imagine this printer is the only printer in a branch office, with no on-site IT staff - far from impossible to resolve remotely but could be a headache and will definitely result in 'downtime').
Maybe if the attacker changes the IP address of printer to that of a server or the router, we've got an IP conflict that could potentially result in a much more serious DOS attack...
MCSE & MCSA : Security (2003), A+, Network+, Security+, CEH, CCNA, JNCIA-FMW
<<

jimbob

Post Fri May 25, 2007 7:46 am

Re: thoughts on unsecured network printers

I've seen may printers, particularly high-end multi-function devices that contain practically a whole PC under the covers. If an intruder can get shell access on the PC then they've potentially owned a fully fledged machine.

It's not just printer but everything black box device that gets a network hookup that needs proper scrutiny before being attached to the network. There's no doubt a lot of legacy kit like printers, NAS servers, networking gear, printing presses, coffee machines etc. that are vulnerable and exploitable.

Jim
<<

LSOChris

Post Fri May 25, 2007 8:48 am

Re: thoughts on unsecured network printers

i also forgot to mention that it doesnt seem that they log incoming connections on telnet, ftp, 80.

now if you make system changes it may log that and if syslog is configured someone may notice... at least that is what h3x worries about  ;D

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software