AD information in printers
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
There are several blogs in the Internet which highlight the dangers of leaving printers configured with LDAP with default/weak logon credentials.
This is because an attacker could trick the printer to authenticate against a rouge LDAP server (typically a nc -vv -l -p 444
is enough) and to capture the printer credentials on clear-text.
Also, several printers will contains logs with usernames or could even be able to download all usernames from the Domain Controller.
All this sensitive information and the common lack of security makes printers very interesting for attackers.
Some blogs about the topic:
Printer Configuration
Location: The LDAP server list is found at:
Network > LDAP Setting > Setting Up LDAP
.Behavior: The interface allows LDAP server modifications without re-entering credentials, aiming for user convenience but posing security risks.
Exploit: The exploit involves redirecting the LDAP server address to a controlled machine and leveraging the "Test Connection" feature to capture credentials.
Capturing Credentials
For more detailed steps, refer to the original source.
Method 1: Netcat Listener
A simple netcat listener might suffice:
However, this method's success varies.
Method 2: Full LDAP Server with Slapd
A more reliable approach involves setting up a full LDAP server because the printer performs a null bind followed by a query before attempting credential binding.
LDAP Server Setup: The guide follows steps from this source.
Key Steps:
Install OpenLDAP.
Configure admin password.
Import basic schemas.
Set domain name on LDAP DB.
Configure LDAP TLS.
LDAP Service Execution: Once set up, the LDAP service can be run using:
References
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Last updated