Skip to main content

Intercepting Credentials from HP Officejet Multifunction Printers

August 02, 2013

On a recent engagement, I encountered a multifunction printer/scanner/copier, an HP Officejet Pro, without password protection. It was possible to gain a foothold into the Windows domain starting with the printer. This printer lacked an administrative password, which would have prevented the attack. When deploying printers into the environment, it is important to set administrative credentials that are in compliance with your organization’s standard for password complexity.

This attack exploits a simple logic flaw in the web interface for the printer. When entering a new destination directory for scanned documents, the printer should prompt for new administrative credentials. Since it does not, it is possible to redirect existing credentials to a malicious SMB listener.

The web interface for the multifunction printer is shown below. In my case, the web user interface is available at

In order to exploit this vulnerability, browse to the web interface and click on the Scan tab, then click Network Folder Setup. If the user has a folder set up for scanning, you will see something like this:

HP Printers 1

Figure 1: Network Folder Setup for Officejet Pro 8600

We will start by editing the share and replacing it with what will be our malicious SMB listener.

HP Printers 2

Figure 2: After clicking Edit, we are presented with the form above.

HP Printers 3

Figure 3: By changing the IP, we will redirect the credentials to our target machine in NetNTLM format.

HP Printers 4

Figure 4:  Note that the pin is optional, and you do NOT have to enter it to continue.

HP Printers 5

Figure 5:  Step 3 of 4: Scan Settings. No need change anything here. Just click Next.

HP Printers 6

Figure 6:  We set up our malicious SMB listener.

HP Printers 7

Figure 7: Click Save and Test.

HP Printers 8

Figure 8: NetNTLM hashed password received from the test of the network credentials.

HP Printers 9

Figure 9: Password cracked using John the Ripper.

It would also be possible here to use the SMB relay module within Metasploit, without cracking the password, to gain access to the share itself and access potentially sensitive scanned documents there or gain access to other machines on the network if the user had sufficient rights to do so.

The above technique underscores the importance of using strong passwords on any network assets, including seemingly innocuous ones such as printers.

In this case, a simple logic flaw was used in addition to the lack of an administrative password to redirect the hashed credentials to a malicious SMB listener. In addition to the recommendation that administrators password protect their multifunction printers, HP should require that a user re-enter any previously saved credentials when changing the destination of scanned documents. This is an easy fix and would prevent this type of attack in its entirety.

Related Blogs

June 10, 2013

Jboss crucial Methods for Application Security

While performing a penetration test, it’s quite common to encounter JBoss and Tomcat application servers. These servers are generally attractive targe...

See Details

October 15, 2015

Accessible Threat Intelligence

Threat intelligence is a term that has entered our vocabulary as security practitioners over the last couple of years. According to Gartner, threat in...

See Details

March 25, 2010

Could Smartphones be the Unsuspected Entry Point for a Network Attack?

Last year, during the 2009 Black Hat event in Las Vegas, two security professionals presented research about the possibility of SMS attacks across a G...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.