Intercepting Credentials from HP Officejet Multifunction Printers

August 02, 2013

On a recent engagement, I encountered a multifunction printer/scanner/copier, an HP Officejet Pro, without password protection. It was possible to gain a foothold into the Windows domain starting with the printer. This printer lacked an administrative password, which would have prevented the attack. When deploying printers into the environment, it is important to set administrative credentials that are in compliance with your organization’s standard for password complexity.

This attack exploits a simple logic flaw in the printer's web interface. When a new destination directory for scanned documents is entered, the printer should prompt for new administrative credentials. Since it does not, it is possible to redirect the existing credentials to a malicious SMB listener.

The web interface for the multifunction printer is shown below. In my case, the web user interface is available at

In order to exploit this vulnerability, browse to the web interface and click on the Scan tab, then click Network Folder Setup. If the user has a folder set up for scanning, you will see something like this:

Figure 1: Network Folder Setup for Officejet Pro 8600

We will start by editing the share and replacing it with what will be our malicious SMB listener.

Figure 2: After clicking Edit, we are presented with the form above.

Figure 3: By changing the IP, we will redirect the credentials to our target machine in NetNTLM format.

Figure 4: Note that the PIN is optional, and you do NOT have to enter it to continue.

Figure 5: Step 3 of 4: Scan Settings. No need to change anything here. Just click Next.

Figure 6: We set up our malicious SMB listener.

Figure 7: Click Save and Test.

Figure 8: NetNTLM hashed password received from the test of the network credentials.

Figure 9: Password cracked using John the Ripper.

It would also be possible here to skip cracking the password and use the SMB relay module within Metasploit instead. That would give access to the share itself, and to any potentially sensitive scanned documents stored there, or to other machines on the network if the user had sufficient rights.

The above technique underscores the importance of using strong passwords on any network assets, including seemingly innocuous ones such as printers.

In this case, a simple logic flaw was used in addition to the lack of an administrative password to redirect the hashed credentials to a malicious SMB listener. In addition to the recommendation that administrators password protect their multifunction printers, HP should require that a user re-enter any previously saved credentials when changing the destination of scanned documents. This is an easy fix and would prevent this type of attack in its entirety.
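The recommended fix can be modelled in a few lines. The following is an added example, not HP firmware code and not from the original post: it contrasts the update logic described above with a version that refuses to reuse the stored secret once the destination changes. The class, function names and sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class ScanProfile:
    """Constructed model of a saved scan-to-network-folder profile."""
    unc_path: str   # destination share, e.g. \\fileserver\scans
    username: str
    password: str   # secret kept on the device and replayed on "Save and Test"


def normalize_unc(path: str) -> str:
    """Canonical form so case or a trailing separator is not a 'change'."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if len(parts) < 2:
        raise ValueError(f"expected a server and share, got {path!r}")
    return "\\".join(parts).lower()


def update_vulnerable(profile: ScanProfile, new_path: str,
                      new_password: Optional[str] = None) -> ScanProfile:
    """Flaw from the post: the stored secret follows any new destination."""
    return replace(profile, unc_path=new_path,
                   password=new_password or profile.password)


def update_hardened(profile: ScanProfile, new_path: str,
                    new_password: Optional[str] = None) -> ScanProfile:
    """Recommended fix: a new destination invalidates the stored secret."""
    changed = normalize_unc(new_path) != normalize_unc(profile.unc_path)
    if changed and not new_password:
        raise PermissionError("destination changed: re-enter the credentials")
    return replace(profile, unc_path=new_path,
                   password=new_password or profile.password)


# Constructed sample data (192.0.2.10 is a documentation address).
SAVED = ScanProfile(r"\\fileserver\scans", r"CORP\svc_scan", "constructed-secret")
NEW_DEST = r"\\192.0.2.10\scans"

if __name__ == "__main__":
    print("vulnerable keeps secret:",
          update_vulnerable(SAVED, NEW_DEST).password == SAVED.password)
    try:
        update_hardened(SAVED, NEW_DEST)
    except PermissionError as exc:
        print("hardened:", exc)
```

Comparing the whole normalized path, rather than only the server name, means a change of share on the same server also forces re-entry, while a cosmetic edit such as a trailing separator does not.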
