Intercepting Credentials from HP Officejet Multifunction Printers
On a recent engagement, I encountered a multifunction printer/scanner/copier, an HP Officejet Pro, without password protection, and it was possible to gain a foothold in the Windows domain starting from the printer. An administrative password on the printer would have prevented the attack. When deploying printers into the environment, it is important to set administrative credentials that comply with your organization’s password complexity standard.
This attack exploits a simple logic flaw in the web interface for the printer. When entering a new destination directory for scanned documents, the printer should prompt for new administrative credentials. Since it does not, it is possible to redirect existing credentials to a malicious SMB listener.
The web interface for the multifunction printer is shown below. In my case, the web user interface is available at http://192.168.200.137/.
In order to exploit this vulnerability, browse to the web interface and click on the Scan tab, then click Network Folder Setup. If the user has a folder set up for scanning, you will see something like this:
Figure 1: Network Folder Setup for Officejet Pro 8600
We will start by editing the share and replacing its host with the address of what will be our malicious SMB listener.
Figure 2: After clicking Edit, we are presented with the form above.
Figure 3: By changing the IP address, we redirect the stored credentials, in NetNTLM format, to the machine running our listener.
Figure 4: Note that the PIN is optional, and you do NOT have to enter it to continue.
Figure 5: Step 3 of 4: Scan Settings. No need to change anything here. Just click Next.
Figure 6: We set up our malicious SMB listener.
Figure 7: Click Save and Test.
Figure 8: NetNTLM hashed password received from the test of the network credentials.
Figure 9: Password cracked using John the Ripper.
Without cracking the password, it would also be possible at this point to use the SMB relay module within Metasploit to gain access to the share itself and read any potentially sensitive scanned documents stored there, or to gain access to other machines on the network if the user had sufficient rights to do so.
The above technique underscores the importance of using strong passwords on any network assets, including seemingly innocuous ones such as printers.
In this case, a simple logic flaw was used in addition to the lack of an administrative password to redirect the hashed credentials to a malicious SMB listener. In addition to the recommendation that administrators password protect their multifunction printers, HP should require that a user re-enter any previously saved credentials when changing the destination of scanned documents. This is an easy fix and would prevent this type of attack in its entirety.
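As an added example (not part of the original post), a defender-side check that catches the "Save and Test" step described above: a printer should only ever open SMB connections to its approved scan-to-folder server, so a flow from the printer's address to any other host on 445/139 is worth alerting on. The flow-log format and every address other than the printer's 192.168.200.137 are constructed for this example.

```python
# Added example (not from the original post): flag SMB connections that a
# printer opens to any host other than its approved scan-to-folder server.
# Flow-log format and all addresses except the printer's 192.168.200.137
# are constructed for this example.
from collections import namedtuple

# Printer IP from the post; the approved file server address is assumed.
APPROVED_SCAN_SERVERS = {
    "192.168.200.137": {"192.168.200.10"},   # printer -> its real file server
}
SMB_PORTS = {445, 139}

Alert = namedtuple("Alert", "printer dest port line")

def parse_flow(line):
    """Parse 'src=... dst=... dport=...' key/value fields; None if malformed."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    try:
        return fields["src"], fields["dst"], int(fields["dport"])
    except (KeyError, ValueError):
        return None

def find_redirected_scans(lines, approved=APPROVED_SCAN_SERVERS):
    """Return alerts for SMB flows from a known printer to an unapproved host."""
    alerts = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        # Only printers we know about, only SMB, only destinations off the allowlist.
        if src in approved and dport in SMB_PORTS and dst not in approved[src]:
            alerts.append(Alert(src, dst, dport, line.strip()))
    return alerts

# Constructed sample flow records: one legitimate scan, one redirected "test",
# one non-SMB flow from the printer, and one SMB flow from a non-printer host.
SAMPLE_FLOWS = [
    "2024-01-01T10:00:00Z src=192.168.200.137 dst=192.168.200.10 dport=445 proto=tcp",
    "2024-01-01T10:00:05Z src=192.168.200.137 dst=192.168.200.55 dport=445 proto=tcp",
    "2024-01-01T10:00:07Z src=192.168.200.137 dst=192.168.200.1 dport=53 proto=udp",
    "2024-01-01T10:00:09Z src=192.168.200.50 dst=192.168.200.55 dport=445 proto=tcp",
]

if __name__ == "__main__":
    for a in find_redirected_scans(SAMPLE_FLOWS):
        print(f"ALERT printer {a.printer} sent SMB to unapproved host {a.dest}:{a.port}")
```

The same allowlist doubles as a mitigation when enforced on the printer VLAN's egress firewall, since the redirected test connection then never reaches the listener.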