There are several blogs on the Internet that highlight the dangers of leaving printers configured with LDAP with default/weak logon credentials.
This is because an attacker could trick the printer into authenticating against a rogue LDAP server (typically a nc -vv -l -p 444 is enough) and capture the printer credentials in clear text.
Also, several printers contain logs with usernames, or can even download all usernames from the Domain Controller.
All this sensitive information and the common lack of security make printers very interesting for attackers.
Some blogs about the topic:
- https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/
- https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856
Printer Configuration
- Location: The LDAP server list is found at: Network > LDAP Setting > Setting Up LDAP.
- Behavior: The interface allows LDAP server modifications without re-entering credentials, aiming for user convenience but posing security risks.
- Exploit: The exploit involves redirecting the LDAP server address to a controlled machine and leveraging the "Test Connection" feature to capture credentials.
Capturing Credentials
For more detailed steps, refer to the original source.
Method 1: Netcat Listener
A simple netcat listener might suffice:
sudo nc -k -v -l -p 386
Method 2: Full LDAP Server with Slapd
A more reliable approach involves setting up a full LDAP server because the printer performs a null bind followed by a query before attempting credential binding.
- LDAP Server Setup: The guide follows steps from this source.
- Key Steps:
  - Install OpenLDAP.
  - Configure admin password.
  - Import basic schemas.
  - Set domain name on LDAP DB.
  - Configure LDAP TLS.
- LDAP Service Execution: Once set up, the LDAP service can be run using:
slapd -d 2
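The null bind followed by a credential bind described above is visible on the wire, because an LDAP simple bind carries the password unencrypted. The following is an added example for defenders, not code from the original page: it classifies BindRequest payloads taken from a capture and flags a printer sending a cleartext credential bind to a server outside an approved list. The addresses, the cn=mfp bind DN, the sample payloads and the function names are constructed assumptions.

```python
# Added example: classify LDAP BindRequests seen on the wire (defensive triage).
APPROVED_LDAP = {"10.0.0.10"}  # assumption: addresses of your real directory servers
# Constructed sample payloads: a null (anonymous) bind and a simple bind as cn=mfp.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
CRED_BIND = bytes.fromhex("3014020102600f0201030406636e3d6d667080027077")

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(payload):
    """Return (kind, bind_dn) for an LDAP BindRequest, or None for anything else."""
    try:
        tag, msg, _ = _tlv(payload, 0)     # LDAPMessage SEQUENCE
        if tag != 0x30:
            return None
        _, _, pos = _tlv(msg, 0)           # messageID
        tag, op, _ = _tlv(msg, pos)
        if tag != 0x60:                    # [APPLICATION 0] = BindRequest
            return None
        _, _, pos = _tlv(op, 0)            # version
        _, name, pos = _tlv(op, pos)       # bind DN
        auth_tag, cred, _ = _tlv(op, pos)  # authentication choice
    except (IndexError, ValueError):
        return None
    dn = name.decode("utf-8", "replace")
    if auth_tag == 0x80:                   # simple auth: password travels unencrypted
        kind = "anonymous" if not cred and not dn else "simple-cleartext"
        return (kind, dn)
    if auth_tag == 0xA3:                   # SASL mechanism
        return ("sasl", dn)
    return ("unknown", dn)

def alert(src, dst, payload):
    """Describe a cleartext credential bind and whether dst is an approved server."""
    result = classify_bind(payload)
    if not result or result[0] != "simple-cleartext":
        return None
    where = "approved server" if dst in APPROVED_LDAP else "UNAPPROVED server"
    return f"{src} sent cleartext bind for '{result[1]}' to {where} {dst}"
```

The password bytes are never returned or logged; only the bind DN and destination are reported, which is enough to spot a device whose LDAP server setting has been changed.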