From Default Printer Credentials to Domain Administrator

27. Jul 2023

Devices like printers are implemented into nearly every organisation’s corporate infrastructure, yet often little thought is put into considering the security risks devices like these can introduce. Often installed with default configurations, these devices can act as a foothold into a corporate environment. Forfend consultants recently conducted a penetration test where the use of default credentials for the printer’s management console allowed for them to start their path of exploitation all the way to domain administrator.

The engagement started with the only level of access provided being purely network, with no user credentials. The client’s particular concern was the risk associated with a malicious actor gaining access to their network. The consultants started the engagement like every other, mapping out the network and identifying the systems and protocols visible from the network access they were provided. Initially, the environment seemed to be fairly locked down, however they soon discovered a Kyocera printer with its management interface running over HTTPS on TCP port 443.

A quick Google revealed that the default administrative username and password for this portal was the classic ‘admin’ and ‘admin’. Using this, they were able to log in to the printer’s management console. But so what? Well, after a bit of rummaging around the printer’s configuration, they noticed that a ‘scan to file share’ function was configured, with a domain account being used to authenticate. Attempts were made to extract the password by modifying the HTML elements within the browser, however Kyocera had protected the panel against this kind of attack. The consultants then had an idea, what if they changed the IP address of the share configured, and setup a listener to capture the incoming authentication attempt? Even better, what if they changed the protocol in the configuration from SMB, which would provide a hashed version of the password, to the FTP service? As you guessed, the result was the printer authenticating to the Forfend consultant’s system with the plaintext password for the user account.

Armed with a domain account, the consultants were now free to enumerate the many features of Active Directory, and were able to identify a vulnerability within Active Directory Certificate Services (a detailed whitepaper on this from the team at SpecterOps can be found here https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf), which once exploited, granted full domain administrator access.

Whilst the organisation was found to have implemented a large number of security controls, they forgot to securely configure their printers, which acted as an initial point for compromising the rest of their network. Securing all the devices brought into your environment is crucial, as one overlooked device can impact the security of the whole environment.