Nytro
Posted November 1, 2011

Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers
By Deral (PercX) Heiland and Michael (omi) Belton

At Defcon 19 during my presentation we discussed a new attack method against printers. This attack method involved tricking the printer into passing LDAP or SMB credentials back to the attacker in plain text. We refer to this attack as a Pass-Back-Attack. So it's been a while, but we wanted to release a short tutorial discussing how this attack is performed.

Over the past year, one focus of the Foofus.NET team involves developing and testing attacks against a number of Multifunction Printer (MFP) devices. A primary goal of this research is to demonstrate the effect of trust relationships between devices that are generally considered benign, and critical systems such as Microsoft Windows Domains. One of the most interesting attacks developed during this project is what we refer to as a Pass-Back Attack.

A Pass-Back Attack is an attack where we direct an MFP device into authenticating (LDAP or SMB authentication) against a rogue system rather than the expected server. In the following sections we will step through the entire process of a Pass-Back-Attack using a Ricoh Aficio MP 5001 as our target device. This attack has been found to work on a number of Ricoh or rebranded Ricoh systems. Additionally, this attack works against a large number of MFP devices manufactured by Sharp. We expect there are many other devices that this attack will work against.

This attack will be performed using a web browser, Netcat and a web proxy. First, we need to create a rogue listener that will be used to capture the authentication process initiated from the MFP. This is a relatively easy problem to solve; we can simply set up a listener using Netcat.

$ nc -l 1389

In this attack we will use port 1389. If you're reading this, you're probably well aware that binding to a privileged port requires some form of administrative account such as "root." We prefer non-privileged ports for this attack because they allow us to demonstrate how unprivileged access on one system can be used to gain privileged access to another system. A demonstration of this involves a scenario where you have remote (user-level) access to a device on a filtered subnet and are looking to gain more privileged access to a wider set of systems. Additionally, this approach highlights the fact that LDAP can be configured to authenticate against any software listening on any port.

Download: http://www.foofus.net/~percX/praeda/pass-back-attack.pdf

Source: http://www.foofus.net/?p=468
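The post's closing observation, that an MFP can be pointed at any host on any port for LDAP or SMB authentication (a Netcat listener on 1389 in the walkthrough), is also the basis for a simple detection on the defender's side: a printer has a small, fixed set of servers it should ever authenticate against, so any auth-looking connection from a printer to some other host is worth an alert. The script below is an added example and is not part of the original post or of the Foofus.NET paper; the printer inventory (MFP_HOSTS), the sanctioned server list (SANCTIONED_AUTH), the log format and the log lines themselves are all assumed or constructed for illustration.

```python
"""Flag MFP (printer) connections that do not go to the sanctioned LDAP/SMB
servers.  Added detection example; the inventory, server list and log format
below are assumptions, not values from the original post."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed asset inventory: IPs of the multifunction printers on this network.
MFP_HOSTS = {"10.10.5.20", "10.10.5.21"}

# Assumed sanctioned authentication endpoints: one domain controller on LDAP,
# LDAPS and SMB.  Anything else a printer talks to for auth deserves a look.
SANCTIONED_AUTH = {
    ("10.10.1.5", 389),
    ("10.10.1.5", 636),
    ("10.10.1.5", 445),
}

# Ports on which LDAP / LDAPS / Global Catalog / SMB normally run.
AUTH_PORTS = {389, 636, 3268, 3269, 139, 445}

# Constructed sample connection log (firewall / NetFlow style):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2011-11-01T09:12:03 10.10.5.20 10.10.1.5 389 tcp
2011-11-01T09:12:04 10.10.5.20 10.10.1.5 445 tcp
2011-11-01T09:15:41 10.10.5.20 10.10.9.77 1389 tcp
2011-11-01T09:16:02 10.10.5.21 10.10.9.77 445 tcp
2011-11-01T09:17:15 10.10.7.40 10.10.9.77 1389 tcp
2011-11-01T09:18:00 10.10.5.20 10.10.1.5 636 tcp
"""


@dataclass(frozen=True)
class Conn:
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    conn: Conn
    reason: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log record; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Conn(parts[0], parts[1], parts[2], int(parts[3]), parts[4])
    except ValueError:
        return None


def classify(conn: Conn) -> Optional[str]:
    """Return a reason string if the connection is suspicious, else None.

    Only TCP traffic originating from an inventoried MFP is considered.
    """
    if conn.src not in MFP_HOSTS or conn.proto != "tcp":
        return None
    if (conn.dst, conn.dport) in SANCTIONED_AUTH:
        return None
    if conn.dport in AUTH_PORTS:
        # Standard auth port, but not the server the printer is supposed to
        # use: its LDAP/SMB setting may have been redirected to a rogue host.
        return "auth-port-to-unsanctioned-host"
    # Anything else outbound from a printer is unexpected.  LDAP can be
    # configured to use an arbitrary port (the post's listener sits on 1389),
    # so a non-standard port number is no reassurance on its own.
    return "unexpected-outbound"


def detect(log_text: str) -> List[Finding]:
    """Run classify() over every parsable record and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None:
            continue
        reason = classify(conn)
        if reason:
            findings.append(Finding(conn, reason))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        c = f.conn
        print(f"{c.timestamp} {c.src} -> {c.dst}:{c.dport} [{f.reason}]")
```

Run against the constructed log, this flags two records: the inventoried printer 10.10.5.20 opening a connection to 10.10.9.77 on 1389, and 10.10.5.21 talking SMB to the same host instead of the domain controller; the workstation 10.10.7.40 is ignored because it is not in the printer inventory. In a real deployment the sanctioned set would also carry the printer's other legitimate destinations (mail relay for scan-to-email, firmware update server), and the MFP's own LDAP/SMB server settings would be checked against the same list, since the attack begins with a change to that configuration.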