AD information in printers
There are several blogs on the Internet that highlight the dangers of leaving printers configured with LDAP with default/weak logon credentials.
This is because an attacker could trick the printer into authenticating against a rogue LDAP server (typically a nc -vv -l -p 444 is enough) and capture the printer credentials in clear text.
Also, several printers contain logs with usernames or may even be able to download all usernames from the Domain Controller.
All this sensitive information and the common lack of security make printers very interesting for attackers.
Some blogs about the topic:
Location: The LDAP server list is found at: Network > LDAP Setting > Setting Up LDAP.
Behavior: The interface allows LDAP server modifications without re-entering credentials, aiming for user convenience but posing security risks.
Exploit: The exploit involves redirecting the LDAP server address to a controlled machine and leveraging the "Test Connection" feature to capture credentials.
For more detailed steps, refer to the original .
A simple netcat listener might suffice:
However, this method's success varies.
A more reliable approach involves setting up a full LDAP server because the printer performs a null bind followed by a query before attempting credential binding.
Key Steps:
Install OpenLDAP.
Configure admin password.
Import basic schemas.
Set domain name on LDAP DB.
Configure LDAP TLS.
LDAP Service Execution: Once set up, the LDAP service can be run using:
LDAP Server Setup: The guide follows steps from .
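From the defender's side, the bind sequence described above (a null bind, then a credentialed bind) is straightforward to recognise in captured LDAP traffic. The following is an added example, not part of the original page: it parses LDAP BindRequest messages and flags simple binds sent without TLS, reporting only the bind DN and the password length. The DN, password and `SESSION` data are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(payload, tls=False):
    """Describe an LDAP BindRequest, or return None for anything else."""
    try:
        tag, msg, _ = read_tlv(payload, 0)       # LDAPMessage SEQUENCE
        if tag != 0x30:
            return None
        _, _msgid, pos = read_tlv(msg, 0)        # messageID
        tag, op, _ = read_tlv(msg, pos)          # protocolOp
        if tag != 0x60:                          # [APPLICATION 0] BindRequest
            return None
        _, _version, pos = read_tlv(op, 0)
        _, name, pos = read_tlv(op, pos)         # bind DN
        auth_tag, cred, _ = read_tlv(op, pos)    # [0] simple or [3] SASL
    except (IndexError, ValueError):
        return None
    kind = {0xA3: "sasl", 0x80: "simple" if cred else "anonymous"}.get(auth_tag)
    if kind is None:
        return None
    return {"kind": kind, "dn": name.decode("utf-8", "replace"),
            "password_len": len(cred) if kind == "simple" else 0,  # never the value
            "exposed": kind == "simple" and not tls}

def _tlv(tag, value):                            # short-form encoder for samples
    return bytes([tag, len(value)]) + value

def sample_bind(dn, password):
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60, op))

# Constructed session: the null bind first, then the credentialed bind.
SESSION = [sample_bind(b"", b""),
           sample_bind(b"cn=svc-print,dc=example,dc=test", b"Constructed1!")]

if __name__ == "__main__":
    print([classify_bind(m) for m in SESSION])
```

An `exposed` result for a printer's service account is the signal to move that device to LDAPS or StartTLS and to rotate the account's password.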