Stealing Hashes from Printers to Compromise Systems

I was on an engagement earlier this year where I was actually stealing hashes from printers to get access to a system.

Stealing Hashes from Printers – Introduction

During an internal penetration test, I was only able to discover one non-domain related computer in another subnet.

I was unable to run Responder or ARP spoof it, since it was in a different network. I couldn’t enumerate any users, and the system was fully patched.

But Wait, There’s a Printer…

After going back through my scans and notes, there was a printer on the network that seemed interesting.

Stealing Hashes from Printers - Scan to Network

The ‘Scan to Network Folder’ seemed interesting, and it was pointing to my target system.

This printer was configured to scan and save documents to the single WORKGROUP computer on the network. Additionally, the configuration settings were editable without any further authentication.

Stealing Hashes from Printers - Network Folder

Testing the Printer

First, I created a new configuration option pointing to my attacking system, and Responder was able to capture my fake hash.

Next, I made sure that changing the network location didn’t remove the saved username or password (so that I could revert my changes when I finished).

Stealing Hashes from Printers - User Credentials

Modifying the Settings

Once I was sure that my changes wouldn’t break anything, I changed the saved configuration to point to my attacking system.

Stealing Hashes from Printers - Modified Location

When I hit “Next”, the printer displayed the Summary page with my new network path.

Stealing Hashes from Printers - New Settings

Capturing a Hash

With everything in place, I hit the “Save and Test” button and waited…

In just a few seconds, I had captured a hash from the printer for my target host!

[13:53:47][root]@[kali:~]# python /pentest/Responder/ -I wlan0 -Prfvw


[+] Listening for events...
[*] [LLMNR]  Poisoned answer sent to 192.168.10.xx for name MANAGERxxxx
[SMB] NTLMv2-SSP Client   : 192.168.10.xx
[SMB] NTLMv2-SSP Username : Managerxxxx
[SMB] NTLMv2-SSP Hash     : User::Managerxxx::Managerxxx::7177xxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxx
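From the defender's side, the two events in this write-up leave a network trace: the printer's stored scan account authenticating to a host other than its approved share, and later that same account being used from a machine that is not the printer. The following is an added example, not part of the original post, that flags both patterns over a constructed SMB session log; the log format, the printer and host addresses, and the account name are all hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed baseline (hypothetical): which host and account each printer's
# "Scan to Network Folder" setting is approved to use.
APPROVED_SCAN_DESTINATIONS = {
    "192.168.10.50": {"host": "192.168.10.20", "account": "scanuser"},
}

# Constructed sample log in a hypothetical sensor/firewall export format.
SAMPLE_LOG = """\
13:50:02 src=192.168.10.50 dst=192.168.10.20 user=scanuser proto=smb
13:53:47 src=192.168.10.50 dst=192.168.10.99 user=scanuser proto=smb
14:10:33 src=192.168.10.31 dst=192.168.10.20 user=scanuser proto=smb
14:11:05 src=192.168.10.31 dst=192.168.10.20 user=alice proto=smb
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) proto=(?P<proto>\S+)$"
)


@dataclass
class Alert:
    time: str
    src: str
    dst: str
    user: str
    reason: str


def find_scan_account_misuse(log_text, approved=APPROVED_SCAN_DESTINATIONS):
    """Return alerts for redirected scan destinations and reused scan accounts."""
    scan_accounts = {v["account"].lower() for v in approved.values()}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "smb":
            continue
        user = m["user"].lower()
        expected = approved.get(m["src"])
        if expected is not None and m["dst"] != expected["host"]:
            # Printer sent its stored credentials somewhere other than the
            # approved share: consistent with an edited scan destination.
            alerts.append(Alert(m["time"], m["src"], m["dst"], m["user"],
                                "printer scan account sent to unapproved host"))
        elif expected is None and user in scan_accounts:
            # Scan account used from a non-printer: consistent with credential reuse.
            alerts.append(Alert(m["time"], m["src"], m["dst"], m["user"],
                                "scan account used from a non-printer source"))
    return alerts
```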

Stealing Hashes from Printers – Conclusion

Once I captured the hash, I was able to crack it and access the machine. I wasn’t able to escalate privileges on the box, but the user account that I compromised had plenty of access to sensitive information.

I thought that this was a really cool compromise, and I definitely had to share it.

Let me know if you have any other ideas for things to try, or cool internal hacks!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included

3 Responses to Stealing Hashes from Printers to Compromise Systems

  1. Good info. Lucky me I recently found your blog by chance (stumbleupon).
    I’ve saved it for later!
