Stealing Hashes from Printers to Compromise Systems

I was on an engagement earlier this year where I was actually stealing hashes from printers to get access to a system.

Stealing Hashes from Printers – Introduction

During an internal penetration test, I was only able to discover one non-domain related computer in another subnet.

I was unable to run Responder or ARP spoof it, since it was in a different network. I couldn’t enumerate any users, and the system was fully patched.

But Wait, There’s a Printer…

After going back through my scans and notes, I noticed a printer on the network that looked worth a closer look.

Stealing Hashes from Printers - Scan to Network

The ‘Scan to Network Folder’ feature was what caught my eye: it was pointing to my target system.

This printer was configured to scan and save documents to the single WORKGROUP computer on the network. Additionally, the configuration settings were editable without any further authentication.

Stealing Hashes from Printers - Network Folder

Testing the Printer

First, I created a new configuration option pointing to my attacking system, and Responder was able to capture my fake hash.

Next, I made sure that changing the network location didn’t remove the saved username or password (so that I could revert my changes when I finished).

Stealing Hashes from Printers - User Credentials

Modifying the Settings

Once I was sure that my changes wouldn’t break anything, I changed the saved configuration to point to my attacking system.

Stealing Hashes from Printers - Modified Location

When I hit “Next”, the printer displayed the Summary page with my new network path.

Stealing Hashes from Printers - New Settings

Capturing a Hash

With everything in place, I hit the “Save and Test” button and waited…

In just a few seconds, I had captured a hash from the printer for my target host!

[13:53:47][root]@[kali:~]# python /pentest/Responder/Responder.py -I wlan0 -Prfvw

...

[+] Listening for events...
[*] [LLMNR]  Poisoned answer sent to 192.168.10.xx for name MANAGERxxxx
[SMB] NTLMv2-SSP Client   : 192.168.10.xx
[SMB] NTLMv2-SSP Username : Managerxxxx
[SMB] NTLMv2-SSP Hash     : User::Managerxxx::Managerxxx::7177xxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxx
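From the defender's side, the two things that made this work are visible in authentication logs: the printer's stored scan account authenticating to a host other than its approved destination, and later that same account being used from something that is not the printer. The following is an added example (not code from the original post) that runs that check over a few constructed SMB authentication log lines in a simple key=value layout. The printer inventory, IP addresses, the scan account name and the log format are all assumptions made for the example; a real deployment would feed Windows logon events or a network sensor's NTLM log into the same classifier.

```python
"""Flag printer scan-to-folder SMB sessions that go somewhere other than the
approved destination, and flag a printer's stored scan account being used from
any non-printer host. All inventory values and log lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical inventory (constructed for this example): for each printer,
# the one SMB server its "Scan to Network Folder" may write to and the
# service account it is supposed to authenticate with.
PRINTER_INVENTORY = {
    "192.168.10.50": {"dest": "192.168.10.20", "account": "scan-svc"},
}

# Constructed sample log: one normal scan, one scan redirected to an unknown
# host, one scan with the wrong account, the scan account reused from a
# workstation, and an unrelated normal logon.
SAMPLE_LOG = """\
ts=2024-05-02T13:40:11 src=192.168.10.50 dst=192.168.10.20 user=scan-svc auth=NTLMv2 status=success
ts=2024-05-02T13:53:47 src=192.168.10.50 dst=192.168.10.99 user=scan-svc auth=NTLMv2 status=success
ts=2024-05-02T13:55:02 src=192.168.10.50 dst=192.168.10.20 user=helpdesk auth=NTLMv2 status=success
ts=2024-05-02T14:10:30 src=192.168.10.77 dst=192.168.10.20 user=Scan-Svc auth=NTLMv2 status=success
ts=2024-05-02T14:12:00 src=192.168.10.77 dst=192.168.10.20 user=alice auth=Kerberos status=success
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) auth=(?P<auth>\S+) status=(?P<status>\S+)"
)


@dataclass
class AuthEvent:
    ts: str
    src: str
    dst: str
    user: str
    auth: str
    status: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return AuthEvent(**m.groupdict())


def classify(event: AuthEvent) -> Optional[str]:
    """Return an alert reason for a suspicious event, or None if it is expected."""
    user = event.user.lower()  # account names are case-insensitive
    printer = PRINTER_INVENTORY.get(event.src)
    if printer is not None:
        # The source is a known printer: it may only talk to its approved
        # scan destination, and only with its own scan account.
        if event.dst != printer["dest"]:
            return "printer_unexpected_destination"
        if user != printer["account"]:
            return "printer_unexpected_account"
        return None
    # The source is not a printer: a printer's scan account has no business
    # logging on from anywhere else, which is what a stolen credential looks like.
    scan_accounts = {p["account"] for p in PRINTER_INVENTORY.values()}
    if user in scan_accounts:
        return "scan_account_reused_from_non_printer"
    return None


def find_alerts(log_text: str) -> List[Tuple[str, AuthEvent]]:
    """Run the classifier over every parseable line and collect the alerts."""
    alerts: List[Tuple[str, AuthEvent]] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reason = classify(event)
        if reason is not None:
            alerts.append((reason, event))
    return alerts


if __name__ == "__main__":
    for reason, event in find_alerts(SAMPLE_LOG):
        print(f"{event.ts} {reason}: {event.src} -> {event.dst} as {event.user}")
```

The inventory check is only as good as the inventory: the redirect in this post worked because nobody had written down where the printer was supposed to send scans, so nothing noticed when that changed. Keeping the printer's admin interface behind a password, giving the scan account write access to one share only, and restricting printers' outbound SMB to the approved server each remove one link of the chain; the log check above catches the case where one of those controls has lapsed.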

Stealing Hashes from Printers – Conclusion

Once I captured the hash, I was able to crack it and access the machine. I wasn’t able to escalate privileges on the box, but the user account that I compromised had plenty of access to sensitive information.

I thought that this was a really cool compromise, and I definitely had to share it.

Let me know if you have any other ideas for things to try, or cool internal hacks!
