From 431f25c0fc62c90d263010ade9da7bcb483e4b82 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 15 Jul 2025 08:28:01 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/windows-hardening/active-direc... --- ...nexmon-monitor-and-injection-on-android.md | 4 +- .../ios-pentesting-without-jailbreak.md | 2 +- .../pentesting-telnet.md | 2 +- .../ad-information-in-printers.md | 108 +++++++++++++----- 4 files changed, 82 insertions(+), 34 deletions(-) diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md index 2ee072b12..9c74b3b41 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md @@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p * NexMon Magisk ZIP or self-compiled patch providing: * `/system/lib*/libnexmon.so` * `/system/xbin/nexutil` -* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker +* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker) * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools --- @@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2- * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon) * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 791da2761..1f226fae0 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md @@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth ### Automated dynamic analysis with MobSF (no jailbreak) -[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: ```bash docker pull opensecurity/mobile-security-framework-mobsf:latest diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md index 31ca7a6ae..5eb9580d6 100644 --- a/src/network-services-pentesting/pentesting-telnet.md +++ b/src/network-services-pentesting/pentesting-telnet.md @@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with -{{#include /banners/hacktricks-training.md}} +{{#include ../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md index f29bcfdb4..2e22f3c46 100644 --- a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md +++ b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md @@ -2,60 +2,108 @@ {{#include ../../banners/hacktricks-training.md}} -There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.\ -This is because an attacker could **trick the printer to authenticate against a rouge LDAP server** (typically a `nc -vv -l -p 444` is enough) and to capture the printer **credentials on clear-text**. +There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials. \ +This is because an attacker could **trick the printer to authenticate against a rogue LDAP server** (typically a `nc -vv -l -p 389` or `slapd -d 2` is enough) and capture the printer **credentials in clear-text**. -Also, several printers will contains **logs with usernames** or could even be able to **download all usernames** from the Domain Controller. +Also, several printers will contain **logs with usernames** or could even be able to **download all usernames** from the Domain Controller. All this **sensitive information** and the common **lack of security** makes printers very interesting for attackers. -Some blogs about the topic: +Some introductory blogs about the topic: - [https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/](https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/) - [https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856) +--- ## Printer Configuration -- **Location**: The LDAP server list is found at: `Network > LDAP Setting > Setting Up LDAP`. -- **Behavior**: The interface allows LDAP server modifications without re-entering credentials, aiming for user convenience but posing security risks. -- **Exploit**: The exploit involves redirecting the LDAP server address to a controlled machine and leveraging the "Test Connection" feature to capture credentials. +- **Location**: The LDAP server list is usually found in the web interface (e.g. *Network ➜ LDAP Setting ➜ Setting Up LDAP*). +- **Behavior**: Many embedded web servers allow LDAP server modifications **without re-entering credentials** (usability feature → security risk). +- **Exploit**: Redirect the LDAP server address to an attacker-controlled host and use the *Test Connection* / *Address Book Sync* button to force the printer to bind to you. +--- ## Capturing Credentials -**For more detailed steps, refer to the original [source](https://grimhacker.com/2018/03/09/just-a-printer/).** - -### Method 1: Netcat Listener - -A simple netcat listener might suffice: +### Method 1 – Netcat Listener ```bash -sudo nc -k -v -l -p 386 +sudo nc -k -v -l -p 389 # LDAPS → 636 (or 3269) ``` -However, this method's success varies. +Small/old MFPs may send a simple *simple-bind* in clear-text that netcat can capture. Modern devices usually perform an anonymous query first and then attempt the bind, so results vary. -### Method 2: Full LDAP Server with Slapd +### Method 2 – Full Rogue LDAP server (recommended) -A more reliable approach involves setting up a full LDAP server because the printer performs a null bind followed by a query before attempting credential binding. - -1. **LDAP Server Setup**: The guide follows steps from [this source](https://www.server-world.info/en/note?os=Fedora_26&p=openldap). -2. **Key Steps**: - - Install OpenLDAP. - - Configure admin password. - - Import basic schemas. - - Set domain name on LDAP DB. - - Configure LDAP TLS. -3. **LDAP Service Execution**: Once set up, the LDAP service can be run using: +Because many devices will issue an anonymous search *before* authenticating, standing up a real LDAP daemon yields much more reliable results: ```bash -slapd -d 2 +# Debian/Ubuntu example +sudo apt install slapd ldap-utils +sudo dpkg-reconfigure slapd # set any base-DN – it will not be validated + +# run slapd in foreground / debug 2 +slapd -d 2 -h "ldap:///" # only LDAP, no LDAPS ``` +When the printer performs its lookup you will see the clear-text credentials in the debug output. + +> 💡 You can also use `impacket/examples/ldapd.py` (Python rogue LDAP) or `Responder -w -r -f` to harvest NTLMv2 hashes over LDAP/SMB. + +--- +## Recent Pass-Back Vulnerabilities (2024-2025) + +Pass-back is *not* a theoretical issue – vendors keep publishing advisories in 2024/2025 that exactly describe this attack class. + +### Xerox VersaLink – CVE-2024-12510 & CVE-2024-12511 + +Firmware ≤ 57.69.91 of Xerox VersaLink C70xx MFPs allowed an authenticated admin (or anyone when default creds remain) to: + +* **CVE-2024-12510 – LDAP pass-back**: change the LDAP server address and trigger a lookup, causing the device to leak the configured Windows credentials to the attacker-controlled host. +* **CVE-2024-12511 – SMB/FTP pass-back**: identical issue via *scan-to-folder* destinations, leaking NetNTLMv2 or FTP clear-text creds. + +A simple listener such as: + +```bash +sudo nc -k -v -l -p 389 # capture LDAP bind +``` + +or a rogue SMB server (`impacket-smbserver`) is enough to harvest the credentials. + +### Canon imageRUNNER / imageCLASS – Advisory 20 May 2025 + +Canon confirmed a **SMTP/LDAP pass-back** weakness in dozens of Laser & MFP product lines. An attacker with admin access can modify the server configuration and retrieve the stored credentials for LDAP **or** SMTP (many orgs use a privileged account to allow scan-to-mail). + +The vendor guidance explicitly recommends: + +1. Updating to patched firmware as soon as available. +2. Using strong, unique admin passwords. +3. Avoiding privileged AD accounts for printer integration. + +--- +## Automated Enumeration / Exploitation Tools + +| Tool | Purpose | Example | +|------|---------|---------| +| **PRET** (Printer Exploitation Toolkit) | PostScript/PJL/PCL abuse, file-system access, default-creds check, *SNMP discovery* | `python pret.py 192.168.1.50 pjl` | +| **Praeda** | Harvest configuration (including address books & LDAP creds) via HTTP/HTTPS | `perl praeda.pl -t 192.168.1.50` | +| **Responder / ntlmrelayx** | Capture & relay NetNTLM hashes from SMB/FTP pass-back | `responder -I eth0 -wrf` | +| **impacket-ldapd.py** | Lightweight rogue LDAP service to receive clear-text binds | `python ldapd.py -debug` | + +--- +## Hardening & Detection + +1. **Patch / firmware-update** MFPs promptly (check vendor PSIRT bulletins). +2. **Least-Privilege Service Accounts** – never use Domain Admin for LDAP/SMB/SMTP; restrict to *read-only* OU scopes. +3. **Restrict Management Access** – place printer web/IPP/SNMP interfaces in a management VLAN or behind an ACL/VPN. +4. **Disable Unused Protocols** – FTP, Telnet, raw-9100, older SSL ciphers. +5. **Enable Audit Logging** – some devices can syslog LDAP/SMTP failures; correlate unexpected binds. +6. **Monitor for Clear-Text LDAP binds** on unusual sources (printers should normally talk only to DCs). +7. **SNMPv3 or disable SNMP** – community `public` often leaks device & LDAP config. + +--- ## References -- [https://grimhacker.com/2018/03/09/just-a-printer/](https://grimhacker.com/2018/03/09/just-a-printer/) +- Rapid7. “Xerox VersaLink C7025 MFP Pass-Back Attack Vulnerabilities.” February 2025. +- Canon PSIRT. “Vulnerability Mitigation Against SMTP/LDAP Passback for Laser Printers and Small Office Multifunction Printers.” May 2025. {{#include ../../banners/hacktricks-training.md}} - - -