Stealing Hashes from Printers to Compromise Systems

I was on an engagement earlier this year where I was actually stealing hashes from printers to get access to a system.

Stealing Hashes from Printers – Introduction

During an internal penetration test, I was only able to discover one non-domain related computer in another subnet.

I was unable to run Responder or ARP spoof it, since it was in a different network. I couldn’t enumerate any users, and the system was fully patched.

But Wait, There’s a Printer…

After going back through my scans and notes, there was a printer on the network that seemed interesting.

The ‘Scan to Network Folder’ seemed interesting, and it was pointing to my target system.

This printer was configured to scan and save documents to the single WORKGROUP computer on the network. Additionally, the configuration settings were editable without any further authentication.

Testing the Printer

First, I created a new configuration option pointing to my attacking system, and Responder was able to capture my fake hash.

Next, I made sure that changing the network location didn’t remove the saved username or password (so that I could revert my changes when I finished).

Modifying the Settings

Once I was sure that my changes wouldn’t break anything, I changed the saved configuration to point to my attacking system.

When I hit “Next”, the printer displayed the Summary page with my new network path.

Capturing a Hash

With everything in place, I hit the “Save and Test” button and waited…

In just a few seconds, I had captured a hash from the printer for my target host!

[13:53:47][root]@[kali:~]# python /pentest/Responder/Responder.py -I wlan0 -Prfvw

...

[+] Listening for events...
[*] [LLMNR]  Poisoned answer sent to 192.168.10.xx for name MANAGERxxxx
[SMB] NTLMv2-SSP Client   : 192.168.10.xx
[SMB] NTLMv2-SSP Username : Managerxxxx
[SMB] NTLMv2-SSP Hash     : User::Managerxxx::Managerxxx::7177xxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxx

Stealing Hashes from Printers – Conclusion

Once I captured the hash, I was able to crack it and access the machine. I wasn’t able to escalate privileges on the box, but the user account that I compromised had plenty of access to sensitive information.

I thought that this was a really cool compromise, and I definitely had to share it.

Let me know if you have any other ideas for things to try, or cool internal hacks!

Ray Doyle

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.