P0ned by Copier, Again

At DEFCON, Deral Heiland spoke on leveraging multifunction printers during pentesting.  I’d previously seen him speak on this at Shmoocon 2011.  Multifunction copiers are barely managed in most companies.   They have default passwords, and don’t get patched.   Passwords are saved on the device to access network shares or LDAP.  In some cases these passwords are exposed by the copier.   

Praeda is an information harvesting tool written in PERL to gather exposed data on major copiers/printers.   It can be downloaded from foofus.net.

A couple of things were particularly of interest.
1.  passback attack.   Deral found that the TEST button used to validate credentials could be spoofed so the copier sends the credentials in clear text to the attacker.
2.  The configuration backup can expose data.   If you can log into the admin website, in some cases you’ll be able to view credentials in the backup that were otherwise protected.

I’m looking forward to trying out Praeda when I get back to the office.  It is important to change the password from the default and apply all security updates.