
LDAP Passback and Why We Harp on Passwords

Hackers are like anyone else in that they would rather work smarter, not harder, so they pick the low-hanging fruit first. Often we find companies that put that fruit right in front of them without even knowing it.


When building an effective cybersecurity management program, companies often overlook the need to secure their printers or Internet of Things (IoT) devices—giving hackers an easy entry point for malicious attacks. Printers are rarely hardened, and even when a client’s asset management process is strong, printer vendors often arrive unannounced to work on the device and then hard-reset it to the default administrator password before leaving.


During many of our engagements, our penetration testers have easily compromised networks and gained access to systems through printers or IoT devices, either with default credentials or simply by taking advantage of the weak security protocols these devices run. Although they seem harmless, companies must be aware of the consequences of leaving these assets out of their cybersecurity programs.


We recently worked with a client that was confident in the security of their printers, cameras, and IoT devices, but fell prey to our use of a Lightweight Directory Access Protocol (LDAP) Passback Attack.


During a penetration test engagement, we usually run port scans relatively early. Unhardened printers are extremely common, so we typically begin by scanning a few ports that printers often expose (such as 50001 and 9100). If we see those ports open in combination with 445 (Server Message Block), 80, or 443, we know we will be able to infiltrate the environment easily. We quickly found a Xerox WorkCentre printer live on the network:



After some quick research, we found that this printer, when not hardened with a strong administrator password, allows an LDAP Passback Attack. Sure enough, the printer still had its default local administrator password set, which gave us access.


Once we had admin access, we could change the server to which this printer sends its LDAP queries, which would normally be a domain controller. With a listener waiting on port 389 on our attack machine, the printer could be made to send its queries (and the credentials it binds with) to us instead. Here’s the original IP address the printer used for LDAP queries:




And here’s that IP address re-pointed to our attack machine, which was listening on port 389:



We then triggered an LDAP query from the printer. Luckily for us, this printer model has a user-mapping lookup that lets an administrator search for a network user when setting up print jobs. We used it to search for a user we knew didn’t exist, named “,” simply to trigger a search against our attacking host:


Once our listener was running, we clicked the “Search” button on that page, and the listener captured the printer’s LDAP bind, which carried its “svc_scans” service account name and plaintext password (the redacted portion at the end):



This was a valid domain account, which we used to enumerate other users, groups, group memberships, and trust relationships. It became the foothold from which we carried out further domain attacks that eventually led us to domain administrator.
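To make the mechanism concrete from the defender’s side, here is an added example (not code from the original post) that decodes an LDAP simple bind the way a packet inspector would, reports that the credentials travelled in the clear, and flags a printer binding to anything other than an approved domain controller. The IP addresses, the bind DN, and the password are constructed sample values, and the printer inventory and domain controller allowlist are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed inventory: which hosts are printers and which LDAP servers are legitimate.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
PRINTERS = {"10.0.5.20"}


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, one-byte long form otherwise (sample sizes only)."""
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Constructed sample: LDAPMessage { messageID, BindRequest { version 3, name, simple [0] pw } }."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))   # 0x60 = [APPLICATION 0] BindRequest


def _read_tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    tag, ln = buf[i], buf[i + 1]
    i += 2
    if ln & 0x80:                              # long form: low 7 bits give the number of length bytes
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[i:i + nbytes], "big")
        i += nbytes
    return tag, buf[i:i + ln], i + ln


def parse_bind_request(raw: bytes) -> Dict[str, object]:
    """Decode one LDAPMessage and report how the client authenticated (never return the secret itself)."""
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, i = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, i)
    if tag != 0x60:
        return {"message_id": int.from_bytes(mid, "big"), "op": "not-bind"}
    _, ver, i = _read_tlv(op, 0)
    _, name, i = _read_tlv(op, i)
    tag, cred, _ = _read_tlv(op, i)
    auth = "simple" if tag == 0x80 else "sasl" if tag == 0xA3 else f"unknown-{tag:#x}"
    return {"message_id": int.from_bytes(mid, "big"), "version": ver[0], "dn": name.decode(),
            "auth": auth, "secret_bytes": len(cred) if auth == "simple" else 0}


def audit_ldap_flow(src: str, dst: str, dport: int, payload: bytes) -> List[str]:
    """Detection logic: a printer talking LDAP to a non-DC, and any plaintext bind on unencrypted 389."""
    findings = []
    if src in PRINTERS and dst not in DOMAIN_CONTROLLERS:
        findings.append(f"printer {src} is binding to non-DC LDAP server {dst}")
    info = parse_bind_request(payload)
    if info.get("auth") == "simple" and dport == 389:
        findings.append(f"simple bind as {info['dn']} sent the password in the clear on port {dport}")
    return findings
```

Run against a live capture, the same checks would key on the printer’s real LDAP server setting and your own list of domain controllers.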


How to Prevent LDAP Attacks

  • Include printers in your vulnerability management and hardening program, rather than leaving them on default settings outside the security controls you apply to other hosts

  • Develop a process in which vendors must get written consent before performing routine maintenance on your devices; nobody should touch these hosts without your team knowing the date and time of their arrival and departure from the building or network

  • When the maintenance is complete, verify that the device has been hardened again with a strong administrator password

  • Ensure service accounts (in this case the svc_scans account) are granted only the minimum privileges they need to operate

Conclusion


All devices must be locked down—no matter how harmless they seem. If it has an IP address on your network, then it belongs in your asset inventory and should be held to the same strong asset management processes that your Windows, Linux, ATM, and all other hosts are held to. Defense in depth is the key to network security, and it must extend to printers and IoT devices.


If you are interested in discussing this or any other security concern, please feel free to Contact Us!

