Attack carriers - Revision history

92.228.38.179 at 09:58, 8 February 2017

2017-02-08T09:58:30Z

84.153.135.37 at 08:00, 31 January 2017

2017-01-31T08:00:26Z

Admin: Created page with "Overview of channels to deploy a (malicious) print job Various channels like USB, LPD, IPP, SMB, or raw port 9100 p..."

2017-01-28T18:04:49Z

Created page with "Overview of channels to deploy a (malicious) print job Various channels like USB, LPD, IPP, SMB, or raw port 9100 p..."

New page

[[File:Deployment-channels.png|thumb|Overview of channels to deploy a (malicious) print job]]

Various channels like [[USB]], [[LPD]], [[IPP]], [[SMB]], or [[raw]] port 9100 printing can be used as carriers to deploy malicious print jobs. While it is possible the attack [[Fundamentals#Network_printing_protocols|printing protocols]] themselves, most attacks discussed in this wiki are targeted for the [[PostScript]] and [[PJL]] interpreters. The payload is just routed by any of the printing channels. This is important to note because it means '''whenever the attacker can somehow ‘print’ she can attack and exploit those interpreters'''.

[[File:Printing-overview.png|400px|Attack the interpreters, not the printing channels]]

This fact makes it very harder for the blue team ([[Countermeasures#Admins|network administrators]], for example) to defend against printer attacks. Many devices even allow printing (and therefore exploitation) by uploading a raw file to the printer's [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] service or to a form on the embedded web server. To get an impression, an overview of printing channels supported by various printer models is given below.

{| class="wikitable" style="text-align:center"
|+ Malicious print job deployment channels
|-
! Printer model !! LPD !! IPP !! Raw !! Web !! FTP !! SMB !! USB
|-
| style="text-align:left;" | HP LaserJet 1200 || ✔ || || ✔ || || || ||
|-
| style="text-align:left;" | HP LaserJet 4200N || ✔ || ✔ || ✔ || || ✔ || ||
|-
| style="text-align:left;" | HP LaserJet 4250N || ✔ || ✔ || ✔ || ✔ || ✔ || || ✔
|-
| style="text-align:left;" | HP LaserJet P2015dn || ✔ || || ✔ || || || ✔ || ✔
|-
| style="text-align:left;" | HP LaserJet M2727nfs || ✔ || || ✔ || || || ✔ || ✔
|-
| style="text-align:left;" | HP LaserJet 3392 AiO || ✔ || || ✔ || || || ✔ || ✔
|-
| style="text-align:left;" | HP Color LaserJet CP1515n || ✔ || || ✔ || || || || ✔
|-
| style="text-align:left;" | Brother MFC-9120CN || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Brother DCP-9045CDN || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Lexmark X264dn || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Lexmark E360dn || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Lexmark C736dn || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Dell 5130cdn || ✔ || ✔ || ✔ || || ✔ || ✔ || ✔
|-
| style="text-align:left;" | Dell 1720n || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Dell 3110cn || ✔ || || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | Kyocera FS-C5200DN || ✔ || || ✔ || || ✔ || ✔ || ✔
|-
| style="text-align:left;" | Samsung CLX-3305W || ✔ || ✔ || ✔ || || || || ✔
|-
| style="text-align:left;" | Samsung MultiPress 6345N || ✔ || ✔ || ✔ || ✔ || || || ✔
|-
| style="text-align:left;" | Konica bizhub 20p || ✔ || ✔ || ✔ || || ✔ || || ✔
|-
| style="text-align:left;" | OKI MC342dn || ✔ || ✔ || ✔ || ✔ || ✔ || ✔ || ✔
|-
| style="text-align:left;" | Konica bizhub C454e || ✔ || ✔ || ✔ || ✔ || || ✔ || ✔
|-
|}

It must be noted these this are not the only possible attack scenarios. For example using social engineering, to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like cloud-based printing.

== Attacker Models ==

A '''physical attacker''' has the capability to print documents from USB stick or via USB/parallel cable. An (wired or wireless) attacker connecting through a '''TCP/IP network''' can deploy print jobs over LPD, IPP, port 9100/tcp, FTP, SMB and the embedded web server. Under the assumption that no strong user authentication like smart card based access control or SSL client certificates is enforced, both attacker models do obviously have a channel to print which is the precondition for further attacks to be carried out. Both are certainly quite strong attacker models because they require direct access – either physical or logical – to the device. However, in penetration testing scenarios where sneaking into the building is not an option and the printer is not directly reachable over the internet, other deployment channels are required. In such cases, the '''victim's web browser''' can be used as a carrier for printer malware as discussed in [[cross-site printing]].

→ ''Related aricles:'' [[USB drive or cable]], [[Port 9100 printing]], [[Cross-site printing]]

@@ Line 58: / Line 58: @@
 |}
-It must be noted that these are not the only possible attack scenarios. For example using social engineering to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like cloud-based printing.
+It must be noted that these are not the only possible attack scenarios. For example using social engineering to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like [https://en.wikipedia.org/wiki/Cloud_printing cloud printing] or [https://webbluetoothcg.github.io/web-bluetooth/ Web Bluetooth].
 == Attacker Models ==

@@ Line 58: / Line 58: @@
 |}
-It must be noted these this are not the only possible attack scenarios. For example using social engineering, to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like cloud-based printing.
+It must be noted that these are not the only possible attack scenarios. For example using social engineering to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like cloud-based printing.
 == Attacker Models ==
@@ Line 64: / Line 64: @@
 A '''physical attacker''' has the capability to print documents from USB stick or via USB/parallel cable. An (wired or wireless) attacker connecting through a '''TCP/IP network''' can deploy print jobs over LPD, IPP, port 9100/tcp, FTP, SMB and the embedded web server. Under the assumption that no strong user authentication like smart card based access control or SSL client certificates is enforced, both attacker models do obviously have a channel to print which is the precondition for further attacks to be carried out. Both are certainly quite strong attacker models because they require direct access – either physical or logical – to the device. However, in penetration testing scenarios where sneaking into the building is not an option and the printer is not directly reachable over the internet, other deployment channels are required. In such cases, the '''victim's web browser''' can be used as a carrier for printer malware as discussed in [[cross-site printing]].
-→ ''Related aricles:'' [[USB drive or cable]], [[Port 9100 printing]], [[Cross-site printing]]
+→ ''Related articles:'' [[USB drive or cable]], [[Port 9100 printing]], [[Cross-site printing]]