Recently I was asked by a CIO to think of and execute a simple attack at a manufacturing facility as part of an ongoing initiative to enhance cyber security awareness. I’m not at all a penetration tester or ethical hacker, but there are a few very simple “attacks” that almost anyone can execute.
In this instance I will describe how you can discover and takeover network devices, specifically printers, to execute common schemes such as phishing and malware installation.
Discover and Take Over Network Devices and Printers:
1. Search for discoverable devices on the network.
Once on the company’s network it is probably possible to use Windows to explore the network for discoverable printers and devices. This is a built-in Windows feature (just try to “add a device” and see what is freely available). For the purposes of this exercise any of those will do.
2. Identify high potential target devices.
Once you have a list of network devices, search for those that are more likely to store valuable data or have the ability to send email. Copier and printer devices from vendors such as Canon and Ricoh are good targets.
3. Log in to the administrative console of printers and devices.
Any device on the network probably has an administrative console that you can log on to if you have the device’s IP address. The IP address can be found under the properties of the device; you can typically access this by right-clicking on the device’s name once you have discovered it as described above. Simply type the IP address into your web browser to reach a website-like logon interface.
If a logon is required, it is highly likely that the default credentials are still in use. You can find the device’s default logon credentials via a simple Google search and try those.
Once logged in, simply browse through the administrative panel to see what options and data are available. Typically you can find device logs, email addresses, and stored documents.
You should stop here, as you now have a proof of concept to present as evidence that a vulnerability exists; however, it is important to understand the types of attacks that could be executed from this point and the risk they carry. NEVER PROCEED WITH EXECUTION OF THESE ATTACKS.
1. Download information stored on the device such as stored documents and email addresses.
Many devices and printers store copies of scanned and printed documents. This information is easy to steal. Configuration files, including to/from information for email, are also easy for a passive attacker to gather.
2. Send emails through the device, spoofed as authentic email addresses, to launch phishing or malware attacks.
A more active attacker can use the printer to send email disguised as coming from an authentic sender. For example, if your CIO’s email address is stored as a sender in the printer’s directory, an attacker could send an urgent email containing a malicious link to everyone in the company.
3. Use the device’s resources as part of a larger botnet, for example to launch DDoS attacks.
An attacker may not be interested in your company but may find your information technology resources valuable for launching attacks on their preferred targets. Because printers can send email or even connect out to other IP addresses, an attacker can use a captured printer or network device to launch DDoS attacks or phishing scams against individuals outside the company.
The danger with this tactic is that a passive takeover is less intrusive, so it is less likely that anyone would ever notice anything suspicious; your printer could be taken over for months or years before anyone notices.
There are a variety of ways to mitigate the risk of network device tampering, but here are a couple of the easiest to implement.
1. Disable or otherwise protect remote logon to the administrative console for all network devices and printers.
Network administrators should password-protect the administrative console of printers and devices and, where possible, disable the ability to connect to it remotely. To further limit risk, the ability to discover devices should be limited to an individual’s local network. There is no good reason a person in Atlanta should be able to discover and log on to devices in Shanghai (or vice versa).
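A defensive counterpart to the two points above (that a takeover can go unnoticed, and that admin logins should stay within the device’s own site), added here and not part of the original post: a small Python audit over constructed log lines that flags admin-console logins crossing site subnets or using a factory default account. The subnet-to-site inventory, the default account names and the key=value log format are assumptions.

```python
import ipaddress
import re

# Constructed inventory (assumption): the site each management subnet and printer belongs to.
SITE_SUBNETS = {"10.10.0.0/16": "atlanta", "10.20.0.0/16": "shanghai"}
PRINTER_SITE = {"10.10.5.20": "atlanta", "10.20.7.31": "shanghai"}
# Account names vendors commonly ship as the factory admin login (assumption).
DEFAULT_ADMIN_USERS = {"admin", "administrator", "root"}

# Constructed key=value log lines in the shape a device or syslog collector might emit.
SAMPLE_LOGS = """\
2024-03-01T08:02:11Z printer=10.10.5.20 event=admin_login user=itops src=10.10.3.44 result=success
2024-03-01T08:15:42Z printer=10.20.7.31 event=admin_login user=admin src=10.10.3.44 result=success
2024-03-01T09:01:05Z printer=10.10.5.20 event=admin_login user=admin src=10.10.9.9 result=failure
2024-03-01T09:30:00Z printer=10.20.7.31 event=scan_to_email user=guest src=10.20.1.2 result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.+)$")

def parse_line(line):
    """Parse one line into a dict of fields; return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group("rest").split() if "=" in p)
    fields["ts"] = m.group("ts")
    return fields if {"printer", "event", "user", "src"} <= set(fields) else None

def site_of(ip):
    # Map a source address to a site name, or 'unknown' if it is in no managed subnet.
    addr = ipaddress.ip_address(ip)
    for cidr, site in SITE_SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return site
    return "unknown"

def audit(log_text):
    """Return (timestamp, printer, reason) findings for suspicious admin-console logins."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] != "admin_login":
            continue  # only the admin console matters here; scan/print jobs are skipped
        src_site = site_of(ev["src"])
        dev_site = PRINTER_SITE.get(ev["printer"], "unknown")
        if src_site != dev_site:  # e.g. an Atlanta workstation logging on to a Shanghai device
            findings.append((ev["ts"], ev["printer"], f"admin login from {src_site} network to {dev_site} device"))
        if ev["user"] in DEFAULT_ADMIN_USERS:  # factory account still in use, or being guessed
            findings.append((ev["ts"], ev["printer"], f"vendor default account '{ev['user']}' ({ev.get('result', '?')})"))
    return findings
```

Run `audit(SAMPLE_LOGS)` to list the findings; failed default-account logins are reported too, since repeated failures are the trace an intruder leaves while guessing.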
2. Do not store information on network printers and devices including scanned or printed documentation and email addresses.
Network devices and printers are notoriously easy targets, so it is best practice to avoid storing anything of value on them. Most printers have options to prevent users from storing data. In addition, it is recommended to avoid using pre-configured address books.
3. Protect access to your network, especially those areas that are easily accessible to attackers, such as guest WiFi or remote connections to the network.
It is arguably impossible to protect yourself from an internal attacker (a rogue employee); however, a robust perimeter defense can prevent external entities from accessing network devices. Firewalls, network micro-segmentation, well-protected wireless access points, and well-controlled remote access connections should all be considered.