How to lose your information system on a print server

Hi everyone,

A short time ago, one of my friends passionate into pentesting told me an anecdote. I want to make it clear that it is 100% truth and it happened in a medium-sized IT services company based in the US. Here we go !

Introduction

Last week, I was given access to a network that seemed at first sight quite secure.

As I am a little curious, the first thing I did when I settled was to run a network scan to see how many hosts were active and to have a vague idea of ​​the IS (Information System) of the company. All I had as information at this point was my IP address which informed me the address range of the floor. It was a tasty /24 as we like at a maximum of 254 hosts for the floor.

So I let nmap do his job with the information I had and when it finished, almost all devices were directly visible. I launched nmap a second time on a random host to see if something change. I compared then the second result with the first and I found something interesting. As the port 445 was open on almost all machines, I tried to launch an EternalBlue attack against a few hosts, but the connection failed every time I tried. Probably a firewall might block the connection but while trying to figure out what happened, I noticed another clue: a previously targeted device was named “PRINT-PC”.

Definitely curious about this strange device pretending to be a printer, I launched a third scan on it and I noted in addition to the Samba port (445) that the RDP port (3389) was also open. Naturally, I went to brute force the RDP (Remote Desktop Protocol) password by taking care to use the username, I previously collected from the Eternalblue first try. After an “Eternal” minute, the software got stuck and repeats 1234 giving an error on each attempt. I open my RDP client to see what’s wrong and …

OMG
The password was really 1234! 😱

I walked a little on the account I successfully broke in and, after digging a little, I found informations to say at least sensitive. About 2 GB of data in all. Afterwards, I didn’t miss to report the issue to the technical team.

It was at this exact moment, I had the worse idea that will, in less than 10 minutes, lead to a total chaos in the whole building. The idea was quite simple, if on a random floor, there is a device called “PRINT-PC”, it would probably mean that, there is a device called “PRINT-PC” on all other floors. No sooner said than done, I tried to connect to the same address by changing only the floor number with the same login. It worked once, twice, thrice and then I realized it would work with all other floors.

After that, I ran a well-known script to retrieve the NTMLv2 hashes to attempt a privilege escalation (the logical next step). Luckily I got almost all the hashes of all users in the building. The less glamorous thing though, was I made some noise in the network: the script broadcasted my IP on the PBX used by the staff directly from their machines and not from an external Cisco phone and that’s how after 5 minutes, I heard everyone complaining that “nothing was working”, not even the phones!

OMG

Despite all the panic, I still managed to do my little privilege escalation and open on a station near me a command prompt with the administrator rights! And although it’s true that just after, I had a hard time with the IT team, this story anecdote did my week!

Conclusion

Unfortunately, a poorly protected Windows printer server is enough to break all the security of an Information System. Add to the recipe a bit of luck (or bad luck) and you will an unseen chaos which can turn any normal day of a lambda employee into a remake of World War Z !!

Voilà ! I hope you enjoyed this short anecdote. Feel free to share it with your friends or colleagues! I’ll see you soon for a new article and why not a new story 🤠

In the meantime, be brave (why not ?), be kind with lamas and see you soon!