
Passback Attacks (Internal/External)

What's the Flaw?

Usually involves an insecure device, such as a printer or multifunction device, that is configured with an LDAP or SMTP client and credentials. It could also be a web server that has an LDAP or SMTP client. These devices typically use the credentials to do account lookups or to email scans to users.

How is it Exploited?

If the attacker has access to a device's embedded web server (EWS), they may be able to discover cleartext LDAP or SMTP credentials, which could then be reused elsewhere.

Or, even if the credentials are masked, the attacker can change the LDAP/SMTP server IP address in the EWS and forward a request to a netcat listener. Upon doing so, the client device will send cleartext credentials to the attacker's listener.

The Attack

  1. Log into the embedded web server (EWS) of a target device (e.g. a printer or scanner)
  2. Start a netcat listener on the required port on Kali (a tool like slapd could also be used)
    • responder can be used to capture LDAP requests, but you'll only get the NetNTLM hash
  3. Change the configuration on the target device so that the server IP address points to the listener
  4. Run a test call from the EWS (e.g. an LDAP/SMTP connection test)
  5. Check for cleartext credentials
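
Because step 3 repoints the device at a host that is not the real directory or mail server, the attack is visible as a printer opening LDAP/SMTP connections to an unapproved destination. The following detection sketch is an added example, not part of the original page; the device subnet, approved server addresses and flow-record format are constructed assumptions.

```python
import ipaddress

# Assumed inventory (constructed): the printer/MFD subnet and the only servers
# those devices are expected to contact for directory lookups and mail relay.
DEVICE_NET = ipaddress.ip_network("10.20.30.0/24")
APPROVED = {
    "ldap": {"10.0.0.10", "10.0.0.11"},
    "smtp": {"10.0.0.25"},
}
PORT_SERVICE = {389: "ldap", 636: "ldap", 25: "smtp", 465: "smtp", 587: "smtp"}
CLEARTEXT_PORTS = {389, 25}  # no implicit TLS, so a bind/AUTH may cross in the clear

# Constructed flow records in an assumed format: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-05-01T09:00:02Z 10.20.30.15 10.0.0.10 389
2024-05-01T09:03:40Z 10.20.30.15 10.0.0.25 25
2024-05-01T09:14:11Z 10.20.30.15 10.20.31.77 389
2024-05-01T09:14:55Z 10.20.30.22 10.20.31.77 25
2024-05-01T09:20:00Z 10.20.31.77 10.0.0.10 389
"""

def find_passback_candidates(flow_text):
    """Return alerts for device-originated LDAP/SMTP flows to unapproved hosts."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, dport = parts[0], parts[1], parts[2], int(parts[3])
        service = PORT_SERVICE.get(dport)
        # Only flows that originate from the device subnet are of interest.
        if service is None or ipaddress.ip_address(src) not in DEVICE_NET:
            continue
        if dst not in APPROVED[service]:
            alerts.append({
                "time": ts, "device": src, "dest": dst, "service": service,
                "cleartext_port": dport in CLEARTEXT_PORTS,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_passback_candidates(SAMPLE_FLOWS):
        print(alert)
```

An alert with `cleartext_port` set is the higher-priority case: the device's service account password should be treated as exposed and rotated.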