Re: Using a Stand-Alone Network Printer as a network attack entry point?

From: Security News (sec-news@xsec.net)
Date: 08/16/02


Date: Fri, 16 Aug 2002 13:26:27 -0400
To: "Nick Jacobsen" <nick@ethicsdesign.com>, <pen-test@securityfocus.com>
From: Security News <sec-news@xsec.net>

As for really modifying the ROM, it seems possible but also seems like a
LOT of work for something that might not even allow you to connect thru the
firewall.

My first question is: do you have physical access to start with? And if so,
why not drop in a small hub/proxy based hardware device (or even 802.11,
which works quite nicely)?

If you were able to drop a *NIX based small box in place behind the printer
you could actually use some of the current firewall tunneling software like
fwtun without any further configuration and end up with a real box you
could launch the attack from.

What about modifying a small ARM based processor board to have 2 NICs and
act as a tiny pass-thru that could be placed behind the device? This
device could be the size of a pack of cards and would allow you to connect
to an ARM Linux OS.

At 09:20 PM 8/15/2002 -0700, Nick Jacobsen wrote:
>Hi all...
> I came up with an idea, one that I've never heard discussed, of possibly
>modifying a stand-alone network printer (like most of the high-end office
>printers, hereafter referred to as a "SNP") to act as a full point to point
>proxy, or at least a simple pass through to the port and IP you specify in
>some sort of configuration. The idea here would be to take a SNP and modify
>a ROM image for the specific printer to include the proxy functionality. I
>realize this could turn out to be quite difficult, but at the same time, it
>would provide a way into the internal network when no others are available.
>Any comments are most DEFINITELY welcome, flames less so, but if it's a
>stupid idea, let me know...
>
>Nick Jacobsen
>nick@ethicsdesign.com
>ethics@netzero.net
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/



