Auditing Networked Printers 16


  • 8/8/2019 Auditing Networked Printers 16

    1/60

    Security Beyond the Checklist

    This paper is from the SANS IT Audit site. Reposting is not permitted without express written permission.

    Copyright SANS Institute

    Author Retains Full Rights

    Interested in learning more? Check out the list of upcoming events offering

    "SANS IT Security Audit and Control Essentials (Audit 410)"

    at http://audit.sans.org/events/



    Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46


    SANS Institute 2000 - 2005 Author retains full rights

    Auditing Networked Printers

    Greg Johnson
    August 15, 2001
    SANS GIAC GSNA 1.0

    ABSTRACT

    Printer security requires more than protecting paper. Printers have revealed confidential information via the network connection. Networked printers have even been exploited for denial of service attacks. Unfortunately, a thorough search of security auditing standards reveals only superficial consideration of these devices. Networked printers offer several audit challenges. Beyond evaluating configuration, objectively evaluating a network device requires external, black box tests. Tests may face a dozen or more ports and corresponding services and undocumented protocols. This paper presents practical research and scanning techniques to help auditors test for likely vulnerabilities in networked printers and internet appliances in general. The second part of this paper applies these techniques to an audit of fourteen printer models in the author's university department. That assessment surmounts both defeatist presumptions of "Printers? What's to audit?" and "Printers? Impossible to audit!" The resulting recommendations will sound familiar: Set appropriate passwords. Disable unneeded services. Filter network access. Regularly verify these settings by automated audits.

    CONTENTS

    PART 1 BACKGROUND

    Auditing Network Appliances

    Current State of Practice

    Subjective Questions

    The Risk List

    Existing Audit Procedures Governing Networked Printers

    Needs for Improvement

    Ten Resources for Auditing Black Boxes

    Networked Printer Audit Procedure

    R: Risk Assessment (Subjective Measures)

    I1: Basic Inventory (Subjective Measures)

    I2: Technical Inventory (Objective Measures)

    I3: Research Diligence (Customizing Subjective and Objective Measures)

    S1: Common Standards (Objective Measures)

    S2: Specific Needs (Objective Measures)

    P: Procedures (Subjective Measures)

    Interpretation

    PART 2 APPLICATION

    Audit Environment

    Audit Narrative

    Administrative Summary

    Audit Evaluation

    Directions for Future Work

    REFERENCES

    PART 1 BACKGROUND

    Auditing Network Appliances

    The Center for Internet Security has resolved to test networked devices besides the usual general-purpose systems:

    Appliances such as copiers, fax machines, printers, and even household appliances are being connected to the Internet in rapidly increasing numbers. Unless these devices are properly secured, they can be used as agents in distributed denial of service attacks against other users. Planning is currently underway for the CIS Appliance Testing Laboratory, where Internet appliances will be tested and certified. [8]

    In the author's experience, practically all Internet appliances are insecure, as utterly insecure as their functionality allows!

    Though relatively simple in basic function, networked appliances tend to botch basic protocols, exposing devices to indiscriminate or targeted denial of service attacks and ordinary OS fingerprinting scans utilizing malformed IP packets.

    Vulnerability in IP implementation of HP JetDirect printer card Firmware x.08.20 and earlier allows remote attackers to cause a denial of service (printer crash) via a malformed packet. [12]

    Primitive duplicate IP exploitation can shut down a nearby infrastructure database, e-mail server, or router.

    Three of our networked HP printers were remotely configured, by persons unknown, to use the IP addresses of two of our Unix servers (one database server and our web server). This effectively blocked access to those servers for users on the same subnet. [1]

    We experienced a similar break in just over a year ago - only the hacker used the IP address of our campus Internet router to take down our internet connection. To help convince your reluctant departments about the need to set passwords: our hacker set the password when they broke in - it was lucky for us that they used a password that we had found on another system they broke in to. No passwords is a quick way to lose control of your printer.... [34]
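    The duplicate IP incidents quoted above leave a network-side trace: a printer reconfigured with a server's address answers ARP for that address alongside the real owner, so two MAC addresses appear for one IP. The script below is an added example and not part of the paper; the subnet, host names, addresses and MAC addresses in it are constructed, standing in for (timestamp, ip, mac) records a sniffer or switch log would supply. It flags every IP claimed by more than one MAC, names the infrastructure host affected, and reports which other address the intruding MAC was previously seen with, which is how the misconfigured device gets located.

```python
"""Flag duplicate-IP conflicts on a printer subnet from ARP observations.

Added example, not from the paper. The subnet, host names, addresses and
MAC addresses below are constructed; in practice the observations would come
from a sniffer or switch log recording (timestamp, ip, mac) for ARP replies.
"""
from collections import defaultdict

# Constructed: infrastructure hosts sharing the printers' router/gateway.
CRITICAL_HOSTS = {
    "10.0.5.1": "campus-router",
    "10.0.5.10": "db-server",
    "10.0.5.20": "web-server",
}

# Constructed sample ARP observations: (time, ip, mac).
ARP_LOG = [
    ("09:00:01", "10.0.5.1", "00:50:56:AA:00:01"),
    ("09:00:02", "10.0.5.10", "00:50:56:AA:01:10"),
    ("09:00:03", "10.0.5.20", "00:50:56:AA:01:20"),
    ("09:00:04", "10.0.5.77", "00:60:B0:12:34:56"),  # a printer at its normal address
    ("09:05:30", "10.0.5.10", "00:60:B0:12:34:56"),  # same MAC now answers for db-server
    ("09:05:31", "10.0.5.10", "00:50:56:AA:01:10"),  # the real db-server still answers
]


def macs_per_ip(observations):
    """Map each IP to the set of (lower-cased) MACs seen answering for it."""
    seen = defaultdict(set)
    for _ts, ip, mac in observations:
        seen[ip].add(mac.lower())
    return seen


def other_addresses_of(observations, mac, exclude_ip):
    """Other IPs this MAC has answered for; this locates the misconfigured device."""
    mac = mac.lower()
    return sorted({ip for _ts, ip, m in observations
                   if m.lower() == mac and ip != exclude_ip})


def find_conflicts(observations, critical=CRITICAL_HOSTS):
    """Return one finding per IP claimed by more than one MAC.

    Each finding is (ip, host name or 'unlisted', sorted MACs,
    {mac: other IPs that MAC was seen with}).
    """
    findings = []
    for ip, macs in sorted(macs_per_ip(observations).items()):
        if len(macs) < 2:
            continue
        origins = {m: other_addresses_of(observations, m, ip) for m in sorted(macs)}
        findings.append((ip, critical.get(ip, "unlisted"), sorted(macs), origins))
    return findings


def critical_conflicts(observations, critical=CRITICAL_HOSTS):
    """Subset of conflicts that touch the listed infrastructure hosts."""
    return [f for f in find_conflicts(observations, critical) if f[0] in critical]


if __name__ == "__main__":
    for ip, name, macs, origins in critical_conflicts(ARP_LOG):
        print(f"CONFLICT {ip} ({name}) claimed by {', '.join(macs)}")
        for mac, others in origins.items():
            if others:
                print(f"  {mac} also answers for {', '.join(others)}")
```

    On the constructed log the only conflict is 10.0.5.10 (db-server), and the second MAC claiming it is the one that earlier answered for 10.0.5.77, pointing at the printer. Running such a check from the same broadcast domain as the printers, rather than only watching server logs, catches the condition before users on the subnet lose the server.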


    Tektronix PhaserLink 850 does not require authentication for access to configuration pages such as _ncl_subjects.shtml and _ncl_items.shtml, which allows remote attackers to modify configuration information and cause a denial of service by accessing the pages. [13]

    Devices can expose confidential data in transit, storage, or output. Few networked printers support encrypted network communication or other forms of VPN. Web control interfaces have allowed access to unprotected data, or unauthorized reprinting of previously spooled files.

    Despite ROM rebuffs to foreign programs, configuration choices affecting security can often be altered through the network. Configurations easily fail to utilize password protection, connection limiting, and other security best practices, or these choices may be lost through power failure or front console tampering.

    Access to the QMS 2060 printer is controlled by the passwd.ftp file. This file contains simply a list of usernames and passwords. However, even with this file in place, root can still logon without a password entered. This would allow the attacker to alter the passwd.ftp file, as well as the hosts file which lists the machines authorized to print to the QMS. [6]

    Objectively auditing Internet appliances poses challenges:

    Internal tests as conducted on general-purpose computers are typically impossible for ROM-based systems and bare device controllers. Controller capabilities will open up, for better and for worse, as Linux-based and Java-based appliances develop.

    The black box capabilities of devices of the same class vary widely. A networked printer often supports proprietary variations of some of the protocols Lpd, Telnet, FTP, HTTP, SNMP, Syslog, and even SMTP. Printers support entirely proprietary protocols. Data streams such as Postscript and PCL often support proprietary printer control functions such as tray selection. There's little to prevent a vendor from letting data stream escape sequences alter security configuration settings or reveal system passwords or other stored data. Such capabilities and their vulnerabilities are rarely apparent from the front panel or even from vendor literature.

    Networked appliances promise plenty of fodder for GIAC practicals! This GIAC practical will focus on the most common of networked appliances, the networked printer, and more on the network issues than on issues common to all printers or issues of host-attached printers.

    For host-attached printers, security issues of the host dominate. The author's experience yields two unscientific cynicisms for host-attached printers:

    Did the printer vendor also sell you the dedicated host controller? Then the host controller will be grotesquely behind on security patches; will have default insecure configurations; for the vendor's benefit will have insecure remote access enabled with default passwords or no passwords; and cannot be upgraded to the latest NT, Solaris, or whatever without breaking the proprietary print applications.

    The more a printer outweighs its dedicated host, the more insecure the host.

    The hybrid situation of a networked printer that functions only through a controlling host should be audited as a networked printer.

    Current State of Practice

    The Risk List

    Before reviewing networked printer audit standards, such as they are, how will we know when an audit will be productive? In an enterprise with many auditing needs, do printers deserve auditing? Audit costs should not exceed maximum audit benefits! Risk analysis, a subjective process, should precede audit, for it estimates the relative importance to the enterprise of proposed audit efforts.

    Minimizing audit effort and costs without losing audit quality will gain applause from all who have endured unproductive bean counting.

    Damages can be estimated without reference to how they might occur. One can quickly make rough qualitative risk estimates. Not much more time is needed to estimate the extremes of financial risks. Such quantitative estimates have value later in prioritizing security response. [19] The risk assessment asks questions that focus on the value of lost resources:

    1. How much would it cost to replace this device? (The printer cost $200.) Network attacks that can severely damage a wax-based printer are considered in [28].

    2. How much would abused supplies cost? (Those cartridges cost $30 each.)

    3. What would unavailability of the device cost? (Hmm, we couldn't ship goods without invoices, and only one other printer handles those forms.)

    4. If information transmitted, stored, or output via this device was disclosed physically or through the network, what would such breach of confidentiality cost? (Not much. Wait, does that include our draft earnings reports, our client list, our salary reports?)

    5. If somebody could print unauthorized extra copies, would that hurt? (Well, we don't print money here, or NSync tickets, but the occasional customer refund voucher should only be printed once.)

    6. If the device is exploited to take down a company infrastructure server, what would that cost? (How is that possible? It would cost hundreds or thousands of dollars per hour of outage!)

    The audit will often uncover new factors that require revision of the risk list.


    The audit may discover risk from overlooked business functions: "We don't want patient medical records getting out! We really do print NSync tickets!"

    The audit may discover new categories of abuse or waste.

    The audit may discover device capabilities that increase external risks in unexpected ways. ("Why is my e-mail full of 'print finished' messages?")

    For each of the potential damages, one must estimate the likelihood of occurrence based on external factors. By external we mean outside the audit domain. If we are auditing a networked printer, then external includes threats from within an enterprise firewall such as abuse by employees. Be sure to partition the overall audit so that nothing is omitted. The external environment has three dimensions:

    Means of communication: physical versus network: memory sticks, infrared, wireless.

    Threats.

    External mitigating measures such as locks, guards, security cameras, authentication systems, firewalls, intrusion detection systems, and business controls. The defense in depth strategy requires that the audit consider risks both with and without these other defenses.

    Not all attacks benefit an attacker. Random, indiscriminate probes and attacks are a minute-to-minute reality on the Internet and increasing. The author has witnessed printers locked up every hour until router filters were installed. The printers were receiving attacks that were intended to overflow buffers on Windows or Unix host services. The author has found paper trays depleted by FTP uploads of binary files. (Porn? Messages from the stars?)

    Physicians must daily weigh the likelihood that additional tests (audits) are worthwhile. Although Alzheimer's Syndrome can be positively diagnosed by sampling brain tissue, since there is now no cure for Alzheimer's, why dig into a brain? Similarly, investigating vulnerabilities of undocumented services on a networked appliance may be unprofitable compared to simply blocking these with a router filter or firewall. However, if the enterprise has several hundred such networked appliances, then research may be worthwhile. The CIS Appliance Testing Laboratory cited proposes appropriate global effort to tackle what might often be uneconomic on an enterprise scale.

    Existing Audit Procedures Governing Networked Printers

    The author reviewed many public IT auditing procedures including the six listed at [7]: RFC2196, COBIT, FISCAM, GASSP, NIST, and SysTrust. This revealed at best very general, high-level guidelines, such as SysTrust's:

    S1.4 Responsibility and accountability for system security have been assigned. [3]

    The emerging SANS/CIS audit rulers have not yet developed host-based print subsystem issues that could be adapted to networked printers. The preliminary NT ruler offers just three points about the printer subsystem:

    Windows NT Ruler Draft 0.6 April 09, 2001

    Action S2.28 Set up file, RAS, printer and registry auditing as your site policy requires.

    Action S3.5 Add the following registry value ... Print Operators should not have access to the printer driver files. These files run in kernel mode and a Print Operator that cannot be trusted could gain administrative access to the system by installing a Trojan Horse driver. Therefore, make Administrators the owners of those drivers and set appropriate ACL's on them.

    Action S3.11 Do not install a printer on the IIS machine. Computers in the DMZ should not be used for printing. If you MUST install a printer, apply all relevant patches for the spooler service. [31]

    The Solaris ruler [8] has similar brief instructions to disable printer facilities or restrict access to them.

    Such operating system checklists do suggest points that easily apply to other technologies. Here are points of the above draft NT Ruler converted to networked printer concerns. Although the tests that prompt these actions often don't apply outside NT, the action items are generalizable. These retain original item numbers.

    FIGURE 2: Draft Printer Action Items Modeled from NT Ruler

    S1 Action Items. A list of security actions needed for all network connected systems, both inside and outside a firewall.

    Action S1.2 Utilize printer room climate controls.

    Action S1.3 Install UPS.

    Action S1.4 Secure if possible any external disk boot sequence.

    Action S1.9 Create/update any boot or recovery disks.

    Action S1.10 Establish boot/recovery disk storage.

    Action S1.11 Disable unneeded services.

    Action S1.20 Ensure all accounts have non-default passwords.

    Action S1.33 Establish procedure for log/accounting file collection and removal.

    Action S1.48 Install the latest software and firmware updates.

    Action S1.55 Remove employee account upon employee termination.

    Action S1.59 Maintain a support and operator contact list.

    Action S1.60 Create/test/maintain recovery procedures.

    S2 Action Items. A consensus list of additional actions that are required for certain configurations of hardware, software, and network design, but which are not suitable for deployment on all machines.

    (The few S2 items that adapted to printers were found then to be redundant.)

    S3 Action Items. A collection of sets of additional security actions tailored for specific needs.

    Action S3.1 Provide advanced printer room access controls.

    Action S3.2 Provide advanced printer room surveillance.

    Action S3.4 Install FTP logon messages and warning banners.

    Action S3.17 Disable unnecessary services on production IIS printers.

    Action S3.23 Utilize IP address restrictions.

    Action S3.34 Consider using VPN technologies for data transmission.

    Action S3.38 Disable user accounts for employees leaving company.

    P Action Items. 'Procedural' entries are actions and procedures that need to be taken, but which are NOT automatically verifiable. However, they are things that do need to be done as part of securing a machine. A systems administrator should do these things, and check them off. Auditors should check that the systems administrator has in fact taken action.

    Action P.1 Enforce the least privilege principle.

    Action P.6 Restrict modem access.

    Action P.7 Limit access to console.

    These reincarnate in the audit checklist displayed later.

    Needs for Improvement

    The author could not locate a ready-made security audit procedure or checklist for networked printers. Web queries with Google, Hotbot, Northern Light, and Ask Jeeves revealed no procedures or checklists for combinations of keywords including: printer security audit vulnerability. Similar keyword searches on security sites including SecurityFocus.com, SANS, Information Security Magazine, and Neohapsis and its archives revealed reports of specific vulnerabilities, but no audit lists. Networked printers were also below the radar of newer security texts such as The CERT Guide To System and Network Security Practices, 2001 Addison-Wesley, and were not covered in older books either.

    Kevin Smith's GIAC submission, Do You Copy? Security Issues With Digital Copiers [33], offers several practical guidelines that apply to a wide range of networked appliances.

    The following ten-step research procedure is the basis for the checklist thispaper developed. The main idea is to gather vulnerabilities and best practices.

    Ten Resources for Auditing Black Boxes

    1. Get technical manuals on paper. Get technical manuals, updates, FAQs, etc. from the vendor website. Security related admonitions and tips will provide audit points.

    Example of HP printer online documentation: http://www.hp.com/cposupport/prodhome/hplaserjet7856.html

    FAQ regarding complex procedure to set SNMP access: http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0xaaab53921f1ad5118fef0090279cd0f9,00.html

    Making HP Jetdirect Print Servers Secure on the Network: http://www.hp.com/cposupport/networking/support_doc/bpj05999.html

    2. Determine model family for device, and any predecessors and successors. Note any promoted security improvements. Are any firmware upgrades or similar change histories recorded? These may suggest vulnerabilities.

    3. Locate other products, including those from other vendors, that share the same components, especially the network interface hardware and software.

    4. Search vulnerability discussions. Check for specific model number, kindred model numbers, device type, and network-related hardware and software components. Search forms for some such vulnerability discussions include:

    Bugtraq and others: http://www.securityfocus.com/

    CVE: http://cve.mitre.org/cve/

    ICAT: http://icat.nist.gov/icat.cfm -http://www.securitywatch.com/fr_icat1.html

    CERT: http://search.cert.org/


    ISS: http://xforce.iss.net/search.php (Note sort by platforms affected)

    InfoSysSec: http://www.infosyssec.org/infosyssec/

    Packet Storm: packetstorm.securify.com (In transition)

    Example: HP JetDirect issues: http://xforce.iss.net/alerts/advise15.php

    5. Check user group archives. Solicit advice from user group discussions. Examples:

    Usenet comp.periphs.printers: http://groups.google.com/groups?group=comp.periphs.printers

    Usenet comp.sys.hp.hardware: http://groups.google.com/groups?group=comp.sys.hp.hardware

    6. Solicit maintainers and users of device for stories of odd behavior (the devices', not the users'). Seek signs of vulnerabilities: system lockups, garbage output.

    7. Find service bureaus using this technology. Check their promotional literature for assurances of security. An outstanding example:

    As a Banknote Corporation of America client, you can be confident that the toughest security measures are taken to protect your valuable documents. Our printing plant is guarded around the clock by our own armed police force. Electronic surveillance is in use throughout the facility, and all production, shipping and receiving areas have restricted access and are completely fenced. Printing plates and finished documents are stored in secure vaults. ... Reconciliation of all printed material is achieved through the use of a printed alpha-numeric identification unique to each cylinder repeat. Such identification is available for all printing formats.... Database management permits detailed tracking of the product at each manufacturing step.... The accountability system allows for prompt destruction of unwanted material if so required. All accountability records (hardcopy and electronic) are archived for future reference. [4]

    8. Competitive claims of better security features suggest audit points:

    Auto-Reprint Disable - When a paper jam occurs, or if someone opens the printer cover during printing, a standard HP LaserJet printer will automatically reprint the page after recovery.... When the printer is in MICR mode the printer destroys the page image in memory when a paper jam occurs.

    No Multi-Copy - When the printer is in MICR mode Liaison's security DIMM prevents a user from duplicating checks by requesting more than one copy from the control panel. The security DIMM systematically sets the multi-copy to one and filters front panel and PCL escape sequence multi-copy requests. [27]

    The Xerox DocuPrint 4517, starting at a "street price" of about $1,850, is a 17 page-per-minute (ppm) network laser printer that is the first to offer an optional mailbox unit that delivers sensitive documents to bins that can only be opened when a user enters the proper security code. It allows office workers to access a high-speed, high-quality network printer, but with the security of a printer on the desktop. [35]

    9. Comb operating system security checklists for configuration issues with the network interface, passwords, services such as web and FTP access, logging, spool overflow precautions. General points often apply to simpler networked devices.

    10. Inventory the device's ports and protocols via nmap [16] or aggressive tools such as Nessus [14]. Identify ports or protocols requiring further research, perhaps with network sniffing tools. Kevin Smith's GIAC practical offers a model of such research:

    NMap showed ports 21(ftp), 23(telnet), 129(pwdgen) and 515(printer) listening on the copier. Telnet revealed something interesting. Instead of the expected login prompt, the line "HTTP 1.1/1.0 ROMPager by Allegro" briefly flashed by and telnet locked up. A search on the web revealed that ROMPager by AllegroSoft is a common package used to embed management services into network devices. Besides Sharp, 3Com has used it in their switches and Xerox has used it in their DocuCentre lines [2]. The web search also showed that certain versions of ROMPager are subject to denial of service attacks on FTP [8].

    The ROMPager features page cleared up what PWDGEN was doing [3]. During HTTP management it looks like ROMPager sets a session cookie using a password from pwdgen and the system time for whenever the system administration password is used. However, this process doesn't make much sense. The administration password is sent as cleartext with the prefix http-pwd when the management web page is posted. There is vulnerability six. [33]
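    Step 10 and the abstract's closing recommendation, to regularly verify settings by automated audits, fit together if the nmap inventory is turned into a repeatable comparison. The script below is an added example, not code from the paper or from Kevin Smith's practical: it parses nmap's grepable (-oG) output, compares each printer's open TCP ports with an auditor-chosen baseline, and reports ports that have opened since an earlier scan. The scan output in it is constructed, and the baseline of LPD (515) and JetDirect raw printing (9100) only is an assumption the auditor would set per enterprise, not a vendor or SANS value. The script reads saved scan output, so the scan itself is still run under whatever change-management constraints the audit procedure imposes.

```python
"""Compare nmap grepable (-oG) output for networked printers against a baseline.

Added example, not from the paper. The scan output below is constructed; the
ALLOWED_TCP baseline (LPD 515 and raw/JetDirect 9100 only) is an assumption the
auditor would set per enterprise, not a vendor or SANS value.
"""
import re

# Constructed sample of `nmap -oG` output for two printers on one subnet.
SCAN_TODAY = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.5.77 (lj4050.example.edu)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1538)
Host: 10.0.5.78 (phaser.example.edu)\tPorts: 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1541)
"""

# Constructed earlier scan of the same devices, kept as the previous audit record.
SCAN_LAST_MONTH = """\
Host: 10.0.5.77 (lj4050.example.edu)\tPorts: 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1541)
Host: 10.0.5.78 (phaser.example.edu)\tPorts: 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1541)
"""

# Assumed baseline: only the print submission protocols may be reachable.
ALLOWED_TCP = {515, 9100}

# Names for the ports a printer audit most often meets (for the report only).
SERVICE_NAMES = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp",
                 515: "lpd", 631: "ipp", 9100: "jetdirect"}


def parse_grepable(text):
    """Return {ip: set of open TCP ports} from nmap -oG lines.

    Each entry in the Ports field has seven slash-separated fields:
    port/state/protocol/owner/service/rpcinfo/version.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports = set()
        m = re.search(r"Ports:\s*([^\t]*)", line)  # field ends at the next tab
        if m:
            for entry in m.group(1).split(","):
                fields = entry.strip().split("/")
                if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                    ports.add(int(fields[0]))
        hosts[ip] = ports
    return hosts


def unneeded_services(text, allowed=ALLOWED_TCP):
    """Hosts exposing TCP services outside the baseline -> sorted extra ports."""
    return {ip: sorted(p - allowed)
            for ip, p in parse_grepable(text).items() if p - allowed}


def newly_opened(previous_text, current_text):
    """Ports open now that were not open in the previous scan, per host.

    A service reappearing after it was disabled usually means the configuration
    was lost (power failure, console reset) or altered over the network.
    """
    before = parse_grepable(previous_text)
    now = parse_grepable(current_text)
    return {ip: sorted(ports - before.get(ip, set()))
            for ip, ports in now.items() if ports - before.get(ip, set())}


def describe(port):
    """Render a port as 'port/name' for the audit report."""
    return f"{port}/{SERVICE_NAMES.get(port, 'unknown')}"


if __name__ == "__main__":
    for ip, extra in unneeded_services(SCAN_TODAY).items():
        print(f"{ip}: unneeded services {', '.join(describe(p) for p in extra)}")
    for ip, opened in newly_opened(SCAN_LAST_MONTH, SCAN_TODAY).items():
        print(f"{ip}: newly open since last audit {', '.join(describe(p) for p in opened)}")
```

    On the constructed input the LaserJet shows FTP, telnet and HTTP outside the baseline and all three as newly opened since the previous scan, while the Phaser is unchanged. Keeping the previous -oG file as the audit record is what makes the second comparison possible.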

    NETWORKED PRINTER AUDIT PROCEDURE VERSION 2001-08-06

    Subjective inquiries in the following procedure are labeled simply Questions. In this audit procedure are three phases of Questions. Objective measures are labeled Tests, and also fall into three phases. How do we know when a system is out of spec? That requires Auditor Interpretation. As in a computer program, "if, then" interpretation occurs throughout the audit process.

    These phases can proceed independently, even simultaneously. However, the basic flow and dependencies are resolved by following the order listed. Some auditor responses might be offered during the process, but most should wait for completion of all phases.

    The preliminary R, I1, I2, and I3 mainly gather information. The subsequent S1, S2, S3 and P phases correspond to the SANS / CIS NT and Solaris rulers previously mentioned. Note that the S3 phase, intended for special issues by virtue of the diversity of equipment, is open to customization per device.

    R: Risk Assessment (Subjective Measures)

    Auditor Preparation:

    1. Any preliminary inventory from phase I1.1 or I2.1 will help in counting resources in a particularly large audit domain. The enterprise's business office or an informal survey may provide sufficiently accurate information for the audit's purposes.

    2. Similarly, the auditor should identify important networked equipment that could be affected by a duplicate IP address attack, that is, equipment sharing the same router/gateway as the audited device. It's usually not hard to find a file server, database, web server, or (grin) administrators in the printer's subnet. The router itself may be vulnerable to its own IP address or broadcast address duplication.

    3. Stealing confidential printouts is low tech but requires physical presence. Stealing the same data by network is less risky. That high-tech theft can use wiretap or sniffing, or might exploit demonstrated flaws in some printers' web or FTP controller using ../ paths to read data that is waiting for print.

    4. Be prepared to help fill blanks with representative costs: printers, paper, toner, federal fines, privacy lawsuits, and staff effort in incident response or down time can make risk estimation a matter of one meeting.

    5. Meetings with management should also review: audit domain; written permission for testing; change management policies if any configuration improvements will be tested during the audit; announcements to users.

    Questions for Management:

    1. How much would it cost to replace these devices?

    2. How much would abused supplies cost?

    3. What would unavailability of the device cost?

    4. If information transmitted, stored, or output via this device was disclosed physically or through the network, what would such breach of confidentiality cost?

    5. If somebody could print unauthorized extra copies, would that hurt?

    6. If duplication takes down a local connection, what could that cost?

    Auditor Interpretation:

    The immediate value of this exercise is to convince the enterprise that vulnerability in mundane equipment like a single printer can easily lead to major losses for other equipment and to major exploitations of confidential information.

    I1: Basic Inventory (Subjective Measures)

    To be completed by printer owners or operators, supplemented with interviews and observation.

    Questions:

    1. Identify print devices by network address, model, physical location, and

    primary contacts.2. Identify for each device any confidential business or organizational data

    that might typically be printed. Consider anything containing credit cardnumbers, social security numbers, patient medical records, studenteducational records, client lists, bids, personnel action reports, earningsreports, etc.

    3. Identify any other sensitive business printing, such as checks oremployee ID cards.

    4. Describe controls for access to ordinary paper and to any special forms.Controls for this and the following items address theft or other

    unauthorized use. Controls include locked rooms, ID keys, someone withguard responsibility (please specify name or position), surveillancecameras, shredders, employee vigilance (EV), and none.

    5. Describe controls for supplies such ink or toner cartridges.

    6. Describe controls for output retrieval.

    7. Describe controls for output disposal.

    8. Describe controls for console access.

    9. Does the printer area display any acceptable use warning?

    10. How are users informed of any handling and disposal requirements for confidential or sensitive output?

    11. Are procedures observed to regularly change controller passwords or change them after employee exit?

    12. Describe any unusual events that might signal a security problem or at least a reliability problem with printing. Examples: a printer that needed frequent restarting; unaccounted or garbage output; excessive personal use; and missing output.


    13. Be prepared to provide available technical manuals to the auditor.

    The enterprise may want to add reliability, capacity, and function issues to these security inquiries.

    Auditor Interpretation:

    Encourage appropriate physical security measures already in place, particularly those individuals showing exemplary effort.

    Identify any discrepancies between this list of printers and the network-gathered list.

    After at least sample verification that employees understand their assignments as contacts, operators, or guards, identify any miscommunication or needs for training.

    Recommend changes in physical controls as appropriate.

    Recommend any needed "authorized use only" banners.

    Recommend any needed user indoctrination for handling confidential or sensitive data.

    I2: Technical Inventory (Objective Measures)

    These are mostly objective, automated inventories.

    To be completed by auditor.

    Tests:

    Note: For this and subsequent testing, the auditor must work within the local change management process. Notify all affected parties of possibility of disruption. Nmap and Nessus have killed printers and other devices. Wait for device to quiesce. If possible, have someone observe device during test. After testing, verify continued function, physically if necessary. Someone should be available to restart service.

    If inventorying systems via scanning, later retry unavailable systems. They may have died from scanning! OS fingerprint techniques are not perfectly accurate. Compare in Part 2, table "Printers to be audited", column "Actual Model", with subsequent nmap listings. The HP JetDirect card is a common network connection and fingerprint serving a variety of HP and non-HP devices, such as the $8,000 Canon copier/printer listed in Part 2. This confirms another unscientific dictum for auditing: the rarer the device, the less accurate its fingerprint, the less likely it has been audited, and therefore the more insecure.

    1. Via automated means such as nmap (http://www.insecure.org) [16], verify network addresses and device types for printers.

    2. Identify any other communication channels such as modems, infrared or wireless.


    3. Dump configuration information for device, physically and via net.

    4. Identify open network ports, at least for each representative device, and for each device if higher security is required.

    5. If possible, verify service or protocol running on each port using Nessus (http://www.nessus.org) [14], telnet, ftp, web browsers, SNMP tools, etc. See "HP JetDirect Port Numbers for TCP/IP (UDP) Connections", http://www.hp.com/cposupport/networking/support_doc/bpj01014.html [20]. You can supplement your copy of nmap-services with such information.

    6. If possible, back up a representative device, reset it to factory defaults, and check open ports and services again. Restore device.

    Auditor Interpretation:

    Report if stress testing from such tools as nmap and Nessus produces locked machines or other symptoms of device vulnerability.

    Summarize discovered vulnerabilities and recommended countermeasures.

    Report new vulnerabilities to the vendor, then to vulnerability tracking groups.

    I3: Research Diligence (Customizing Subjective and Objective Measures)

    Activities:

    1. From vendor literature or experimentation guided by configuration dump, identify additional ports or services that might become enabled.

    2. From research (see attachment) identify known security vulnerabilities for this device.

    3. From research identify any low-level best practices for this device.

    4. In situations requiring higher security, determine if transmission of data is sniffable. Use of switches as opposed to routers for both ends of local transmissions makes sniffing harder.

    5. Determine which device open ports are filtered at the Internet gateway or other point upstream from the device, by authorized test from external source.

    Auditor Interpretation:

    Supplement the subsequent general questions and tests with information gleaned from research.

    Share unto others. Summarize your research to an appropriate discussion group or security project!


    Summarize to customer findings that might better inform future purchases, such as "this vendor has a history of response/non-response to security issues."

    S1: Verify Common Standards (Objective Measures)

    To be completed by auditor.

    Tests:

    1. Does device utilize appropriate climate controls?

    2. Does device utilize appropriate power conditioning or UPS?

    3. For high reliability or high security devices, is status of device externally monitored?

    4. Does device allow booting from external media? If so, can booting from external media be password protected?

    5. Is all configuration access via non-default, non-null passwords? Check for console and each form of remote control. If SNMP is enabled, include public and private SNMP community names. List any non-password access.

    6. Is accounting information logged through the network, as opposed to in the device's own storage?

    7. Are any status reports sent to just a specific point, rather than for example e-mail addresses specified in the data stream?

    8. If device does not have latest software or firmware updates, are these reputed to provide better security or reliability, or worse?

    Auditor Interpretation:

    Note: Audit may be permitted to try immediate security improvements as is practical. Follow local change management rules! Try to experiment with a less-used representative system. Notify affected users. Have local technical support person push all the buttons. Back up or save a dump of the configuration; don't throw this away. Verify desired effect such as closed service. Verify continued functionality of device.

    Recommend reliability improvements as appropriate. When systems fail, people take security shortcuts. Security measures may be lost in restoring a system. Therefore, reliability supports security.

    Network-based monitoring facilities such as Big Brother [5] focus on service availability. They serve security by quickly identifying at least the effects of attacks on critical systems.

    Secure non-default boot process if necessary.

    Disable unneeded services. List disabled services and remaining services. Verify by port scan.

    Secure access with non-default, non-null passwords. Identify any unprotectable control to be addressed by external measures. Of course unsecured passwords let intruders reconfigure or abuse the device even for denial of service attacks. For further injury, an intruder could set an unsecured password to one of his choosing. Correcting this could require anything from a console reset that clears all settings, to a visit from vendor technical service.

    If possible, gather accounting logs via off-device syslog and disable any internal accounting that can fill storage.

    Recommend software or firmware upgrades as appropriate. An upgrade should be followed by this same set of tests.

    S3: Actions for Specific Needs (Objective Measures)

    The specific needs for printers tend to be higher levels of security and reliability. This phase focuses information gathered from the other phases in the form of full spectrum attacks and informed attacks on the device. Thus, this is the most customizable of the audit phases.

    Tests:

    1. Are FTP, Telnet, Web and other control logon messages and warning banners possible?

    2. Does device restrict access to an appropriate set of network addresses?

    3. For highly confidential or sensitive data, does device utilize encryption technology such as VPN cards?

    4. Using Nessus or other vulnerability scanners, launch active intrusion and broad-spectrum denial of service attacks against the device. Do any attacks succeed?

    5. Verify known vulnerabilities or family vulnerabilities by specially crafted attacks. Do attacks succeed?

    6. Test mitigating effects of filtering or firewall protection for these vulnerabilities. Do attacks still succeed?

    Auditor response:

    Recommend authorized use only banners.

    Recommend and, if possible, test IP range restriction if such a facility exists.

    Where VPN is required, replacing the device's network card with a $250 IPSec card may be feasible, but computers transmitting secure data must have a compatible card. Currently, this technology is not compatible across vendors. The most flexible and functional remedy is to convert the printer to host-attached mode. A second network card can be added to the host or other ports may suffice. This arrangement can also protect the printer from poison packets via host-based firewalls or NATs.

    Recommend filtering or firewalling protection as appropriate. This must consider whether a firewall specifically for this device and maybe a few other connections is necessary to protect from local attack.

    P: Procedures (Subjective Measures)

    Questions:

    1. Are boot media secured but accessible by appropriate staff?

    2. In event of a long outage, are alternative resources identified? Are they as secure as the normal ones? Has an outage been tested?

    3. If accounting/logging to the local storage is required, are sufficiently frequent collect and purge cycles observed?

    Auditor Interpretation:

    Recommend, train, and verify system recovery procedure and system outage procedure with both the primary and backup personnel. Remind the customer to integrate IT priorities in overall disaster recovery planning.

    Identify recovery measures to deal with devices with full storage, whether through spooling or accounting data. This should include negotiating with users to delete print jobs.

    Concluding Interpretation

    The preceding process should produce a list of observations and corresponding actions. In all but the smallest of real environments, the security expert will be asked to recommend priorities and a change process that itself does not disrupt security.

    PART 2 APPLICATION

    Audit Environment

    The author applied the auditing standards developed in Part 1 to the university information technology office where he works. This department employs nearly 200 full time staff and 35 part-time student employees. One area is open to the university public. Nothing prevents public access to most printers in the building, though these areas are locked down outside of business hours.

    Most of the equipment in this department connects through two /23 (512-address) subnets using 100-base T Ethernet. Combined physical inventory and network scanning located nineteen networked printers, mostly HP LaserJets.

    Audit Narrative

    Questions for Management:

    1. How much would it cost to replace these devices?

    $500 for low-end laserjets to $4500 for color laser Tektronix

    2. How much would abused supplies cost?

    Figure at copy center rates; $.03/page for black and white, $.40/page for color.

    3. What would unavailability of the device cost?

    Since no special forms are used in this department, substituting another device for a downed one will suffice. Staff time to reset a device configuration costs $75/hour per incident, probably $100 per incident.

    4. If information transmitted, stored, or output via this device was disclosed physically or through the network, what would such breach of confidentiality cost?

    No HIPAA, CIPA, or credit card concerns. Some FERPA and plagiarism concerns for staff who teach.

    5. If somebody could print unauthorized extra copies, would that hurt?

    Wasted paper

    6. If IP duplication takes down a local connection, what could that cost?

    No campus servers or production domain controllers. There are servers for Unix system images, and Novell file servers for departmental file sharing, and around a dozen switches supporting the two main domains. There are around 100 experimental/test systems ranging from wireless access points to Linux clusters. Altogether there are about 250 desktop systems for 200 employees in two network domains.

    Say we lost some system for two hours until we could notice, trace, and correct the problem. For either servers or clients, the employees using the device wouldn't waste the first hour, so figure $50 per head for the next hour. Probably the worst case would be a key switch knocked out. I don't know if these reject something else using their IP address. Say 50 of the IT staff were offline for two hours. So maybe call it $2500 per incident for a worst case, $50 for staff time for desktop systems. Plus the time for networking or someone to fix the printer, another $100 or so. So the range is $150 to $2500, with the median being closer to $150. So like you said, if just putting on passwords will prevent incidents, that's a good idea.

    Auditor Interpretation:

    Major supplies like toner cartridges are controlled by just a few people.

    Security of output depends upon employee vigilance.

    I1: Basic Inventory

    To be completed by printer owners or operators, supplemented with interviews and observation.

    Questions:

    1. Identify print devices by network address, model, physical location, and primary contacts.

    FIGURE 3: QIP Inventory 8/8/2001, Printers in 207.160.42.0 - 207.160.45.255

    IP Address       Object Name     Object Class   Network Status
    207.160.44.89    otsp-tek740     Printer        In DNS; Reachable
    207.160.44.123   static-044123   Printer        In DNS; Reachable
    207.160.44.128   static-044128   Printer        In DNS; Reachable
    207.160.44.151   static-044151   Printer        In DNS; Reachable
    207.160.44.198   static-044198   Printer        In DNS; Reachable
    207.160.44.239   laserwriter     Printer        In DNS; Reachable
    207.160.45.25    static-045025   Printer        In DNS; Reachable
    207.160.45.26    static-045026   Printer        In DNS; Reachable
    207.160.45.27    static-045027   Printer        In DNS; Reachable
    207.160.45.36    hplj3si-e204b   Printer        In DNS; Reachable
    207.160.45.37    hpbasement      Printer        In DNS; Reachable
    207.160.45.40    ibm4332-e304b   Printer        In DNS; Reachable
    207.160.45.64    hplj4si-e004    Printer        In DNS; Reachable
    207.160.45.104   static-045104   Printer        In DNS; Reachable
    207.160.45.137   hplj4si-e304e   Printer        In DNS; Reachable
    207.160.45.142   hdpr1           Printer        In DNS; Reachable
    207.160.45.173   static-045173   Printer        In DNS; Reachable
    207.160.45.232   static-045232   Printer        In DNS; Reachable
    207.160.44.79    static-044079   Printer        In DNS; Unreachable
    207.160.44.93    static-044093   Printer        In DNS; Unreachable
    207.160.44.185   trn1-lsb        Printer        In DNS; Unreachable
    207.160.44.215   static-044215   Printer        In DNS; Unreachable
    207.160.44.224   static-044224   Printer        In DNS; Unreachable
    207.160.45.28    static-045028   Printer        In DNS; Unreachable
    207.160.45.136   static-045136   Printer        In DNS; Unreachable

    "The map is not the territory." - Alfred Korzybski, Science and Sanity

    The above database, and another inventory database, a tech support cheat sheet, and nmap each failed to identify all the printers and sometimes listed addresses that were not printers. Combining all these with manual verification resulted in the master inventory of printers in TABLE 1 below. Throughout this report, identifications of devices are disguised. Other reporting situations might include Netbios name, host name, etc.

    FIGURE 4: AUDIT INVENTORY

    Network Address   Actual Model                 Location      Contacts
    207.160.42.124    HP LaserJet 2100
    207.160.42.185    HP LaserJet 2100TN           E104D
    207.160.43.93     HP LaserJet 2100
    207.160.44.89     Tektronix Phaser 740         Research      Bryan
    207.160.44.123    Canon Multi-PDL 300-405      E104 NE
    207.160.44.128    HP LaserJet 4si              W111          ?
    207.160.44.198    HP DeskJet 930C              204-31        BPIC
    207.160.45.25     Lexmark Optra R+             E104 Front    ?
    207.160.45.26     HP Color LaserJet 4500N      W006
    207.160.45.27     IBM 4322                     304-21
    207.160.45.36     HP LaserJet 3si 8000DN       204 Mail
    207.160.45.37     HP LaserJet 8100DN           W006
    207.160.45.40     IBM 4322                     304B          UCS
    207.160.45.64     Canon Image Runner 400S      E004 NE
    207.160.45.104    HP LaserJet 4000             E104          LADS
    207.160.45.137    HP LaserJet 4si              304B          ?
    207.160.45.142    HP LaserJet 4MV              W109
    207.160.45.173    HP LaserJet 4000             W107          Sherry
    207.160.45.232    EFI Fiery XJ/XJ+ Color       200           Jen

    2. Identify for each device any confidential business or organizational data that might typically be printed. Consider anything containing credit card numbers, social security numbers, patient medical records, student educational records, client lists, bids, personnel action reports, earnings reports, etc.

    No HIPAA, CIPA, or credit card concerns. Some FERPA and plagiarism concerns for staff who teach.

    3. Identify any other sensitive business printing, such as checks or employee ID cards.


    None

    4. Describe controls for access to ordinary paper and to any special forms. Controls for this and the following items address theft or other unauthorized use. Controls include locked rooms, ID keys, someone with guard responsibility (please specify name or position), surveillance cameras, shredders, employee vigilance (EV), and none.

    Plain paper is available next to the printers.

    5. Describe controls for supplies such as ink or toner cartridges.

    Toner cartridges are locked away and accessible only by a few admin assistants.

    6. Describe controls for output retrieval.

    EV

    7. Describe controls for output disposal.

    EV

    8. Describe controls for console access.

    EV

    9. Does the printer area display any acceptable use warning?

    No. There are some instructions about recycling on the 1st floor.

    10. How are users informed of any handling and disposal requirements for confidential or sensitive output?

    EV

    11. Are procedures observed to regularly change controller passwords or change them after employee exit?

    Not so far.

    12. Describe any unusual events that might signal a security problem or at least a reliability problem with printing. Examples: a printer that needed frequent restarting; unaccounted or garbage output; excessive personal use; and missing output.

    We saw a few garbage sheets of paper sometimes. Don't know whether this is an application problem or what.

    13. Be prepared to provide available technical manuals to the auditor.


    The enterprise may want to add reliability, capacity, and function issues to these security inquiries.

    Auditor Interpretation:

    The instructors should normally be on hand to pick up their sensitive printouts immediately. Instructors should shred discarded draft exams & graded homework, mainly for cheating issues, also for FERPA.

    Create and post applicable AUP "Authorized Use Only" banners near printers.

    Identification of location and technical support staff for several devices was obsolete in physical inventory records, in IP/hostname registration, and indeed in network accessible configuration stored on devices.

    I2: Technical Inventory

    These are mostly objective, automated inventories.

    To be completed by auditor.

    Tests:

    1. Via automated means such as nmap [16] verify network addresses and device types for printers.

    (1) Network mapping used nmap 2.54beta28 on Red Hat Linux 7.1.

    FIGURE 5: NMAP MODIFICATIONS

    After initial surveys, the author modified the nmap 2.54beta28 nmap-services file to account for unknown services on HP printers per HP documentation [20].

    REPLACE:

    ipp           631/tcp    # Internet Printing Protocol / CUPS

    ADD:

    ipp           631/udp    # Internet Printing Protocol
    jetsend       1782/tcp   # HP Jetsend
    hp-hcip       1782/udp   # HP HCIP
    ipx_port      5120/tcp   # IPX
    ipx_port      5121/tcp   # IPX
    ipx_port      5122/tcp   # IPX
    jetdirect     9100/udp   # HP JetDirect card
    jetdirect     9101/tcp   # HP JetDirect port 2
    jetdirect     9101/udp   # HP JetDirect port 2
    jetdirect     9102/tcp   # HP JetDirect port 3
    jetdirect     9102/udp   # HP JetDirect port 3
    hp-ieee1284   9220/tcp   # HP IEEE 1284.4 scanning
    hp-ieee1284   9221/tcp   # HP IEEE 1284.4 port 2
    hp-ieee1284   9222/tcp   # HP IEEE 1284.4 port 3
    hp-http       9280/tcp   # HP Embedded Web Server
    hp-http       9281/tcp   # HP Embedded Web Server port 2
    hp-http       9282/tcp   # HP Embedded Web Server port 3


        if (! $host) { $host = $ip; }
        $os =~ s/^\*\s*//;          # Remove leading * and trailing info:
        $os =~ s/Seq Index:.*//;
        print "$host\t$os\n";
    }

    (3) Piping nmap output through this script yielded a list of unique OSs:

    nmap2os locust.nmap | awk -F'\t' '{print $2}' | sort -u

    Inspection of this list identified possible printers:

    HP JetDirect
    HP LaserJet Printer
    HP printer w/JetDirect card
    Lexmark Optra R+
    Router/Switch/Printer
    Tektronix Phaser 360 Extended

    (4) Returning to the nmap port report,

    egrep -i 'jetdirect|printer|Lexmark|tektronix' locust.nmap

    yielded a list of 19 possible printers.

    egrep '515/open/tcp|9100/open/tcp' locust.nmap

    yielded a list of 60 hosts running print services. Manual consolidation of these lists resulted in the list of 14 printers previously shown.
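The nmap2os, awk and egrep steps above redone in Python, as an added example that is not the paper's code: it parses nmap's grepable output, lists the distinct OS guesses, and separates hosts that match on both fingerprint and an open print port from those that match on only one (the "60 hosts running print services" problem). The scan lines are constructed with TEST-NET addresses and hypothetical host names; the field layout "Host: IP (name) <TAB> Ports: port/state/proto/owner/service/... <TAB> OS: guess <TAB> Seq Index: N" is assumed.

```python
"""Sort nmap grepable output into printers, fingerprint-only hits and
non-printer hosts that merely run a print service."""
import re
from typing import Dict, List

# Words the audit grepped for in the OS-guess column.
PRINTER_OS_WORDS = ("jetdirect", "printer", "lexmark", "tektronix")
# lpd and the JetDirect raw port, the two print services the audit grepped for.
PRINT_SERVICE_PORTS = {(515, "tcp"), (9100, "tcp")}

# Constructed sample in nmap's grepable layout (hypothetical hosts on
# TEST-NET-1). One common trap is included: a Linux box with lpd open that
# is not a printer, and a switch that fingerprints as "Router/Switch/Printer".
SAMPLE_NMAP = "\n".join([
    "# nmap (V. 2.54BETA28) scan initiated as: nmap -sT -O -oM locust.nmap 192.0.2.0/28",
    "Host: 192.0.2.10 (hplj-e104)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, "
    "515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tOS: HP LaserJet Printer\tSeq Index: 68",
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 515/open/tcp//printer///"
    "\tOS: Linux 2.4.X\tSeq Index: 3140000",
    "Host: 192.0.2.12 (phaser)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///"
    "\tOS: Tektronix Phaser 360 Extended\tSeq Index: 55",
    "Host: 192.0.2.13 (switch-1)\tPorts: 23/filtered/tcp//telnet///"
    "\tOS: Router/Switch/Printer\tSeq Index: 12",
    "Host: 192.0.2.14 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///"
    "\tOS: Windows NT4 / Win95 / Win98\tSeq Index: 26000",
])

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# port/state/proto/owner/service/ ... (extra trailing fields are ignored)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> List[Dict]:
    """Return one record per 'Host:' line: ip, name, ports, os."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and blank lines
        m = HOST_RE.match(line)
        if not m:
            continue
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value.strip()
        ports = [(int(p), state, proto, svc)
                 for p, state, proto, svc in PORT_RE.findall(fields.get("Ports", ""))]
        # Same cleanup as the nmap2os script: drop a leading '*' and anything
        # from 'Seq Index:' onwards, should they ever share the OS field.
        os_guess = re.sub(r"Seq Index:.*", "", fields.get("OS", "")).lstrip("* ").strip()
        hosts.append({"ip": m.group(1), "name": m.group(2) or m.group(1),
                      "ports": ports, "os": os_guess})
    return hosts


def unique_os(hosts: List[Dict]) -> List[str]:
    """Equivalent of 'nmap2os | awk | sort -u': the distinct OS guesses."""
    return sorted({h["os"] for h in hosts})


def classify(host: Dict) -> str:
    """Combine the fingerprint grep and the print-port grep for one host."""
    os_hit = any(w in host["os"].lower() for w in PRINTER_OS_WORDS)
    port_hit = any(state == "open" and (port, proto) in PRINT_SERVICE_PORTS
                   for port, state, proto, _ in host["ports"])
    if os_hit and port_hit:
        return "printer"
    if os_hit:
        return "fingerprint only: verify physically"
    if port_hit:
        return "print service on non-printer host"
    return "not a printer"


def inventory(text: str) -> Dict[str, str]:
    """Map each scanned address to its verdict; manual verification follows."""
    return {h["ip"]: classify(h) for h in parse_grepable(text)}


if __name__ == "__main__":
    for os_name in unique_os(parse_grepable(SAMPLE_NMAP)):
        print(os_name)
    for ip, verdict in inventory(SAMPLE_NMAP).items():
        print(f"{ip:15} {verdict}")
```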

    2. Identify any other communication channels such as modems, infrared or wireless.

    None

    3. Dump configuration information for device, physically and via net.

    FIGURE 6: SAMPLE TELNET SESSION

    HP JetDirect

    Please type "?" for HELP, or "/" for current settings
    >
    ===JetDirect Parameters Configured===
    IP Address     : 207.160.42.124
    Subnet Mask    : 255.255.252.0
    Default Gateway: 207.160.45.254
    Syslog Server  : Not Specified
    Idle Timeout   : 90 Seconds
    Set Cmnty Name : Not Specified
    Host Name      : NPIAE3E53
    DHCP Config    : Enabled
    Passwd         : Disabled
    IPX/SPX        : Enabled
    DLC/LLC        : Enabled
    Ethertalk      : Enabled
    Banner page    : Enabled

    Note five security issues: no accounting and access logs are collected, the standard SNMP community name/password defaults, the remote control password is disabled, and probably unnecessary protocols DLC/LLC and Ethertalk are enabled. A sixth security issue appears in continuing the session:

    > ?
    To Change/Configure Parameters Enter:
    Parameter-name: value

    Parameter-name  Type of value
    ip:             IP-address in dotted notation
    subnet-mask:    address in dotted notation (enter 0 for default)
    default-gw:     address in dotted notation (enter 0 for default)
    syslog-svr:     address in dotted notation (enter 0 for default)
    idle-timeout:   seconds in integers
    set-cmnty-name: alpha-numeric string (32 chars max)
    host-name:      alpha-numeric string (upper case only, 32 chars max)
    dhcp-config:    0 to disable, 1 to enable
    allow:          [mask] (0 to clear, list to display, 10 max)
    addrawport:     ( 3000-9000)
    deleterawport:
    listrawport:    (No parameter required)
    addstring:      contents - For non-printable characters use
                    \xx for two digit hex number
    deletestring:
    liststring:     (No parameter required)
    addq:           [prepend] [append] [processing]
                    prepend - The prepend string name
                    append - The append string name
                    Use NULL for no string
                    processing - RAW, TEXT, or AUTO
    deleteq:
    listq:          (No parameter required)
    defaultq:
    ipx/spx:        0 to disable, 1 to enable
    dlc/llc:        0 to disable, 1 to enable
    ethertalk:      0 to disable, 1 to enable
    banner:         0 to disable, 1 to enable

    Type passwd to change the password.

    Type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
    Or type "exit" to exit without saving configuration parameter entries

    > Allow: list
    Access Control List:
    Not in use.
    >
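An added example, not from the paper, of the automated verification the abstract recommends: it parses a JetDirect telnet "/" settings dump together with the "allow: list" reply and flags the six issues noted above (no syslog server, default SNMP community, password disabled, DLC/LLC and Ethertalk enabled, no access control list). Both dumps are constructed with placeholder addresses; that a configured community name prints as "Specified" and the layout of an in-use ACL line are assumptions, not taken from HP documentation.

```python
"""Flag the JetDirect telnet settings the audit calls out."""
from typing import Dict, List

# Constructed dump in the layout of the session above (placeholder values).
WEAK_DUMP = """\
===JetDirect Parameters Configured===
IP Address     : 192.0.2.124
Subnet Mask    : 255.255.252.0
Default Gateway: 192.0.2.254
Syslog Server  : Not Specified
Idle Timeout   : 90 Seconds
Set Cmnty Name : Not Specified
Host Name      : NPIEXAMPLE
DHCP Config    : Enabled
Passwd         : Disabled
IPX/SPX        : Enabled
DLC/LLC        : Enabled
Ethertalk      : Enabled
Banner page    : Enabled
Access Control List:
Not in use.
"""

# The same device after remediation (constructed). "Specified" for the
# community name and the ACL line layout are assumptions about the card's output.
HARDENED_DUMP = """\
===JetDirect Parameters Configured===
IP Address     : 192.0.2.124
Subnet Mask    : 255.255.252.0
Default Gateway: 192.0.2.254
Syslog Server  : 192.0.2.50
Idle Timeout   : 90 Seconds
Set Cmnty Name : Specified
Host Name      : NPIEXAMPLE
DHCP Config    : Enabled
Passwd         : Enabled
IPX/SPX        : Enabled
DLC/LLC        : Disabled
Ethertalk      : Disabled
Banner page    : Enabled
Access Control List:
192.0.2.0 255.255.252.0
"""


def parse_settings(dump: str) -> Dict[str, str]:
    """Turn 'Name : value' lines into a dict; fold the ACL block into one key."""
    settings: Dict[str, str] = {}
    acl: List[str] = []
    in_acl = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("==="):
            continue
        if line.startswith("Access Control List"):
            in_acl = True          # everything after this line is the ACL
            continue
        if in_acl:
            acl.append(line)
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    in_use = bool(acl) and not acl[0].lower().startswith("not in use")
    settings["Access Control List"] = "; ".join(acl) if in_use else "Not in use"
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means all six checks pass."""
    findings = []
    if settings.get("Syslog Server", "Not Specified") == "Not Specified":
        findings.append("Syslog Server not set: access and accounting events stay on the device")
    if settings.get("Set Cmnty Name", "Not Specified") == "Not Specified":
        findings.append("Set Cmnty Name at default: configuration writable with the default SNMP community")
    if settings.get("Passwd", "Disabled") == "Disabled":
        findings.append("Passwd disabled: telnet/remote control needs no password")
    for proto in ("DLC/LLC", "Ethertalk"):
        if settings.get(proto) == "Enabled":
            findings.append(f"{proto} enabled: probably unneeded protocol, disable it")
    if settings["Access Control List"] == "Not in use":
        findings.append("Access Control List not in use: any address may reach the control interfaces")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"{label}: {len(audit(parse_settings(dump)))} finding(s)")
        for f in audit(parse_settings(dump)):
            print("  -", f)
```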


    FIGURE 7: HP PRINTER CONFIGURATION WEB INTERFACE (screenshot not reproduced)

    4. Identify open network ports, at least for each representative device, and for each device if higher security is required.

    Having identified the printers, for this research-oriented audit we scanned all ports:

    nmap -iL printers.ips -sT -sU -sR -p 1-65535 -v -v -O -oM printers3.nmap

    Scanning all ports took about 10 minutes per printer. One printer stopped responding.

    Using a slightly modified nlog [29] to tabularize the nmap results, we obtained a complete port dump of the printers, with a few items manually "dittoed" in the following listing.

    FIGURE 8: ALL OPEN PORTS ON AUDITED DEVICESip address port protostate service os matches

    207.160.42.124 21 tcp open ftp HP LaserJet Printer

  • 8/8/2019 Auditing Networked Printers 16

    28/60

    SANSIn

    stitu

    te20

    00-20

    0

    5,Autho

    rretain

    sfullr

    ights.

    Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

    Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

    SANS Institute 2000 - 2005 Author retains full rights

    207.160.42.124 23 tcp open telnet HP LaserJetPrinter207.160.42.124 68 udp open bootpc HP LaserJetPrinter207.160.42.124 80 tcp open http HP LaserJet Printer 207.160.42.124 137 udp open netbios-ns HP LaserJetPrinter207.160.42.124 161 udp open snmp HP LaserJetPrinter207.160.42.124 280 tcp open http-mgmt HP LaserJetPrinter207.160.42.124 427 udp open svrloc HP LaserJetPrinter207.160.42.124 515 tcp open printer HP LaserJetPrinter207.160.42.124 631 tcp open ipp HP LaserJet Printer 207.160.42.124 1782 udp open hp-hcip HP LaserJetPrinter207.160.42.124 5120 tcp open ipx_port HP LaserJetPrinter

    207.160.42.124 5121 tcp open ipx_port HP LaserJetPrinter207.160.42.124 5122 tcp open ipx_port HP LaserJetPrinter207.160.42.124 9100 tcp open jetdirect HP LaserJetPrinter

    207.160.42.185 21 tcp open ftp HP LaserJet Printer (same ports as above)

    207.160.43.93 21 tcp open ftp HP LaserJet Printer (same ports as above)

    207.160.44.89        7 tcp open     echo           Tektronix Phaser 360 Extended
    207.160.44.89        7 udp open     echo           Tektronix Phaser 360 Extended
    207.160.44.89        9 tcp open     discard        Tektronix Phaser 360 Extended
    207.160.44.89       19 tcp open     chargen        Tektronix Phaser 360 Extended
    207.160.44.89       19 udp open     chargen        Tektronix Phaser 360 Extended
    207.160.44.89       21 tcp open     ftp            Tektronix Phaser 360 Extended
    207.160.44.89       23 tcp open     telnet         Tektronix Phaser 360 Extended
    207.160.44.89       80 tcp open     http           Tektronix Phaser 360 Extended
    207.160.44.89      161 udp open     snmp           Tektronix Phaser 360 Extended
    207.160.44.89      489 udp open     nest-protocol  Tektronix Phaser 360 Extended
    207.160.44.89      515 tcp open     printer        Tektronix Phaser 360 Extended
    207.160.44.89      520 udp open     route          Tektronix Phaser 360 Extended
    207.160.44.89     9100 tcp open     jetdirect      Tektronix Phaser 360 Extended
    207.160.44.89     9101 udp open     jetdirect      Tektronix Phaser 360 Extended

    207.160.44.123      23 tcp filtered telnet         Router/Switch/Printer (LanPlex 2500/Cisco Catalyst 5505/CISCO 6509/Trancell Webramp/Xylan Omni Switch)/Epson Stylus (100BTX-NIC HP Secure Web Console Sonicwall firewall appliance 3.3.1)
    207.160.44.123      80 tcp open     http           ditto
    207.160.44.123     111 tcp open     SunRPC         ditto
    207.160.44.123     111 udp open     SunRPC         ditto
    207.160.44.123     161 udp open     snmp           ditto
    207.160.44.123     513 tcp open     login          ditto
    207.160.44.123     515 tcp open     printer        ditto
    207.160.44.123    1009 tcp open     unknown        ditto

    207.160.44.128      23 tcp open     telnet         HP printer w/JetDirect card
    207.160.44.128     161 udp open     snmp           HP printer w/JetDirect card
    207.160.44.128     515 tcp open     printer        HP printer w/JetDirect card
    207.160.44.128    9099 tcp open     unknown        HP printer w/JetDirect card
    207.160.44.128    9100 tcp open     jetdirect      HP printer w/JetDirect card

    207.160.44.198      21 tcp open     ftp            HP LaserJet Printer
    207.160.44.198      23 tcp open     telnet         HP LaserJet Printer
    207.160.44.198      80 tcp open     http           HP LaserJet Printer
    207.160.44.198     161 udp open     snmp           HP LaserJet Printer
    207.160.44.198     280 tcp open     http-mgmt      HP LaserJet Printer
    207.160.44.198     427 udp open     svrloc         HP LaserJet Printer
    207.160.44.198     515 tcp open     printer        HP LaserJet Printer
    207.160.44.198     631 tcp open     ipp            HP LaserJet Printer
    207.160.44.198    5120 tcp open     ipx_port       HP LaserJet Printer
    207.160.44.198    5121 tcp open     ipx_port       HP LaserJet Printer
    207.160.44.198    5122 tcp open     ipx_port       HP LaserJet Printer
    207.160.44.198    9100 tcp open     jetdirect      HP LaserJet Printer
    207.160.44.198    9220 tcp open     hp-ieee1284    HP LaserJet Printer
    207.160.44.198    9280 tcp open     hp-http        HP LaserJet Printer
    207.160.44.198    9290 tcp open     hp-ieee1284    HP LaserJet Printer
    207.160.44.198   32768 udp open     unknown        HP LaserJet Printer

    207.160.45.25       21 tcp open     ftp            Lexmark Optra R+ (4049-RA0) w. MarkNet XL card (firmware rev. 79.133.1)
    207.160.45.25       79 tcp open     Finger         (ditto)
    207.160.45.25      515 tcp open     printer        (ditto)
    207.160.45.25     9000 tcp open     unknown        (ditto)
    207.160.45.25     9100 tcp open     jetdirect      (ditto)
    207.160.45.25     9200 tcp open     unknown        (ditto)
    207.160.45.25     9400 tcp open     unknown        (ditto)
    207.160.45.25     9500 tcp open     unknown        (ditto)
    207.160.45.25     9501 tcp open     unknown        (ditto)

    (nmap lists Optra UDP ports as filtered)

    207.160.45.26       21 tcp open     ftp            HP LaserJet Printer
    207.160.45.26       23 tcp open     telnet         HP LaserJet Printer
    207.160.45.26       80 tcp open     http           HP LaserJet Printer
    207.160.45.26      161 udp open     snmp           HP LaserJet Printer
    207.160.45.26      280 tcp open     http-mgmt      HP LaserJet Printer
    207.160.45.26      427 udp open     svrloc         HP LaserJet Printer
    207.160.45.26      515 tcp open     printer        HP LaserJet Printer
    207.160.45.26      631 tcp open     ipp            HP LaserJet Printer
    207.160.45.26     1782 udp open     hp-hcip        HP LaserJet Printer
    207.160.45.26     5120 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.26     5121 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.26     5122 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.26     9100 tcp open     jetdirect      HP LaserJet Printer

    207.160.95.27       23 tcp open     telnet         CABLETRON Systems Incorporated Module Firmware Revision: 01.01.01
    207.160.95.27       80 tcp open     http           ditto
    207.160.95.27      515 tcp open     printer        ditto
    207.160.95.27     2048 tcp open     dls-monitor    ditto
    207.160.95.27     2501 tcp open     rtsclient      ditto
    207.160.95.27     5001 tcp open     commplex-link  ditto
    (nmap lists all UDP ports as filtered)

    207.160.45.36       21 tcp open     ftp            HP LaserJet Printer
    207.160.45.36       23 tcp open     telnet         HP LaserJet Printer
    207.160.45.36       80 tcp open     http           HP LaserJet Printer
    207.160.45.36      161 udp open     snmp           HP LaserJet Printer
    207.160.45.36      280 tcp open     http-mgmt      HP LaserJet Printer
    207.160.45.36      427 udp open     svrloc         HP LaserJet Printer
    207.160.45.36      515 tcp open     printer        HP LaserJet Printer
    207.160.45.36      631 tcp open     ipp            HP LaserJet Printer
    207.160.45.36     1782 udp open     hp-hcip        HP LaserJet Printer
    207.160.45.36     5120 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.36     5121 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.36     5122 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.36     9100 tcp open     jetdirect      HP LaserJet Printer
    207.160.45.36    32768 udp open     unknown        HP LaserJet Printer
    207.160.45.36    34861 udp open     unknown        HP LaserJet Printer

    207.160.45.37       21 tcp open     ftp            HP LaserJet Printer
    207.160.45.37       23 tcp open     telnet         HP LaserJet Printer
    207.160.45.37       80 tcp open     http           HP LaserJet Printer
    207.160.45.37      161 udp open     snmp           HP LaserJet Printer
    207.160.45.37      280 tcp open     http-mgmt      HP LaserJet Printer
    207.160.45.37      427 udp open     svrloc         HP LaserJet Printer
    207.160.45.37      515 tcp open     printer        HP LaserJet Printer
    207.160.45.37      631 tcp open     ipp            HP LaserJet Printer
    207.160.45.37     1782 udp open     hp-hcip        HP LaserJet Printer
    207.160.45.37     5120 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.37     5121 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.37     5122 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.37     9100 tcp open     jetdirect      HP LaserJet Printer
    207.160.45.37    32768 udp open     unknown        HP LaserJet Printer
    207.160.45.37    34861 udp open     unknown        HP LaserJet Printer

    207.160.95.40       23 tcp open     telnet         CABLETRON Systems Incorporated Module Firmware Revision: 01.01.01
    207.160.95.40       80 tcp open     http           ditto
    207.160.95.40      515 tcp open     printer        ditto
    207.160.95.40     2048 tcp open     dls-monitor    ditto
    207.160.95.40     2501 tcp open     rtsclient      ditto
    207.160.95.40     5001 tcp open     commplex-link  ditto

    (nmap lists all UDP ports as filtered)

    207.160.45.64       23 tcp open     telnet         HP JetDirect
    207.160.45.64      161 udp open     snmp           HP JetDirect
    207.160.45.64      427 udp open     svrloc         HP JetDirect
    207.160.45.64      515 tcp open     printer        HP JetDirect
    207.160.45.64     9100 tcp open     jetdirect      HP JetDirect

    207.160.45.104      21 tcp open     ftp            HP LaserJet Printer
    207.160.45.104      23 tcp open     telnet         HP LaserJet Printer
    207.160.45.104      80 tcp open     http           HP LaserJet Printer
    207.160.45.104     161 udp open     snmp           HP LaserJet Printer
    207.160.45.104     280 tcp open     http-mgmt      HP LaserJet Printer
    207.160.45.104     427 udp open     svrloc         HP LaserJet Printer
    207.160.45.104     515 tcp open     printer        HP LaserJet Printer
    207.160.45.104     631 tcp open     ipp            HP LaserJet Printer
    207.160.45.104    1782 udp open     hp-hcip        HP LaserJet Printer
    207.160.45.104    5120 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.104    5121 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.104    5122 tcp open     ipx_port       HP LaserJet Printer
    207.160.45.104    9100 tcp open     jetdirect      HP LaserJet Printer

    207.160.45.137      23 tcp open     telnet         HP JetDirect (same as 207.160.45.64)

    207.160.45.142      21 tcp open     ftp            HP LaserJet Printer (same as 207.160.45.104 minus 1782)

    207.160.45.173 21 tcp open ftp HP LaserJet Printer (same as 207.160.45.104)

    207.160.45.232      23 tcp filtered telnet         Router/Switch/Printer (LanPlex 2500/Cisco Catalyst 5505/CISCO 6509/Trancell Webramp/Xylan Omni Switch)/Epson Stylus (100BTX-NIC HP Secure Web Console Sonicwall firewall appliance 3.3.1)
    207.160.45.232      80 tcp open     http           ditto
    207.160.45.232     111 tcp open     SunRPC         ditto
    207.160.45.232     111 udp open     SunRPC         ditto
    207.160.45.232     161 udp open     snmp           ditto
    207.160.45.232     513 tcp open     login          ditto
    207.160.45.232     515 tcp open     printer        ditto
    207.160.45.232    1009 tcp open     unknown        ditto

    FIGURE 9: Open Ports Discovered on 19 Printers

    14 printer models represented

    Count  Port        nmap-services
        1  7/tcp       echo
        1  7/udp       echo
        1  9/tcp       discard
        1  19/tcp      chargen
        1  19/udp      chargen
       15  21/tcp      ftp
       18  23/tcp      telnet
        3  68/udp      bootpc
        1  79/tcp      Finger
       15  80/tcp      http
        2  111/tcp     SunRPC
        2  111/udp     SunRPC
        3  137/udp     netbios-ns
       18  161/udp     snmp
       10  280/tcp     http-mgmt
       14  427/udp     svrloc
        1  489/udp     nest-protocol
        2  513/tcp     login
       19  515/tcp     printer
        1  520/udp     route
       10  631/tcp     ipp
        2  1009/tcp    unknown
        8  1782/udp    hp-hcip
        2  2048/tcp    dls-monitor
        2  2501/tcp    rtsclient
        2  5001/tcp    commplex-link
       10  5120/tcp    ipx_port
       10  5121/tcp    ipx_port
       10  5122/tcp    ipx_port
        1  9000/tcp    unknown
        1  9099/tcp    unknown
       17  9100/tcp    jetdirect
        1  9101/udp    jetdirect
        1  9200/tcp    unknown
        1  9220/tcp    hp-ieee1284
        1  9280/tcp    hp-http
        1  9290/tcp    hp-ieee1284
        1  9400/tcp    unknown
        1  9500/tcp    unknown
        1  9501/tcp    unknown
        3  32768/udp   unknown
        2  34861/udp   unknown
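The per-port count in Figure 9 can be produced directly from nmap's grepable output (-oG) rather than tallied by hand from the per-host list, and the same pass can apply the paper's closing recommendation (disable unneeded services, filter the rest) by flagging every open port that a print server has no business exposing. The script below is an added example, not code from the paper. The allow-list is an assumption made for illustration, and the scan lines are a constructed sample in nmap's -oG layout (one `port/state/protocol/owner/service/rpc/version/` entry per port) using three hosts from Figure 9.

```python
"""Turn nmap grepable output (-oG) into the per-port count of Figure 9 and flag
open ports outside a print-server allow-list.  Added example, not from the paper."""
import re
from collections import Counter

# Allow-list is an assumption for illustration: what a network print server
# needs (lpd, JetDirect raw, IPP) plus SNMP for monitoring.  Everything else
# (telnet, ftp, chargen, ...) is a candidate for "disable or filter".
ALLOWED = {"515/tcp", "9100/tcp", "631/tcp", "161/udp"}

# Constructed sample in nmap -oG form: three hosts copied from Figure 9.
# Field order per port entry is port/state/protocol/owner/service/rpc/version/.
SAMPLE_OG = (
    "# Nmap run (constructed sample)\n"
    "Host: 207.160.42.124 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, "
    "161/open/udp//snmp///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///"
    "\tIgnored State: closed (1633)\n"
    "Host: 207.160.44.89 ()\tPorts: 19/open/tcp//chargen///, 19/open/udp//chargen///, "
    "515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1634)\n"
    "Host: 207.160.44.123 ()\tPorts: 23/filtered/tcp//telnet///, 111/open/tcp//SunRPC///, "
    "515/open/tcp//printer///\tIgnored State: closed (1635)\n"
)

_HOST = re.compile(r"^Host:\s+(\S+).*?\tPorts:\s+([^\t]+)")


def parse_grepable(text):
    """Return {host: [(port/proto, state, service), ...]} from -oG text."""
    scan = {}
    for line in text.splitlines():
        m = _HOST.match(line)
        if not m:
            continue                      # comment lines and hosts with no ports
        entries = []
        for item in m.group(2).split(", "):
            f = item.split("/")
            if len(f) < 5:
                continue                  # malformed entry: skip rather than guess
            entries.append((f"{f[0]}/{f[2]}", f[1], f[4]))
        scan[m.group(1)] = entries
    return scan


def port_counts(scan):
    """How many hosts expose each open port/proto (the Figure 9 summary table)."""
    return Counter(pp for entries in scan.values()
                   for pp, state, _ in entries if state == "open")


def unexpected_ports(scan, allowed=ALLOWED):
    """Per host, open ports not on the allow-list; an empty dict means all clear."""
    bad = {}
    for host, entries in scan.items():
        extra = sorted(pp for pp, state, _ in entries
                       if state == "open" and pp not in allowed)
        if extra:
            bad[host] = extra
    return bad
```

Run it against real output with `nmap -sS -sU -oG scan.txt <range>` and `parse_grepable(open("scan.txt").read())`; filtered ports are deliberately left out of both the count and the allow-list check, since nmap cannot tell whether anything is listening behind them.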

    5. If possible, verify the service or protocol actually running on each port using Nessus [14], telnet, ftp, a web browser, SNMP tools, etc. The service names in the tables above come from nmap's port-number lookup (nmap-services), not from talking to the service, so a name is only a hypothesis until a banner or a protocol exchange confirms it.
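The SNMP check in this step can be done without any SNMP package, which also makes the wire format visible. The module below is an added example, not code from the paper or from any vendor tool: it hand-encodes an SNMPv1 GetRequest for sysDescr.0 with the BER rules (tag, length, value), sends it to UDP/161, and decodes the GetResponse. An answer to the community string `public` is exactly the CAN-1999-0517 finding that Nessus reports below. `SAMPLE_SYSDESCR` is a constructed test vector copied from the sysDescr string in Figure 10; the target address passed to `snmp_get` is assumed to be one of your own printers.

```python
"""SNMPv1 GET probe for sysDescr.0, built by hand on the standard library.
Added example for step 5; not code from the paper or from any vendor tool."""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # MIB-II sysDescr.0 (RFC 1213)
# Constructed test vector: the sysDescr string Figure 10 shows for one JetDirect card.
SAMPLE_SYSDESCR = b"HP ETHERNET MULTI-ENVIRONMENT,ROM G.07.02,JETDIRECT,JD33,EEPROM G.08.32"


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v):
    """INTEGER in minimal two's complement (a leading 0x00 keeps 128..255 positive)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _message(community, pdu_tag, request_id, varbind):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)  # version 0 = v1


def build_get(community, oid, request_id=1):
    """GetRequest-PDU (tag 0xA0) with one OID and a NULL placeholder value."""
    return _message(community, 0xA0, request_id, _tlv(0x30, _oid(oid) + b"\x05\x00"))


def build_response(community, oid, value, request_id=1):
    """GetResponse-PDU (tag 0xA2) as an agent sends it; lets the parser be tested offline."""
    return _message(community, 0xA2, request_id, _tlv(0x30, _oid(oid) + _tlv(0x04, value)))


def _read_tlv(buf, pos):
    """Return (tag, body, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(pkt):
    """Return (error-status, [(oid, value bytes), ...]) from a GetResponse."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = _read_tlv(msg, 0)        # version
    _, _, pos = _read_tlv(msg, pos)      # community, echoed back by the agent
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _, pos = _read_tlv(pdu, 0)        # request-id
    _, err, pos = _read_tlv(pdu, pos)    # error-status, 0 = noError
    _, _, pos = _read_tlv(pdu, pos)      # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    binds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        _, val, _ = _read_tlv(vb, p)
        binds.append((_decode_oid(oid), val))
    return int.from_bytes(err, "big", signed=True), binds


def snmp_get(host, oid=SYS_DESCR_OID, community="public", timeout=2.0):
    """One SNMPv1 GET over UDP/161; value bytes, or None on timeout or agent error.
    A reply to community 'public' is the CAN-1999-0517 finding in Figure 10."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get(community, oid), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    err, binds = parse_response(data)
    return binds[0][1] if err == 0 and binds else None
```

Usage is `snmp_get("207.160.45.37")` (an address from Figure 9, assumed to be reachable from the auditing host); a `None` means the agent is off, filtered, or configured with a non-default community, and anything else is the device's own description of itself, which is the only reliable way to confirm what nmap labelled "snmp". Note that an agent that answers `public` for GET will usually also accept the write community, so the same packet with tag 0xA3 (SetRequest) would let anyone change the printer's configuration.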

    For purposes of this presentation, the first occurrence of an interesting item in the following Nessus HTML report has been highlighted. This report lists only representative hosts of those in the audit domain.

    FIGURE 10: NESSUS REPORTS OF REPRESENTATIVE DEVICES

    Number of hosts which were alive during the test : 6
    Number of security holes found : 21
    Number of security warnings found : 29
    Number of security notes found : 18

    List of the tested hosts :
    mu-043093.dhcp.missouri.edu (Security holes found)
    hpcommons.iats.missouri.edu (Security holes found)
    static-044198.static.missouri.edu (Security holes found)
    static-045232.static.missouri.edu (Security holes found)
    static-044123.static.missouri.edu (Security holes found)
    peacock.research.missouri.edu (no noticeable problem found)

    [ Back to the top ]

    mu-043093.dhcp.missouri.edu :

    List of open ports :

    ftp (21/tcp) (Security hole found)
    telnet (23/tcp) (Security hole found)
    http (80/tcp)
    unknown (280/tcp) (Security warnings found)
    printer (515/tcp)
    jetdirect (9100/tcp)
    general/tcp (Security hole found)
    unknown (631/tcp) (Security warnings found)
    unknown (5122/tcp)
    unknown (5121/tcp)
    unknown (5120/tcp)
    snmp (161/udp) (Security hole found)
    general/udp (Security notes found)

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    It is possible to log into the remote FTP server as ' '/' '.
    If the remote server is PFTP, then anyone can use this account to read arbitrary files on the remote host.
    Solution : upgrade PFTP to version 2.9g
    Risk factor : High

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    This FTP server accepts any login/password combination. This is a real threat, since anyone can browse the FTP section of your disk without your consent.
    Solution : upgrade WFTP.
    Risk factor : High
    CVE : CAN-1999-0200

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    There is a backdoor in the old ftp daemons of Linux, which allows remote users to log in as 'NULL', with password 'NULL', and to get root privileges over FTP.
    Solution : Update your FTP server to the latest version available.
    Risk factor : High
    CVE : CAN-1999-0452

    [ back to the list of ports ]

    Warning found on port ftp (21/tcp)

    The FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles.
    Under most Unix system, doing :
    echo ftp >> /etc/ftpusers
    will correct this.
    Risk factor : Low
    CVE : CAN-1999-0497

    [ back to the list of ports ]

    Information found on port ftp (21/tcp)
    Remote FTP server banner :
    jd ftp server ready

    [ back to the list of ports ]

    Vulnerability found on port telnet (23/tcp)
    The remote printer has no password set. This allows anyone to change its IP, thus to generate problems on your network.
    Solution : telnet to this printer and set a password.
    Risk factor : Serious

    [ back to the list of ports ]

    Warning found on port telnet (23/tcp)
    The Telnet service is running.
    This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords.
    You should disable this service and use OpenSSH instead. (www.openssh.com)
    Solution : Comment out the 'telnet' line in /etc/inetd.conf.
    Risk factor : Low
    CVE : CAN-1999-0619

    [ back to the list of ports ]

    Information found on port telnet (23/tcp)
    Remote telnet banner :
    HP JetDirect
    Please type "?" for HELP, or "/" for current settings
    >

    [ back to the list of ports ]

    [ back to the list of ports ]

    Warning found on port snmp (161/udp)
    SNMP Agent port open, it is possible to execute SNMP GET and SET, (with the proper community names)

    [ back to the list of ports ]

    Information found on port general/udp
    For your information, here is the traceroute to 207.160.43.93 :
    207.160.43.93

    [ Back to the top ]

    hpcommons.iats.missouri.edu :

    List of open ports :
    ftp (21/tcp) (Security hole found)
    telnet (23/tcp) (Security hole found)
    http (80/tcp)
    unknown (280/tcp) (Security warnings found)
    printer (515/tcp)
    jetdirect (9100/tcp)
    general/tcp (Security hole found)
    unknown (631/tcp) (Security warnings found)
    unknown (5122/tcp)
    unknown (5121/tcp)
    unknown (5120/tcp)
    snmp (161/udp) (Security hole found)
    general/udp (Security notes found)

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    It is possible to log into the remote FTP server as ' '/' '.
    If the remote server is PFTP, then anyone can use this account to read arbitrary files on the remote host.
    Solution : upgrade PFTP to version 2.9g
    Risk factor : High

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    This FTP server accepts any login/password combination. This is a real threat, since anyone can browse the FTP section of your disk without your consent.
    Solution : upgrade WFTP.
    Risk factor : High

    CVE : CAN-1999-0200

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    There is a backdoor in the old ftp daemons of Linux, which allows remote users to log in as 'NULL', with password 'NULL', and to get root privileges over FTP.
    Solution : Update your FTP server to the latest version available.
    Risk factor : High
    CVE : CAN-1999-0452

    [ back to the list of ports ]

    Warning found on port ftp (21/tcp)
    The FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles.
    Under most Unix system, doing :
    echo ftp >> /etc/ftpusers
    will correct this.
    Risk factor : Low
    CVE : CAN-1999-0497

    [ back to the list of ports ]

    Information found on port ftp (21/tcp)
    Remote FTP server banner :
    jd ftp server ready

    [ back to the list of ports ]

    Vulnerability found on port telnet (23/tcp)
    The remote printer has no password set. This allows anyone to change its IP, thus to generate problems on your network.
    Solution : telnet to this printer and set a password.
    Risk factor : Serious

    [ back to the list of ports ]

    Warning found on port telnet (23/tcp)
    The Telnet service is running.
    This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords.
    You should disable this service and use OpenSSH instead. (www.openssh.com)
    Solution : Comment out the 'telnet' line in /etc/inetd.conf.

    Risk factor : Low
    CVE : CAN-1999-0619

    [ back to the list of ports ]

    Information found on port telnet (23/tcp)
    Remote telnet banner :
    HP JetDirect
    Please type "?" for HELP, or "/" for current settings
    >

    [ back to the list of ports ]

    Warning found on port unknown (280/tcp)
    a web server is running on this port

    [ back to the list of ports ]

    Vulnerability found on port general/tcp
    The TCP sequence numbers of the remote host depends on the time, so they can be guessed rather easily. A cracker may use this flaw to spoof TCP connections easily.
    Solution : contact your vendor for a patch
    Risk factor : High

    [ back to the list of ports ]

    Warning found on port general/tcp
    The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host.
    An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things.
    Solution : Contact your vendor for a patch
    Risk factor : Low

    [ back to the list of ports ]

    Information found on port general/tcp
    Nmap found that this host is running HP LaserJet Printer

    [ back to the list of ports ]

    Warning found on port unknown (631/tcp)
    a web server is running on this port

    [ back to the list of ports ]

    Vulnerability found on port snmp (161/udp)
    SNMP Agent responded as expected with community name: public
    CVE : CAN-1999-0517

    [ back to the list of ports ]

    Warning found on port snmp (161/udp)
    It was possible to obtain the list of network interfaces of the remote host via SNMP :
    . HP ETHERNET MULTI-ENVIRONMENT,ROM G.07.02,JETDIRECT,JD33,EEPROM G.08.32
    An attacker may use this information to gain more knowledge about the target host.
    Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port
    Risk factor : Low

    [ back to the list of ports ]

    Warning found on port snmp (161/udp)
    SNMP Agent port open, it is possible to execute SNMP GET and SET, (with the proper community names)

    [ back to the list of ports ]

    Information found on port general/udp
    For your information, here is the traceroute to 207.160.45.37 :
    ?

    [ Back to the top ]

    static-044198.static.missouri.edu :

    List of open ports :
    ftp (21/tcp) (Security hole found)
    telnet (23/tcp) (Security warnings found)
    http (80/tcp)
    unknown (280/tcp) (Security warnings found)
    printer (515/tcp)
    jetdirect (9100/tcp)
    general/tcp (Security hole found)
    unknown (631/tcp) (Security warnings found)
    unknown (5120/tcp)
    unknown (5122/tcp)
    unknown (5121/tcp)
    unknown (9220/tcp)
    unknown (9290/tcp)
    unknown (9280/tcp) (Security warnings found)
    snmp (161/udp) (Security hole found)
    general/udp (Security notes found)

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)

    It is possible to log into the remote FTP server as ' '/' '.
    If the remote server is PFTP, then anyone can use this account to read arbitrary files on the remote host.
    Solution : upgrade PFTP to version 2.9g
    Risk factor : High

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    This FTP server accepts any login/password combination. This is a real threat, since anyone can browse the FTP section of your disk without your consent.
    Solution : upgrade WFTP.
    Risk factor : High
    CVE : CAN-1999-0200

    [ back to the list of ports ]

    Vulnerability found on port ftp (21/tcp)
    The remote FTP server closes the connection when one of the commands USER, PASS or HELP is given with a too long argument.
    This probably due to a buffer overflow, which allows anyone to execute arbitrary code on the remote host.
    This problem is threatening, because the attackers don't need an account to exploit this flaw.
    Solution : Upgrade your FTP server or change it
    Risk factor : High

    [ back to the list of ports ]

    Warning found on port ftp (21/tcp)
    The FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles.
    Under most Unix system, doing :
    echo ftp >> /etc/ftpusers
    will correct this.
    Risk factor : Low
    CVE : CAN-1999-0497

    [ back to the list of ports ]

    Information found on port ftp (21/tcp)
    Remote FTP server banner :

    jd ftp server ready

    [ back to the list of ports ]

    Warning found on port telnet (23/tcp)
    The Telnet service is running.
    This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the telnet client and the telnet server. This includes logins and passwords.
    You should disable this service and use OpenSSH instead. (www.openssh.com)
    Solution : Comment