HackTricksInformation in Printers
Reading time: 6 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
There are several blogs in the Internet which highlight the dangers of leaving printers configured with LDAP with default/weak logon credentials.
This is because an attacker could trick the printer to authenticate against a rogue LDAP server (typically a nc -vv -l -p 389 or slapd -d 2 is enough) and capture the printer credentials in clear-text.
Also, several printers will contain logs with usernames or could even be able to download all usernames from the Domain Controller.
All this sensitive information and the common lack of security makes printers very interesting for attackers.
Some introductory blogs about the topic:
- https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/
- https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856
Printer Configuration
- Location: The LDAP server list is usually found in the web interface (e.g. Network β LDAP Setting β Setting Up LDAP).
- Behavior: Many embedded web servers allow LDAP server modifications without re-entering credentials (usability feature β security risk).
- Exploit: Redirect the LDAP server address to an attacker-controlled host and use the Test Connection / Address Book Sync button to force the printer to bind to you.
Capturing Credentials
Method 1 β Netcat Listener
sudo nc -k -v -l -p 389 # LDAPS β 636 (or 3269)
Small/old MFPs may send a simple simple-bind in clear-text that netcat can capture. Modern devices usually perform an anonymous query first and then attempt the bind, so results vary.
Method 2 β Full Rogue LDAP server (recommended)
Because many devices will issue an anonymous search before authenticating, standing up a real LDAP daemon yields much more reliable results:
# Debian/Ubuntu example
sudo apt install slapd ldap-utils
sudo dpkg-reconfigure slapd # set any base-DN β it will not be validated
# run slapd in foreground / debug 2
slapd -d 2 -h "ldap:///" # only LDAP, no LDAPS
When the printer performs its lookup you will see the clear-text credentials in the debug output.
π‘ You can also use
impacket/examples/ldapd.py(Python rogue LDAP) orResponder -w -r -fto harvest NTLMv2 hashes over LDAP/SMB.
Recent Pass-Back Vulnerabilities (2024-2025)
Pass-back is not a theoretical issue β vendors keep publishing advisories in 2024/2025 that exactly describe this attack class.
Xerox VersaLink β CVE-2024-12510 & CVE-2024-12511
Firmware β€ 57.69.91 of Xerox VersaLink C70xx MFPs allowed an authenticated admin (or anyone when default creds remain) to:
- CVE-2024-12510 β LDAP pass-back: change the LDAP server address and trigger a lookup, causing the device to leak the configured Windows credentials to the attacker-controlled host.
- CVE-2024-12511 β SMB/FTP pass-back: identical issue via scan-to-folder destinations, leaking NetNTLMv2 or FTP clear-text creds.
A simple listener such as:
sudo nc -k -v -l -p 389 # capture LDAP bind
or a rogue SMB server (impacket-smbserver) is enough to harvest the credentials.
Canon imageRUNNER / imageCLASS β Advisory 20 May 2025
Canon confirmed a SMTP/LDAP pass-back weakness in dozens of Laser & MFP product lines. An attacker with admin access can modify the server configuration and retrieve the stored credentials for LDAP or SMTP (many orgs use a privileged account to allow scan-to-mail).
The vendor guidance explicitly recommends:
- Updating to patched firmware as soon as available.
- Using strong, unique admin passwords.
- Avoiding privileged AD accounts for printer integration.
Automated Enumeration / Exploitation Tools
| Tool | Purpose | Example |
|---|---|---|
| PRET (Printer Exploitation Toolkit) | PostScript/PJL/PCL abuse, file-system access, default-creds check, SNMP discovery | python pret.py 192.168.1.50 pjl |
| Praeda | Harvest configuration (including address books & LDAP creds) via HTTP/HTTPS | perl praeda.pl -t 192.168.1.50 |
| Responder / ntlmrelayx | Capture & relay NetNTLM hashes from SMB/FTP pass-back | responder -I eth0 -wrf |
| impacket-ldapd.py | Lightweight rogue LDAP service to receive clear-text binds | python ldapd.py -debug |
Hardening & Detection
- Patch / firmware-update MFPs promptly (check vendor PSIRT bulletins).
- Least-Privilege Service Accounts β never use Domain Admin for LDAP/SMB/SMTP; restrict to read-only OU scopes.
- Restrict Management Access β place printer web/IPP/SNMP interfaces in a management VLAN or behind an ACL/VPN.
- Disable Unused Protocols β FTP, Telnet, raw-9100, older SSL ciphers.
- Enable Audit Logging β some devices can syslog LDAP/SMTP failures; correlate unexpected binds.
- Monitor for Clear-Text LDAP binds on unusual sources (printers should normally talk only to DCs).
- SNMPv3 or disable SNMP β community
publicoften leaks device & LDAP config.
References
- https://grimhacker.com/2018/03/09/just-a-printer/
- Rapid7. βXerox VersaLink C7025 MFP Pass-Back Attack Vulnerabilities.β February 2025.
- Canon PSIRT. βVulnerability Mitigation Against SMTP/LDAP Passback for Laser Printers and Small Office Multifunction Printers.β May 2025.
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the π¬ Discord group or the telegram group or follow us on Twitter π¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.