Reconfigure MFP LDAP → harvest service-account credentials
Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext.
§ Context
Assumed environment: foothold on the corporate LAN. MFP admin panel reachable with vendor-default credentials (admin/admin or admin/<empty>). The LDAP service account configured on the MFP is a privileged domain user.
§ Steps
- 01 · Authenticate as service account · Initial Access · T1078 — Valid Accounts
- 02 · Pivot via the harvested credentials · Lateral Movement · T1550.002 — Pass the Hash
- 03 · Default credentials on admin web panel · Credential Access · W-AUTH-DEFAULT — Default Credentials
- 04 · Discover MFP on the LAN · Discovery · N-NMAP-INTERNAL — Internal Nmap Sweep
- 05 · Run rogue LDAP listener · Resource Development · T1583 — Acquire Infrastructure
- 06 · MFP binds + leaks service-account creds · Credential Access · T1556 — Modify Authentication Process
- 07 · Repoint LDAP server to attacker host · Credential Access · PRT-LDAP-CRED-STEAL — MFP LDAP Address-Book Credential Theft
§ References
- T1078 — Valid Accounts
- T1550.002 — Pass the Hash
- T1583 — Acquire Infrastructure
- T1556 — Modify Authentication Process
§ Frequently asked
- What is the "Reconfigure MFP LDAP → harvest service-account credentials" attack path?
- Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext. It chains 7 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Authenticate as service account (T1078), an Initial Access primitive. Assumed environment: foothold on the corporate LAN.
- What is the final impact of this kill-chain?
- The final step lands on Repoint LDAP server to attacker host (PRT-LDAP-CRED-STEAL), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References"; each technique page lists defensive controls, detection telemetry, and known threat-actor usage. For this path, the two preconditions stated under Context (vendor-default admin credentials on the MFP, and a privileged domain account used for the LDAP address-book lookup) are the controls to check first.
§ Related dossiers
- Jenkins /script Groovy console → RCE → AD (3 shared techniques)
Jenkins script console exposed unauthenticated on the corporate intranet; Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
- Industroyer2 IEC-104 substation hijack (2 shared techniques)
Timed payload speaks IEC-60870-5-104 to substation RTUs at an attacker-chosen hour; sends 'open breaker' commands across a substation, blacking out a grid section.
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) (2 shared techniques)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- BGP prefix hijack → traffic interception (2 shared techniques)
From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker AS; traffic for that prefix flows through the attacker for inspection / DoS.
- Insider admin panel coercion → mass account takeover (Twitter 2020) (2 shared techniques)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- z/OS TN3270 → RACF userID brute → mainframe shell (2 shared techniques)
Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow a predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.