Hacking Printers


Thweety


Ok so help me out here. I just thought of this last night and I wonder how simple this truly is in real life. Darren has covered MITM before and even though this isn't necessarily the same, I think it follows closely with my thought process. So an example first. I have a laptop. I take it to a hotel and connect to its WIFI. The next day I go back to that hotel and my laptop sends out a beacon asking if the hotel WIFI is still there, correct?

Now on topic. So does a wireless printer do the same thing?

Let's say I get someone's hand-me-down wireless printer. I turn it on, connect it to my WIFI and I'm good to go. But this printer used to be connected to the previous person's WIFI. So does that mean when I initially turned it on it sent out beacons asking if the previous WIFI is still there? And if I used some awesome HAK5 tools could I say I am that WIFI router and thus gain the old WIFI's password? I may be using the words incorrectly here, but wouldn't I be able to basically record and keep the encrypted password or hash and then, when I'm actually in front of that person's WIFI, do some sort of pass-the-hash technique to gain access? I mean if that's the case, since people are throwing out printers all the time, does that mean they are giving out their secret WIFI creds as well???

I just got and then ditched a bunch of WIFI printers and now I'm really wishing I didn't, because I'd like to attempt this and see if this is really something to be concerned about. Let me know your thoughts, and if there is any info on this out there I'd be interested. A simple Google search only brought up a webserver flaw in HP printers.


Most wifi printers will just show the PSK in the web GUI, so all you need to do is log into it and ask for it. That assumes it also has a wired interface; if not, then it is possible to collect enough packets from the handshake to attempt to crack them.


Thanks for the reply digininja. Would cracking even be necessary? If you got the handshake, could you keep it in that form and then give it to the actual WIFI router when it asks for it? Again, terminology might be off, but could it be along the same lines of hacking into someone's machine? If I have your password hash... and can get the machine to accept that, then I really don't need to know your plain text password. My thinking may be off but I think it's doable. Now I just need to borrow a few unneeded printers to test it.


The hash or PSK is never sent; it is used to encode a nonce which is sent from one side to the other. As both sides know the PSK, they know what value to expect returned for the nonce they sent.

Google the 4 way handshake, you'll find better explanations than mine out there.


So googling "4 way handshake" and seeing a really nice diagram basically states exactly what you said, which is that I wouldn't get the PSK. But, and it's probably just my oddball thinking, what if I could capture the printer's side of it that it's sending to my fake AP, and then replay that to the real AP when I'm pretending to be the printer... You don't think there's any chance of that working? I may be wrong but I thought Darren did something like this with a rogue AP doing a MITM. I know I'm talking apples to oranges here, but I still think I'd have a fighting chance getting this to work. And for testing I could just use my laptop connecting to a test AP. I create a fake AP and record my laptop trying to connect to me. Then I turn around and fake my real AP, pretending to be the laptop. Don't know. It's probably not possible. But it sure sounds possible. Should I get something like that to work I'll let everyone know. I was just hoping there was something like this already around that I just needed to try out. Just thinking of all of the IOT devices out there that could have our private data on them. And we just toss them out and not care.


No, there wouldn't be any chance of it working. The AP sends a nonce to the client, which it encodes and sends back. If you captured the reply from the printer and took it to the real AP, you'd have to be so extraordinarily lucky for it to send the same nonce that you'd be better off playing the lottery and winning that.

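To make the point about the nonce concrete, here is an added example (not from this thread or from Hak5) that models the WPA2-Personal key derivation in Python: the printer's reply to the AP carries only its own SNonce and a MIC keyed by a PTK derived from both nonces, so message 2 recorded against a rogue AP's ANonce fails verification at the real AP, which issues a different ANonce of its own. The MAC addresses, nonces, SSID and passphrase are constructed sample values, and the EAPOL-Key frame body is a simplified stand-in for the real frame layout.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): MAC addresses and nonces.
AP_MAC = bytes.fromhex("020000000a01")
PRINTER_MAC = bytes.fromhex("020000000b02")
ANONCE_REAL_AP = bytes(range(32))        # nonce the real AP issues in its own session
ANONCE_FAKE_AP = bytes(range(100, 132))  # nonce the test (rogue) AP issued when recording
SNONCE = bytes(range(200, 232))          # nonce the printer picked for its reply

def derive_pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """IEEE 802.11 PRF-384 over the label, sorted MACs and sorted nonces; bytes 0-15 are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]

def eapol_mic(kck, body):
    """Key descriptor version 2 (CCMP): HMAC-SHA1 truncated to 128 bits over the frame, MIC field zeroed."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

def supplicant_msg2(pmk, anonce):
    """Printer's reply to message 1. The body is a simplified stand-in for the EAPOL-Key frame:
    only the SNonce and the MIC go over the air, never the PMK or the PSK it was derived from."""
    kck = derive_ptk(pmk, AP_MAC, PRINTER_MAC, anonce, SNONCE)[:16]
    body = b"EAPOL-Key msg2 " + SNONCE
    return body, eapol_mic(kck, body)

def authenticator_verify(pmk, anonce, body, mic):
    """AP recomputes the KCK from its own ANonce plus the SNonce in the body, then checks the MIC."""
    snonce = body[-32:]
    kck = derive_ptk(pmk, AP_MAC, PRINTER_MAC, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, body), mic)

def replay_succeeds(passphrase="correct horse", ssid="HomeNet"):
    """Record message 2 against the fake AP's ANonce, then present the same bytes to the real AP.
    Returns (accepted by the session it was recorded in, accepted by the real AP)."""
    pmk = derive_pmk(passphrase, ssid)
    body, mic = supplicant_msg2(pmk, ANONCE_FAKE_AP)        # what the rogue AP records
    live = authenticator_verify(pmk, ANONCE_FAKE_AP, body, mic)
    replayed = authenticator_verify(pmk, ANONCE_REAL_AP, body, mic)  # different ANonce -> MIC fails
    return live, replayed

if __name__ == "__main__":
    print("accepted in own session: %s, accepted on replay: %s" % replay_succeeds())
```

The recorded frame is still useful to an attacker only as input to an offline guess of the passphrase (what the earlier reply called cracking), which is why a strong PSK and clearing the printer's stored network settings before disposal are the practical defences.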
