The article explains how modern office printers can become overlooked entry points for Active Directory compromise. Printers are no longer simple peripherals: they run embedded operating systems, expose network services, store documents and address books, and often integrate with LDAP, SMTP, SMB, FTP, SNMP, IPP, LPD, RAW 9100, PostScript, PJL, and PCL. The main risk comes from weak configuration: default admin passwords, exposed management ports, SNMPv2 with default community strings, cleartext credentials, outdated firmware, and poor monitoring. A key scenario is the “pass-back attack,” where a printer is reconfigured to send authentication data to an attacker-controlled listener through LDAP, SMTP, or SMB. Captured domain credentials can then become the starting point for AD enumeration, Kerberoasting, AS-REP roasting, BloodHound mapping, ADCS abuse, NTLM relay, or lateral movement. The defensive message is clear: treat printers as real network assets—change defaults, disable unused services, use SNMPv3, restrict management access, segment printers into VLANs, enforce HTTPS/IPPS, and keep firmware updated.
Welcome back, aspiring pentesters!
Modern printers are no longer simple devices that just put ink on paper. Today, a typical office printer is a fully functional computer with its own operating system and direct access to both wired and wireless communication channels. It can store documents, maintain address books and communicate with multiple parts of the corporate infrastructure. Because of this evolution, the idea of a printer being hacked is no longer far-fetched. It’s a real and often underestimated risk for businesses.
In many organizations, security efforts are heavily focused on servers, domain controllers and employee workstations. Those are critical assets. But what is often forgotten is that the printer sits on the same network. It’s rarely monitored with the same level of attention as more “important” systems.
Why Printers?
Any office printer is a network device with multiple exposed services. It often integrates with protocols such as LDAP, SMTP, SMB and FTP. When these services are configured in a basic or careless way, they can be exploited. The most common problems tend to repeat themselves across different environments. Default administrator credentials are often left unchanged, which means anyone who knows the vendor defaults can gain access. Open network ports such as IPP, LPD, RAW 9100, and SNMP expose interfaces that can be interacted with remotely. SNMP version 2 is still widely used with default community strings, which gives anyone on the network read access to sensitive configuration data. In some cases, credentials are stored in clear text.
Many printers also support page description and control languages such as PostScript, PJL, and PCL. These are interfaces that can be abused. A well-known tool called the Printer Exploitation Toolkit (PRET) lets you work with printers at this level. Against a poorly secured configuration, it can reach the device’s internal file system and read its configuration files.
There are also various scripts that can brute-force default HTTP passwords on devices. One example is default-http-login-hunter.sh.


Possible Attacks
During penetration tests, certain attack scenarios appear again and again. One of them is the so-called pass-back attack. In this scenario, the printer is configured in such a way that it sends authentication data to a listener the attacker controls. This often happens because LDAP, SMTP or SMB settings are misconfigured. The printer is simply doing what it was told to do.
Below, you can see how SMTP was abused on a Brother printer. When the printer authenticates over plain LDAP or SMTP, the credentials are transmitted in cleartext. These are domain credentials. The same attack will work on HP, Kyocera and other printers.

Responder is used to capture credentials over SMTP
It can also be achieved with other protocols, such as SMB.

Responder is used to capture credentials over SMB
There are several other techniques that hackers use in this space. SNMP can be used to extract login credentials if it isn’t secured well. Address books stored on the printer may contain domain usernames and sometimes even authentication data. Vulnerable firmware may allow remote command execution, which opens the door to direct control of the device. The printer itself can be used as a proxy to launch attacks against other systems inside the network. Even print jobs themselves can become a target, especially when they contain sensitive or confidential information.

From an attacker’s point of view, the pass-back scenario is the most attractive option. Printers are rarely protected by strict firewall rules and logging is often minimal. Security teams may not even be aware of how the device communicates with the rest of the infrastructure. This lack of visibility creates a blind spot.
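The blind spot described above is also the detection opportunity: a printer whose LDAP, SMTP or SMB settings have been repointed will start opening those sessions to a host that is not a domain controller, mail relay or file server. The script below is an added example, not code from the original article or from Responder or PRET. It assumes a firewall or flow export in a simple key=value line format (constructed here), a known printer VLAN, and an allowlist of the servers printers are legitimately configured to contact; the subnet, addresses and log lines are all constructed for the example.

```python
"""Detect printer pass-back behaviour from egress connection logs.

Added example. Assumes a constructed key=value log format and a constructed
allowlist of approved LDAP/SMTP/SMB servers; replace both with your own.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: the printer VLAN and the only hosts printers should reach on
# the ports that carry authentication.
PRINTER_VLAN = ipaddress.ip_network("10.10.20.0/24")
APPROVED = {
    389: {"10.10.1.10", "10.10.1.11"},   # LDAP  -> domain controllers
    636: {"10.10.1.10", "10.10.1.11"},   # LDAPS -> domain controllers
    25:  {"10.10.1.25"},                 # SMTP  -> internal mail relay
    587: {"10.10.1.25"},                 # SMTP submission -> mail relay
    445: {"10.10.1.30"},                 # SMB   -> scan-to-folder server
}
PORT_NAMES = {389: "LDAP", 636: "LDAPS", 25: "SMTP", 587: "SMTP", 445: "SMB"}

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p> action=<a>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_passback(lines):
    """Return findings: printers talking LDAP/SMTP/SMB to unapproved hosts.

    Denied connections are reported too: a blocked attempt still means the
    printer's server settings no longer point where they should.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if ipaddress.ip_address(rec["src"]) not in PRINTER_VLAN:
            continue
        if rec["dport"] not in APPROVED:
            continue
        if rec["dst"] not in APPROVED[rec["dport"]]:
            findings.append({
                "ts": rec["ts"], "printer": rec["src"], "dst": rec["dst"],
                "service": PORT_NAMES[rec["dport"]], "port": rec["dport"],
                "action": rec["action"],
            })
    return findings


def summarize(findings):
    """Group findings per printer so one alert covers a burst of retries."""
    per_printer = defaultdict(set)
    for f in findings:
        per_printer[f["printer"]].add((f["service"], f["dst"]))
    return {printer: sorted(targets) for printer, targets in per_printer.items()}


# Constructed sample log: a normal scan-to-email job and address-book lookup
# from one MFP, then a second MFP whose LDAP/SMTP/SMB targets were repointed,
# then a non-printer host that the rule must ignore.
SAMPLE_LOG = """\
2024-05-06T09:01:12Z src=10.10.20.15 dst=10.10.1.25 dport=25 proto=tcp action=allow
2024-05-06T09:01:13Z src=10.10.20.15 dst=10.10.1.10 dport=389 proto=tcp action=allow
2024-05-06T09:02:40Z src=10.10.20.41 dst=10.10.55.9 dport=389 proto=tcp action=allow
2024-05-06T09:02:41Z src=10.10.20.41 dst=10.10.55.9 dport=25 proto=tcp action=allow
2024-05-06T09:02:42Z src=10.10.20.41 dst=10.10.55.9 dport=445 proto=tcp action=deny
2024-05-06T09:03:00Z src=10.10.30.7 dst=10.10.55.9 dport=389 proto=tcp action=allow
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    hits = find_passback(SAMPLE_LOG.splitlines())
    for printer, targets in summarize(hits).items():
        print(f"ALERT printer {printer} contacted unapproved servers: {targets}")
```

The allowlist is deliberately per port: a printer talking SMB to the domain controller is as suspicious as one talking LDAP to an unknown host, and the comparison against a fixed set is what turns a noisy flow log into a single, specific alert per printer.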
From SNMP to RCE
Some printer models have historically exposed sensitive information through SNMP. In such cases, it was possible to retrieve credentials used for accessing file shares. That alone can lead directly to corporate data leakage. There have also been vulnerabilities in printer management interfaces that allow unauthenticated access to address books or even remote command execution. One example is CVE-2022-1026, where a flaw allowed hackers to extract stored data without authentication. If a device like this is connected to a domain environment, the consequences can escalate very quickly.

Once a single valid account is found, it can be enough to begin exploring Active Directory. Using LDAP queries, hackers can find privileged group members such as Domain Admins or Enterprise Admins, and see if other accounts are vulnerable to Kerberoasting or AS-REP roasting. At that point, the printer becomes an entry point into the entire domain. BloodHound can map relationships between objects in Active Directory and find complex attack paths. ADCS misconfigurations can make escalation even easier. If you don’t find any exploitable vulnerabilities, the credentials stored on the printer can still be used to poison shares with LNK files and perform NTLM relay attacks against workstations once a privileged account is captured. This can lead to dumping SAM hashes, and in many environments the local Administrator password is reused across multiple machines. That means you can then look for active sessions of domain admins by using those local Administrator credentials on other computers and servers.
Defending Against These Attacks
To reduce these risks, it is necessary to treat the printer as a full network node that deserves the same attention as any other system. Security should not be an afterthought. Changing default administrator passwords is a basic step. Disabling unnecessary services reduces the attack surface and removes entry points that are not needed. Replacing older protocols like SNMPv2 with SNMPv3 adds a layer of protection through authentication and encryption. Restricting access to the web interface by IP and enforcing HTTPS ensures that management traffic is not exposed.
Wireless features that are not in use should be turned off, and printers should ideally be placed in a separate VLAN to limit their interaction with sensitive systems. Firmware updates should be applied regularly, because many vulnerabilities are fixed over time. Enabling encrypted printing through IPPS adds another layer of protection for data in transit.
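The hardening steps above are easiest to enforce when they are checked continuously rather than once at deployment. The script below is an added example, not code from the original article or from any printer vendor. It assumes each printer's settings have been exported into a plain dict; the key names, the model name, the minimum firmware version and the two sample configurations are all constructed for the example and do not correspond to any real vendor's export format.

```python
"""Audit exported printer configurations against the hardening baseline.

Added example. The config keys, model names, firmware floors and weak
password list are constructed placeholders, not a vendor format.
"""
from dataclasses import dataclass

# Constructed: services the baseline says should be off unless a workflow
# needs them, and the minimum firmware per model (placeholder model name).
UNNEEDED_SERVICES = {"ftp", "telnet", "lpd", "raw9100", "wifi", "wifi_direct"}
MIN_FIRMWARE = {"EXAMPLE-MFP-1": (2, 4, 0)}
# Constructed: trivially guessable admin passwords. A real audit would load
# the vendor default credentials for each model here.
WEAK_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "12345"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str      # "high" | "medium" | "low"
    setting: str
    current: str
    recommended: str


def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_printer(cfg):
    """Return the list of Findings for one printer configuration dict."""
    host = cfg["host"]
    out = []

    if cfg.get("admin_password", "") in WEAK_ADMIN_PASSWORDS:
        out.append(Finding(host, "high", "admin_password", "<weak/default>", "unique strong password"))

    snmp = cfg.get("snmp", {})
    if snmp.get("enabled") and snmp.get("version") != 3:
        out.append(Finding(host, "high", "snmp.version", str(snmp.get("version")), "3 (authPriv)"))
    if snmp.get("community") in {"public", "private"}:
        out.append(Finding(host, "high", "snmp.community", snmp["community"], "no v1/v2c community"))

    web = cfg.get("web", {})
    if not web.get("https_only"):
        out.append(Finding(host, "medium", "web.https_only", "false", "true"))
    if not web.get("allowed_admin_networks"):
        out.append(Finding(host, "medium", "web.allowed_admin_networks", "any", "management subnet only"))

    for svc in sorted(set(cfg.get("enabled_services", [])) & UNNEEDED_SERVICES):
        out.append(Finding(host, "medium", f"service.{svc}", "enabled", "disabled"))

    if cfg.get("print_protocol") != "ipps":
        out.append(Finding(host, "low", "print_protocol", str(cfg.get("print_protocol")), "ipps"))

    minimum = MIN_FIRMWARE.get(cfg.get("model"))
    if minimum and parse_version(cfg.get("firmware", "0")) < minimum:
        out.append(Finding(host, "high", "firmware", cfg["firmware"], ".".join(map(str, minimum))))

    return out


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean configuration."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


def audit_fleet(fleet):
    return {cfg["host"]: audit_printer(cfg) for cfg in fleet}


# Constructed sample: one printer left at factory-style settings, one hardened.
SAMPLE_FLEET = [
    {"host": "mfp-floor2", "model": "EXAMPLE-MFP-1", "firmware": "2.1.3",
     "admin_password": "admin",
     "snmp": {"enabled": True, "version": 2, "community": "public"},
     "web": {"https_only": False, "allowed_admin_networks": []},
     "enabled_services": ["ipp", "raw9100", "ftp", "wifi"],
     "print_protocol": "ipp"},
    {"host": "mfp-finance", "model": "EXAMPLE-MFP-1", "firmware": "2.4.1",
     "admin_password": "Correct-Horse-Battery-Staple-91",
     "snmp": {"enabled": True, "version": 3},
     "web": {"https_only": True, "allowed_admin_networks": ["10.10.5.0/24"]},
     "enabled_services": ["ipps"],
     "print_protocol": "ipps"},
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET).items():
        print(f"{host}: {worst_severity(findings)} ({len(findings)} findings)")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}: {f.current} -> {f.recommended}")
```

Each finding carries the current and the recommended value side by side, so the same output doubles as the remediation list for the device owner; the separate VLAN recommendation is a network-side control and is checked on the switch rather than in the printer's own configuration.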
Summary
The danger of printer compromise is not limited to document theft. That is only the surface. A compromised printer can provide access to the internal network and serve as a launch point for further attacks. From there, a hacker can move laterally and eventually gain control over critical systems.
The good news is that most of the common vulnerabilities can be eliminated with proper configuration and auditing. When organizations begin to treat printers as real network assets, they remove an entire class of easy entry points for hackers.
IoT devices are often easy to compromise and are typically not well protected. Firmware can be reverse engineered with basic Linux skills, allowing credentials to be extracted from it. There are many other attack paths available as well. If you want to learn how wind farms, cameras, traffic light controllers and many other IoT devices are hacked, we have our training on IoT Hacking.

