Segment 4: Behavioral Profiling

Your network is only as secure as your weakest links. That should be on a bumper sticker. OK, maybe not, it is kinda dumb, but still... the truth of the matter is that we overlook embedded devices on our network when we deploy NAC. Most of the time those "headless" devices do not support a client, nor do they have the interactivity required to work with a clientless type of NAC deployment. So we just put a MAC lock on a port and move on, right?
These devices are huge holes on the network: folks can unplug one, clone its MAC, and get right in. Plus the large network printers are just fun to hack! Check out this C# code that I love to use to change the display of various HP printers. Feel free to use this, just add the IP address of your printer in the code section and compile to an .exe.
namespace hphack
{
    using System;
    using System.Text;
    using System.Net;
    using System.Net.Sockets;

    public class PrnHack
    {
        public static int Main(string[] args)
        {
            if (!ParseArgs(args))
            {
                return -1;
            }

            Console.WriteLine("\nHP Display Hack");
            Console.WriteLine("Host: {0}", args[0]);
            Console.WriteLine("Message: {0}\n", message);

            // Resolve the printer name or IP given on the command line.
            IPEndPoint ipEndPoint = new IPEndPoint(
                Dns.GetHostAddresses(args[0])[0],
                PJL_PORT
            );
            Console.WriteLine("Host is {0}", ipEndPoint.ToString());

            // Match the socket family to the resolved address.
            Socket socket = new Socket(
                ipEndPoint.AddressFamily,
                SocketType.Stream,
                ProtocolType.Tcp
            );
            socket.Connect(ipEndPoint);

            // PJL command framed by the Universal Exit Language marker (ESC%-12345X).
            string sendString = String.Format(
                "\x1B%-12345X@PJL RDYMSG DISPLAY = \"{0}\"\r\n\x1B%-12345X\r\n",
                message
            );
            byte[] sendData = Encoding.ASCII.GetBytes(sendString);

            int result = socket.Send(sendData, sendData.Length, SocketFlags.None);
            if (result == 0)
            {
                Console.WriteLine("Could not send on socket");
            }

            socket.Close();
            Console.WriteLine("Finished\n\n");
            return 0;
        }

        // Expects exactly two arguments: the printer name and the message (or "random").
        protected static bool ParseArgs(string[] args)
        {
            if (args.Length != 2)
            {
                Console.WriteLine(
                    "HP Display Hack: " +
                    "hphack printername \"message\" "
                );
                return false;
            }

            // The ready message is limited to 16 characters.
            if (args[1].Length > 16)
            {
                Console.WriteLine("Message must be <= 16 characters");
                return false;
            }

            if (args[1].CompareTo("random") == 0)
            {
                message = GetRandomMessage();
            }
            else
            {
                message = args[1];
            }
            return true;
        }

        public static string GetRandomMessage()
        {
            string[] Messages = {
                "BUZZ OFF",
                "GO FISHIN",
                "STEP AWAY",
                "SET TO STUN",
                "SCORE = 3413",
                "PAT EATS MICE",
                "FEED ME",
                "GO AWAY",
                "NEED MORE SPACE",
                "POUR ME A DRINK",
                "IN DISTRESS",
                "NICE SHIRT",
                "INSERT QUARTER",
                "NO PRINT FOR YOU",
                "RADIATION LEAK",
                "HANDS UP",
                "I AM YOUR FATHER",
                "TAKE ME HOME",
                "LOOKS LIKE RAIN",
                "HELLO WORLD",
                "NICE HAIR",
                "NEED A MINT?",
                "BE GENTLE",
                "BE KIND",
                "INSERT DISK",
                "BUY ME LUNCH",
                "TECHWISETV",
                "COME CLOSER",
                "TAKE A BREAK",
                "PHONE CALL",
                "THEIR HERE"
            };
            Random r = new Random();
            return Messages[r.Next(Messages.Length)];
        }

        // Raw print port that accepts PJL.
        protected const int PJL_PORT = 9100;
        protected static string message = "NO MESSAGE";
    }
}
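Seen from the defender's side, that same PJL frame is easy to pick out of traffic to port 9100. The following is an added example, not part of the original post: it parses raw port-9100 payloads and flags PJL control commands such as RDYMSG that come from hosts outside an allowed print-server list. The addresses, the allowlist, the control-command policy set and the sample payloads are all constructed for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language marker that frames PJL
PJL_LINE = re.compile(rb"@PJL\s+(\w+)([^\r\n]*)")

# Assumed policy: PJL commands that change device state instead of describing a job.
CONTROL_CMDS = {b"RDYMSG", b"OPMSG", b"STMSG", b"DEFAULT", b"INITIALIZE"}

# Constructed allowlist: only the print server should ever talk PJL to printers.
PRINT_SERVERS = {"10.0.0.5"}

# Constructed sample payloads as (source IP, bytes seen on TCP/9100).
SAMPLE_FLOWS = [
    ("10.0.0.5", UEL + b'@PJL JOB NAME = "report"\r\n@PJL ENTER LANGUAGE = PCL\r\n'),
    ("10.0.9.77", UEL + b'@PJL RDYMSG DISPLAY = "INSERT QUARTER"\r\n' + UEL + b"\r\n"),
    ("10.0.0.5", UEL + b'@PJL RDYMSG DISPLAY = "READY"\r\n' + UEL + b"\r\n"),
]


def pjl_commands(payload):
    """Return (command, argument) pairs for each @PJL line in a raw payload."""
    if UEL not in payload:
        return []  # no UEL framing, so this is not a PJL stream
    return [(m.group(1).upper(), m.group(2).strip())
            for m in PJL_LINE.finditer(payload)]


def audit(flows, print_servers):
    """Flag control commands sent by hosts that are not approved print servers."""
    alerts = []
    for src, payload in flows:
        for cmd, arg in pjl_commands(payload):
            if cmd in CONTROL_CMDS and src not in print_servers:
                alerts.append((src, cmd.decode(), arg.decode("ascii", "replace")))
    return alerts


if __name__ == "__main__":
    for src, cmd, arg in audit(SAMPLE_FLOWS, PRINT_SERVERS):
        print(f"ALERT {src} sent PJL {cmd}: {arg}")
```

The same allowlist works as a switch or firewall ACL: if only the print server may reach TCP/9100 on printer ports, a frame like the flagged one never arrives.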
And if you need more reasons to take to the bean counters, just pick the regulation that you fall under and quote directly from it:
SOX:
All publicly traded companies must:
a) Maintain an adequate internal control structure and procedures for financial reporting
b) Assess the effectiveness of internal control structures
HIPAA:
Maintain administrative, technical and physical safeguards to:
a) Ensure the integrity and confidentiality of patient information
b) Protect against threats or hazards; unauthorized uses or disclosures of patient information
PCI:
Any merchant (including electronic) using payment cards must:
a) Build and maintain a secure network
b) Protect and encrypt cardholder data
c) Regularly monitor and test networks, including wireless
Now back to fixing Robb's printer....