Hacktricks Printer


Chadwick Bosse

Aug 3, 2024, 4:20:52 PM8/3/24
to storinfmasam

I had some access to different printers over the last couple of months and learned some basic principles, which I want to share with you as well as possible now.
Printers use a variety of protocols and firmwares, which differ from vendor to vendor and model to model.
So this first part might be boring to some; you can skip the theoretical part and jump right to the exploitation paragraph, but talking about fundamentals covers important topics.

In the Windows world, SMB/CIFS printers are popular.
The most common printing protocols supported directly by network printers, however, are LPD, IPP and raw port 9100 printing, which I will explain in a bit more depth now.
Furthermore, some devices also support printing over generic protocols such as FTP or HTTP file uploads.

IPP is an extensible protocol based on HTTP, so it inherits HTTP's existing security features such as basic authentication and SSL/TLS encryption.
To submit a print job, an HTTP POST request is sent to the IPP server, which listens on 631/TCP.
For anyone wondering, CUPS is an IPP implementation and the default printing system in many Linux distributions and Mac OS X.

This one basically specifies how the actual document will look, appearance-wise.
Here the printer driver comes into play, which translates the file to be printed into a PDL that is understood by the printer.

Depending on the planned attack and the access available, one has a variety of attack vectors.
Some need more planning than others.
Some need physical access and some can be done remotely.
Combinations of these are easily possible!

The Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser.
It allows the penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.
This is not really printer-specific, but it is a framework in which cross-site printing functionality can be implemented.

This one is a really nifty tool written in Python to check for basically every attack vector I mentioned above.
It connects to the printer via network or USB and tries to exploit the printer languages in use; currently supported are PS, PJL and PCL.
Once successfully connected, one has a ton of available commands.
A full list can be found on GitHub, linked below.

Linux Exploit Suggester is a neat little Perl script which suggests possible exploits depending on your kernel version.
As stated above, the kernel versions of embedded operating systems are often far older than those of current Linux-based desktop or server distributions.
So old, usually long-fixed exploit techniques might still be viable here!

So we have the usual printing ports open, as well as some other basic ones.
It is running an older Linux as well, so no big surprise there!
No open 22/TCP port though.
So causing mayhem on the file system is not possible as of now.

Anyway, using PRET is easy and self-explanatory; once connected, a help function will give you an overview of the available stuff!
From checking the file system, creating directories and changing configuration files to dumping the whole NVRAM, PRET can do it all (in theory, that is).

If I get my hands on some nicer printer, I will deliver some exploit stuff later on, I promise.
If I get some more time, I will do a breakdown of my current home printer so I can take a look under the hood and figure something out.
An example here would be to capture a firmware update and try to unpack/reverse it.
This would take a lot more time and preparation on my part, which would seriously delay this article as well.

This Insane-difficulty machine from Hack The Box took me a lot longer to progress to the initial foothold than most boxes take to root! This machine had some very interesting avenues of approach that greatly differed from the standard enumeration and progression that most of the lower-difficulty machines require. I had to research new protocols just to begin, and by the end had to write five Python scripts to progress through the initial foothold and for later privilege escalation. All in all it was a fun, but very challenging ride!

Next, I connected with telnet but everything I sent just got back the reply ?. I did some further research to see what kind of vulnerabilities might be exposed by having these two ports open. There was plenty of information on how to exploit open printers.

Following the instructions, I was able to quickly get it up and running, and got a PRET shell on the machine using the PS printer language. This only gave errors, so I switched to the PCL language and tried again. This time I was able to use the help command to get a list of further options to try.

After removing the extra characters (that looked to indicate that it was supposed to be a Python byte string) from the file I tried to base64 decode it, but it still seemed to be invalid encoding. I decided to keep enumerating to see if I could find anything to help me move forward.

I wrote a simple Python script to decode the queued file after I stripped out the extraneous characters, and wrote it out to a file q-out. It took a few tries to do since there was no IV. I read that sometimes the IV is simply the last 16-byte section of the file, which worked to decode the file. Since the file was an odd number of byte chunks, I had to strip off the extra bytes at the beginning to get it to decode.

I then created a Python client grpc_client.py to connect to port 9000 on the server and send my request. I set the feed URL to be my machine to test the connection. Next I created a netcat listener to catch the return message.

After redirecting the target to be the internal machine I got an error message with a new hostname. I added this to my /etc/hosts file. Sending the traffic to this hostname did not resolve my connection errors.

I used the grpc_client.py as a base to build the port scanner. The scanner was very slow as it made a full connection, sent its message, and waited for a reply for every port. I thought about making the script multithreaded, but had to go out so I left it running instead.

Solr is an open source application from Apache which provides searching and indexing capabilities for large amounts of data. Using the code from the exploit and my client from earlier I crafted a Python script that would connect to the server, change the configuration to enable code execution, then allow for execution of arbitrary commands specified as arguments to the script.

ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user.

Using this password and SSH I was able to log in as root to the docker container. Next I tried a standard docker container privilege escalation method where I mount the root filesystem into the container.

Since the process that was running the clear.sh script on the machine was owned by root, and since it was trying to run by connecting to port 22 on the container, I figured I needed a way to redirect that connection back to the local machine since there was no script named clear.sh there in the /tmp directory. This would give me the perfect opportunity to supply one for them for my own purposes. After doing some research on how to redirect ports without using SSH, I found the easiest way was by using socat.

For some reason I was unable to SSH in at one point while fixing up everything (it took me a number of tries to get it to work properly, as there was something causing the connection to the container to time out after a short time!). Running the command it mentioned in the error message: ssh-keygen -f "/var/solr/.ssh/known_hosts" -R "172.18.0.2" cleared the error and allowed me to log in again.

Thanks to MrR3boot & R4J for creating such a fun and interesting test of my python abilities. I think this is the first time that I have had to write so many scripts for just one machine. It was nice to learn about some new protocols, and also work in some API interaction as well.

Hacking Network Printers (Mostly HP JetDirects, but a little info on the Ricoh Savins)

By Adrian "Irongeek" Crenshaw

Other JetDirects may also be vulnerable, so it's worth testing. I tried it with my Hewlett Packard HP JetDirect 300X (J3263A) and installing the latest firmware (H.08.49) seems to fix this problem, but I imagine there are still a lot of un-patched JetDirects out there. Some print servers like the HP J3258A JetDirect 170X do not have user-upgradeable firmware at all, so you are stuck with the firmware they were shipped with. The only way to fix the vulnerability on them is to buy a new JetDirect.

Also try "rsh ip-address reboot" to see if you can reset the printer remotely (check syslog to see if it worked). Much the same information can be obtained by downloading files from the Savin printer's built-in FTP server and reading them in a text editor. See the screen shot below:

The following example assumes that port 9100/tcp is open past the firewall (don't laugh, I've seen it), but with some modification I'm pretty sure it could be made to work with IPP- and FTP-enabled printers too. All one has to do is generate a PostScript or PCL file with the content of the spam message they want to send. The Windows "Print to File" option works well for this. In a pinch a plain old text file will also work. Then they can use Netcat and IPIterator to send the print job to a whole IP range of printers.

Hijetter seems to be the Swiss army knife of HP JetDirect hacking. It can control a JetDirect box with PJL commands, and works even if a password is set (at least on my HP JetDirect 300X). You can download the binary and the source code for this app from:

You can only use the icons that are lit up. The first icon, from left to right, lets you control the file system on the JetDirect (if it has one), the next icon lets you make changes to the settings and the last icon lets you set the text that displays on the LCD screen. I'll cover these tasks in reverse order since I'm contrary like that.
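As an added example that is not part of the original post or of PRET itself: the post describes PRET driving a printer over raw port 9100 with PJL to list the file system, pull files, dump NVRAM and change settings. A defender watching that port can separate such sessions from ordinary print jobs by the PJL commands they carry. The detector below does that over two constructed captures; the command-to-category mapping is this example's own labelling (an assumption, not an HP taxonomy).

```python
import re

# Universal Exit Language sequence; PJL jobs sent to port 9100 are bracketed by it.
UEL = b"\x1b%-12345X"

# PJL commands that PRET-style tooling uses for more than printing. The category
# labels are this example's own (assumption), not an official HP taxonomy.
RISKY_PJL = {
    "FSDIRLIST": "filesystem-read", "FSQUERY": "filesystem-read",
    "FSUPLOAD": "filesystem-read", "FSDOWNLOAD": "filesystem-write",
    "FSAPPEND": "filesystem-write", "FSMKDIR": "filesystem-write",
    "FSDELETE": "filesystem-write", "FSINIT": "filesystem-write",
    "RNVRAM": "nvram-read", "WNVRAM": "nvram-write",
    "DEFAULT": "config-change", "RDYMSG": "display-tamper",
}

# One PJL line: "@PJL <COMMAND> [arguments]" terminated by CR/LF.
PJL_LINE = re.compile(rb"@PJL[ \t]+([A-Z]+)(?:[ \t]+([^\r\n]*))?")


def extract_pjl(stream: bytes):
    """Return (command, argument) pairs for every PJL line in a raw 9100 stream."""
    cmds = []
    for segment in stream.split(UEL):
        for m in PJL_LINE.finditer(segment):
            arg = (m.group(2) or b"").decode("ascii", errors="replace").rstrip()
            cmds.append((m.group(1).decode("ascii"), arg))
    return cmds


def classify(stream: bytes):
    """Return (category, command, argument) for each risky PJL command found.
    Plain printing (JOB, SET COPIES, ENTER LANGUAGE) yields nothing."""
    return [(RISKY_PJL[c], c, a) for c, a in extract_pjl(stream) if c in RISKY_PJL]


# Constructed sample captures (not real traffic): an ordinary PCL job and a
# PRET-style session that lists the file system, pulls a file and rewrites the display.
NORMAL_JOB = (UEL + b"@PJL JOB\r\n@PJL SET COPIES=1\r\n@PJL ENTER LANGUAGE=PCL\r\n"
              + b"\x1bEHello\x1bE" + UEL)
SUSPECT_JOB = (UEL + b'@PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535\r\n'
               + UEL + b'@PJL FSUPLOAD NAME="0:/constructed/sample.cfg" OFFSET=0 SIZE=4096\r\n'
               + UEL + b'@PJL RDYMSG DISPLAY="constructed"\r\n' + UEL)

if __name__ == "__main__":
    for name, job in (("normal", NORMAL_JOB), ("suspect", SUSPECT_JOB)):
        for category, cmd, arg in classify(job):
            print(f"{name}: {category:16} @PJL {cmd} {arg}")
```

Fed a capture of the session described in the post (file-system listing, config download, display message), the suspect job yields three findings while the ordinary job yields none.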
