Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Shmoocon 2011: Printer to Pwnd


Printer to PWND: Leveraging Multifunction Printers During Penetration Testing

(Deral Heiland “PercX” and Pete Arzamendi “Bokojan”)

History of printers

1969 – Xerox creates the first printer
March 1991 – HP LaserJet IIISi, the worlds first networked printer
1987 – Xerox Printer 100, the first multifunction printer
MFP functions and features
Looking for features that can be exploited to assist in penetration testing
  • Email
    • Server Settings
    • Address Book
  • Fax
    • Inbound/Outbound
  • Scanning
    • SMB Authentication
      • System
      • Users
    • FTP
  • LDAP
    • Access credentials
  • Logging
    • Usernames
  • Remote retrieval of print/fax/scan
Systems looked at in this presentation .:
  • Example system: Toshiba
Various settings when accessing the HTTP interface, including access to view credentials and system/network settings
  • Example system: Canon imageRUNNER
Ability to configure things like LDAP, as well as exporting settings to make things easier to rollout across systems!
  • Example system: HP Colour LaserJet CP4005
Tracks individual usernames of people printing
Uses LDAP for validation and to fill in address books etc…
Ability to clone device for ease of creating multiple printers. Export for settings!

MFP flaws and vulnerabilities

Security Bypass
Despite a large number of systems being configured to use default accounts.
If the password isn’t default you can bypass the system by insert an addition / into the URL at which point you can directly call Administrative functions.
HP Offiejet has a similar issue where directly calling a page=faxaddr results in a username/password prompt. Changing the URL to add an additional page=xxx to the URL (e.g. page=xxx&page=faxaddr the username/password prompt is avoided and access is granted.
Canon imageRUNNER. Altering the ACL=1 parameter grants a bypass on several models depending on firmware.
A lot of system seem to have these kind (forced browsing) type flaws.
Xerox supports a clone device function. http://target:8080/cloning.dlm
If a clone has been made of this machine, you can directly access the clone copy without requiring username/password.
The format is encrypted in most cases. Currently under investigation.
Extracting settings
The Canon supports exporting of settings. As you’d expect this shows usernames and settings. However (depending on configuration) these exports also include clear-text passwords.
Information Leaks
Many printers within the administrative console, hide passwords using *****, however the password is present in clear text within the HTML source!

Leveraging MFP during penetration testing

Example 1
Leveraging HP to gain domain access
  • HP Colour LaserJet CP4025
  • Extract users’ names from colour job log
  • User with weak password
  • Access to workstation
  • Domain Admin token
Total compromise of the environment through information disclosure on an MFP device
Example 2
Leveraging Toshiba to get payroll data
  • Toshiba e-Studio
  • Extract password from scan-to-file function
  • Gain access to AD domain
  • Gain access to a number of folders/shares/files
  • Access to one special file share “Payroll Backup”

Access to scanned records and payroll backups (SQL DB dumps)

Further access was possible through password re-use (ended in total Domain Admin access)

Example 3
Leveraging Canon to gain domain controller access
  • Canon imageRUNNER
  • Extract LDAP settings
  • Enumerate domain user info
  • Remote Desktop access to all server
Leveraging fax to pwn the network
  • OfficeBridge – Fax System
  • First device we found credentials stored on
  • Extract password from LDAP (Base64 encoded)
  • Account was Domain Admin account

Workflow for attacking/testing printers

Development of an auto-harvesting tool ‘PRAEDA’

Designed to automate some of the information gathering from network appliances through web-management interfaces
  • printers
  • network appliances
Written in PERL (currently in BETA)
Goal was to create a simplistic tool that was modular
Has modules for the examples discussed and others.
Currently enumerated about a dozen different models of printers using Title page and Server type responses from the printer management page.
Currently researching encryption methods used by some vendors for backup and clone processes (HP / Xerox)
Looking to migrate code to Ruby – early stages are already in progress
Currently not multi-threaded, but it will be!


This tool has already been used in active penetration tests, but needs community support to implement new modules.
There is a mailing-list to discuss this and the Foofus.net tools (http://lists.foofus.net)
Currently looking for feedback on DELL printers!


  • Change password from default
  • Isolate printers on a VLAN
  • Patch printers when new software is available
  • Use accounts with limited access (write only)


%d bloggers like this: