Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: pcl

{QuickPost} /auxiliary/server/capture/printjob_capture

Some months bask I asked people to help me test out a printer MITM modules I was working on for Metasploit. Well the good news is, I finally managed to get things working (mostly) and the module was accepted into Metasploit trunk a few months back (yeah, I’ve been slacking recently on updating the blog, sorry).

Currently it supports RAW and LPR (IPP proved a pain in the… well, you know what. I’m hoping to implement this in a future revision however.)

Feel free to try it out and let me know what you think… More information can be found HERE


PrintJob MITM – Testers Wanted

I had some time over the long weekend to tweak a Metasploit script I’ve had lying around for a few months years. When I wrote the Python prn-2-me script I also drew up the basics of a printjob MITM module for Metasploit but never managed to finish it up.

The Python version is limited in that it was designed to handle RAW print streams only… it was also really badly written (like most of my early Python stuff). The Metasploit Module I’m testing currently should also handle LPR/LPD printjobs by sitting in the middle and passing communications backwards and forwards between the client and the printer. I’ve also begun to look at implementing some IPP sniffing as well, using the same technique as LPR/LPD (streaming the data to the printer and sniffing out the printjob and Metadata).

This is still a work in progress, and handling LPR/LPD and IPP is a bit more tricky than RAW printjobs.

A couple of helpful folks have been testing out the module for me… if you want to assist please take a look at the module and see what you think (download link below). If you have any problems please do a packet capture so I can see what’s not working correctly and adapt the module. As the various printers and drivers handle things slightly differently the idea is to look at as many models as possibly (not just HP!).


Printer MITM revisited: prn-2-me

Well it’s been a while since I wrote about man in the middling printers (original post here), but I’ve not been totally ignoring the subject. After releasing the UA-Tester tool and writing a few small scripts for things like scr.im, I went back and had a look at the printer MITM topic with a mind to writing up a tool (in python obviously) to automate some of it. The result is a workable PoC tool called prn-2-me (mostly because it was late, and all creativity was long gone… sorry, no snazzy title this time!).

PRN-2-me is a simple listener that can be configured to run on any port (default is 9100 for jetdirect style connections). The tool will then save all incoming PCL and PostScript print jobs to file and forward them on to the real printer.

Now that you’ve got the print jobs saved to disk, it’s a simple task of sifting through them and seeing what nuggets of gold you’ve captured.

Postscript (PS): The simple format… you can open .ps files in most operating systems without any specialist software needed. Click and run… These files are also a LOT better quality than the PCL alternatives. If you don’t believe me just check out the samples.

Sample PS file –> HERE

PCL: Not so simple… PCL isn’t well supported when it comes to viewers. However all is not lost. There are 2 options here.

OpenPCL Viewer – Java based viewer (project can be found here)

GhostPCL  – By grabbing the source for GhostPDL you can compile PCL and/or XPS support to easily convert to other formats (project can be found here)

Example command line (example output):

pcl6 -sDEVICE=pdfwrite -sOutputFile=job_001_PCL.pdf job_001_PCL.pcl

Sample PCL file –> HERE

So, what’s next!

I’ve given up promising things on the blog, as I’ve already got a plate full of other projects waiting to start. Still, I hope to implement the same functionality into Metasploit at some point. There’s no reason why one of the capture modules couldn’t be re-written to capture printer traffic to file. If I can do it, it can’t be that complex after all 😉

The script is available for download HERE or in the tools section.

The tool is licensed under a mixture of BEERware (where you buy me beers if you like the tool) and FEEDBACKware (where you tell me how crap it is so I can make it better). Enjoy!