Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: printers

Shmoocon 2011: Printers gone wild!

Printers Gone Wild!

Ben Smith

Printers are everywhere… they are ubiquitous!

Everybody seems to ignore them. They get plugged in, and just work!

HP Basics

Listens on tcp/9100

Admin page on 80/443

Many have hard disks!

HP printers have 3 passwords

  • Web admin
  • Telnet (same as the wedadmin)
  • PJLPassword

PJLPassword can be used to lockout the console, make disks read-only etc…

PJLPassword is weak… no brute-force protections

PJL is unathenticated and widely supported, going away, but will be here for a while.

SNMP can be disabled through the Web Admin, however encoding them specially they will still answer SNMP requests over port 9100

Google search “PJL DMINFO ASCIIHEX” for more info

Overview

PJL (Printer Job Langauge)

Sets up printer for jobs

Created by HP, used in many other devices

Really old!

Fun PJL commands

  • FSUPLOAD (not an upload)
  • FSDOWNLOAD (not a download)
  • FSDIRLIST
  • FSDELETE
  • RDYMESSAGE
  • DMINFO ASCIIHEX

There’s een lots of research before (Hijetter etc…)

Bringing that into the modern environment with printFS

printFS

Python tool for covert file systems using HP printers

Distributes files over multiple printers

Uses the printer RAM disks or physical disks

Works on any supported printer via network or the internet!

All stored files are compressed/encrypted and saved using random filenames

All files are stored twice with different names and keys to improve redundancy (files in RAM disk are lost on restart)

Supports panic mode (panic) remotely reboots every device in the file table to destroy the data

pfsScanner

multithreaded scanner

Scans printers to see if necessary commands are supported to use printFS

Scans are randomized in the order that functions are run and the timing between them

Test upload files are random data and given random names

Entire scan peppered with random sleeps

pyPJL

Main support lib

Used by all tools

Implements most of the documented PJL commands

printJack

A support tool for doing nasty funny things

User interface to the PJL password cracker

Mass control panel lock/unlock

Mass RamDisk/Disk Lock/Unlock

Pass printing (toner is cheap!)

pyPJLpass

Support class for printjack

Brute-forces all possible password combinations in about 2 hours (single thread)

So now it’s threaded to check multiple printers… all communicate together until one valid password is found (password reuse)

Other fun stuff to do to PJL

  • Mass reboot loop
  • Mass connect to port 9100 and remain connected (blocking)
  • Animated LCD messages
  • SE LCD messages (please call xxxxx)
  • Mass disk lock
  • Mass printing
  • Mass control panel locking

Limitations

Can only upload files form the directory you are running printFS from

Known issue where some printers won’t respond to pfsScanner if they’re offline

To ensure that printers can still print when being scanned, dynamic class is used (generating huge traffic)

Code Release

Remote-exploit.org will receive it within the next week

Links:

  • Shmoocon Schedule –> HERE
  • Talk synopsis –> HERE
  • HP PML faq –> HERE
Advertisements

Shmoocon 2011: Printer to Pwnd

 

Printer to PWND: Leveraging Multifunction Printers During Penetration Testing

(Deral Heiland “PercX” and Pete Arzamendi “Bokojan”)

History of printers

1969 – Xerox creates the first printer
March 1991 – HP LaserJet IIISi, the worlds first networked printer
1987 – Xerox Printer 100, the first multifunction printer
MFP functions and features
Looking for features that can be exploited to assist in penetration testing
  • Email
    • Server Settings
    • Address Book
  • Fax
    • Inbound/Outbound
  • Scanning
    • SMB Authentication
      • System
      • Users
    • FTP
  • LDAP
    • Access credentials
  • Logging
    • Usernames
  • Remote retrieval of print/fax/scan
Systems looked at in this presentation .:
  • Example system: Toshiba
Various settings when accessing the HTTP interface, including access to view credentials and system/network settings
  • Example system: Canon imageRUNNER
Ability to configure things like LDAP, as well as exporting settings to make things easier to rollout across systems!
  • Example system: HP Colour LaserJet CP4005
Tracks individual usernames of people printing
Uses LDAP for validation and to fill in address books etc…
Ability to clone device for ease of creating multiple printers. Export for settings!

MFP flaws and vulnerabilities

Security Bypass
Despite a large number of systems being configured to use default accounts.
If the password isn’t default you can bypass the system by insert an addition / into the URL at which point you can directly call Administrative functions.
HP Offiejet has a similar issue where directly calling a page=faxaddr results in a username/password prompt. Changing the URL to add an additional page=xxx to the URL (e.g. page=xxx&page=faxaddr the username/password prompt is avoided and access is granted.
Canon imageRUNNER. Altering the ACL=1 parameter grants a bypass on several models depending on firmware.
A lot of system seem to have these kind (forced browsing) type flaws.
Xerox supports a clone device function. http://target:8080/cloning.dlm
If a clone has been made of this machine, you can directly access the clone copy without requiring username/password.
The format is encrypted in most cases. Currently under investigation.
Extracting settings
The Canon supports exporting of settings. As you’d expect this shows usernames and settings. However (depending on configuration) these exports also include clear-text passwords.
Information Leaks
Many printers within the administrative console, hide passwords using *****, however the password is present in clear text within the HTML source!

Leveraging MFP during penetration testing

Example 1
Leveraging HP to gain domain access
  • HP Colour LaserJet CP4025
  • Extract users’ names from colour job log
  • User with weak password
  • Access to workstation
  • Domain Admin token
Total compromise of the environment through information disclosure on an MFP device
Example 2
Leveraging Toshiba to get payroll data
  • Toshiba e-Studio
  • Extract password from scan-to-file function
  • Gain access to AD domain
  • Gain access to a number of folders/shares/files
  • Access to one special file share “Payroll Backup”

Access to scanned records and payroll backups (SQL DB dumps)

Further access was possible through password re-use (ended in total Domain Admin access)

Example 3
Leveraging Canon to gain domain controller access
  • Canon imageRUNNER
  • Extract LDAP settings
  • Enumerate domain user info
  • Remote Desktop access to all server
Example4
Leveraging fax to pwn the network
  • OfficeBridge – Fax System
  • First device we found credentials stored on
  • Extract password from LDAP (Base64 encoded)
  • Account was Domain Admin account

Workflow for attacking/testing printers

Development of an auto-harvesting tool ‘PRAEDA’

Designed to automate some of the information gathering from network appliances through web-management interfaces
  • printers
  • network appliances
Written in PERL (currently in BETA)
Goal was to create a simplistic tool that was modular
Has modules for the examples discussed and others.
Currently enumerated about a dozen different models of printers using Title page and Server type responses from the printer management page.
Currently researching encryption methods used by some vendors for backup and clone processes (HP / Xerox)
Looking to migrate code to Ruby – early stages are already in progress
Currently not multi-threaded, but it will be!

Conclusions

This tool has already been used in active penetration tests, but needs community support to implement new modules.
There is a mailing-list to discuss this and the Foofus.net tools (http://lists.foofus.net)
Currently looking for feedback on DELL printers!

Prevention:

  • Change password from default
  • Isolate printers on a VLAN
  • Patch printers when new software is available
  • Use accounts with limited access (write only)

Links:

Printer MITM revisited: prn-2-me

Well it’s been a while since I wrote about man in the middling printers (original post here), but I’ve not been totally ignoring the subject. After releasing the UA-Tester tool and writing a few small scripts for things like scr.im, I went back and had a look at the printer MITM topic with a mind to writing up a tool (in python obviously) to automate some of it. The result is a workable PoC tool called prn-2-me (mostly because it was late, and all creativity was long gone… sorry, no snazzy title this time!).

PRN-2-me is a simple listener that can be configured to run on any port (default is 9100 for jetdirect style connections). The tool will then save all incoming PCL and PostScript print jobs to file and forward them on to the real printer.

Now that you’ve got the print jobs saved to disk, it’s a simple task of sifting through them and seeing what nuggets of gold you’ve captured.

Postscript (PS): The simple format… you can open .ps files in most operating systems without any specialist software needed. Click and run… These files are also a LOT better quality than the PCL alternatives. If you don’t believe me just check out the samples.

Sample PS file –> HERE

PCL: Not so simple… PCL isn’t well supported when it comes to viewers. However all is not lost. There are 2 options here.

OpenPCL Viewer – Java based viewer (project can be found here)

GhostPCL  – By grabbing the source for GhostPDL you can compile PCL and/or XPS support to easily convert to other formats (project can be found here)

Example command line (example output):

pcl6 -sDEVICE=pdfwrite -sOutputFile=job_001_PCL.pdf job_001_PCL.pcl

Sample PCL file –> HERE

So, what’s next!

I’ve given up promising things on the blog, as I’ve already got a plate full of other projects waiting to start. Still, I hope to implement the same functionality into Metasploit at some point. There’s no reason why one of the capture modules couldn’t be re-written to capture printer traffic to file. If I can do it, it can’t be that complex after all 😉

The script is available for download HERE or in the tools section.

The tool is licensed under a mixture of BEERware (where you buy me beers if you like the tool) and FEEDBACKware (where you tell me how crap it is so I can make it better). Enjoy!

 

Man in the Middling Printers

This one has been rattling around in my head for a while, and since I’ve found myself with a few spare minutes, it’s time I wrote it up for your enjoyment and mine. This is certainly nothing new, but its one of those things that people seem to discount when performing penetration testing. After all, printers aren’t really cool anymore.

MITM attacks are often talked about together with credential stealing or traffic manipulation (inserting javascript into http streams). The new tool from Inguardians (the Middler) is a prime example of where the focus is right now. Although the middler was designed as a tool for performing attacks on all kinds of protocols, the examples provided with the alpha all focus on http(s) traffic. However what I want to talk about was using MITM attacks to steal confidential data in the form of print jobs.

When it comes to stealing data, most of the time you’re going to need a valid username/password to gain access. Sure you can exploit systems, use pass the hash or go the social engineering route, but you’re going to need access. However in this day and age of the failed paperless office, why go to those lengths when you can just steal the documents straight from the print queue. We all know how to perform ARP or DNS poisoning  to insert a system into the flow of traffic, but with printers this job can be made so much easier due to the overall lack of security on print devices.

There are four easy methods for stealing print jobs that spring to mind, other than using standard ARP or DNS spoofing attacks.

  1. Physical access – A majority of printers offer unprotected access to the menu. Through physical access you can change the printers IP address and assume the original for yourself.
  2. Telnet access – Not seen so often in modern printers, but can give you complete access if the passwords are blank or left at default. Again, reset the IP address and assume the original.
  3. Webserver access – Most modern printers offer a web interface for easy configuration. Brute-Force is an option here as they rarely enforce lockouts or use domain credentials. Again, reset the IP address and assume the original.
  4. Denial of Service – Crude but effective. This isn’t really a MITM attack, as you’d not be able to forward on the print job. Just drop the printer off the network (turn it off if you have to) and steal it’s IP.

Once you’ve gained access and stolen the IP address of the remote printer, there are a couple of ways to steal the print jobs. I started off by playing about with netcat using a simple netcat relay (and using tcpdump to copy the traffic).

mknod backpipe p
nc -l -p 9100 0<backpipe | nc <new printer ip> 9100 0>backpipe

The problem with this is that it would work on the first print job and then lockup. This is because the netcat relay would make the connection and leave it running. All subsequent print jobs would fail. Back to the drawing board.

My second attempt included the -w1 timeout for the second half of the netcat relay . This forces the connection to be dropped after 1 second of inactivity. This worked a little better but still not perfectly. I also threw in tee to prevent having to use tcpdump to capture the traffic (-a sets append).

mknod backpipe p
nc -l -p 9100 0<backpipe | tee -a capture.out | nc <new printer ip> -w1 9100 0>backpipe

The best results came from using the above command in a loop. I wrote a small bash script to do this. This is something to play with (your mileage may vary).

#!/bin/bash
i=1
PRNIP=10.10.10.10

while true; do
echo “Print jobs captured = $i”
nc -l -p 9100 0<backpipe | tee -a capture-$i.out | nc $PRNIP -w1 9100 0>backpipe
i=$i+1
done

As an alternative to netcat I also tested the use of iptables to perform a prerouting of the traffic.

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F

iptables -t nat -F

iptables -X

iptables -t nat -A PREROUTING -p tcp — dport 9100 -j DNAT –to-destination <new printer ip>

The problem I can see here is that PREROUTING is performed before any of the traffic will be visible to TCPDUMP. So although we’re routing all the traffic to the printer, we can’t dump any of the print jobs. I’m no iptables expert by any stretch of the imagination. So maybe there is a way to do this easily without extra tools. I’ll have to try playing with the mangling rules and see if I can get some better results with iptables.