Cатсн²² (in)sесuяitу / ChrisJohnRiley
Because we're damned if we do, and we're damned if we don't!
Update: Since this Python script was released I’ve rewritten the logic as a Metasploit module which can be found in the Metasploit trunk (information on the module can be found HERE)
PRN-2-me is a simple listener that can be configured to run on any port (the default is 9100, for JetDirect-style connections). The tool saves all incoming PCL and PostScript print jobs to file and forwards them on to the real printer.
Now that you’ve got the print jobs saved to disk, it’s a simple task of sifting through them and seeing what nuggets of gold you’ve captured.
PostScript (PS): The simple format… you can open .ps files on most operating systems without any specialist software. Click and run… These files are also a LOT better quality than the PCL alternatives. If you don’t believe me, just check out the samples.
Sample PS file –> HERE
PCL: Not so simple… PCL isn’t well supported when it comes to viewers. However, all is not lost. There are two options here.
OpenPCL Viewer – Java based viewer (project can be found here)
GhostPCL – By grabbing the source for GhostPDL you can compile PCL and/or XPS support to easily convert to other formats (project can be found here)
Example command line (example output):
pcl6 -sDEVICE=pdfwrite -sOutputFile=job_001_PCL.pdf job_001_PCL.pcl
Sample PCL file –> HERE
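As an added example (not part of the original post or of the PRN-2-me script itself), here is a small Python triage helper for the sifting step: it strips the PJL wrapper that most printer drivers put around a job, pulls out the PJL metadata (job name, username, requested language), identifies the payload as PostScript or PCL from the markers discussed above (the `%!PS` header versus the leading ESC sequences of PCL), and proposes a filename in the `job_001_PCL.pcl` style used by the conversion command. The sample jobs are constructed for this example, the PJL keys it looks for (`JOB NAME`, `SET USERNAME`, `ENTER LANGUAGE`) are the common ones, and the function names are this example's own, not the tool's.

```python
import re
from dataclasses import dataclass, field

# Markers that open the job flavours a port-9100 listener sees.
UEL = b"\x1b%-12345X"      # PJL Universal Exit Language; wraps most Windows driver output
PS_MAGIC = b"%!PS"         # PostScript header comment
PCL_ESC = b"\x1b"          # PCL is a stream of ESC sequences, usually opening with ESC E (reset)

EXTENSIONS = {"PostScript": ("PS", "ps"), "PCL": ("PCL", "pcl"), "unknown": ("UNK", "bin")}


@dataclass
class PrintJob:
    fmt: str                                 # "PostScript", "PCL" or "unknown"
    pjl: dict = field(default_factory=dict)  # PJL metadata (JOB NAME, USERNAME, ...)
    payload: bytes = b""                     # page-description data with the PJL wrapper removed


def parse_pjl_header(job: bytes):
    """Split a raw job into (pjl_dict, payload).

    PJL lines such as '@PJL SET USERNAME="alice"' or '@PJL ENTER LANGUAGE=PCL'
    sit between the leading UEL and the payload; the first non-PJL line ends
    the header. A trailing 'UEL @PJL EOJ ...' block is dropped as well."""
    pjl = {}
    body = job[len(UEL):] if job.startswith(UEL) else job
    while body.startswith(b"@PJL"):
        line, _, body = body.partition(b"\n")
        m = re.match(rb"@PJL\s+(\w+)\s*(.*)$", line.strip())
        if not m:
            continue
        cmd, args = m.group(1).upper().decode(), m.group(2).decode("latin-1")
        # SET X=Y, JOB NAME=Y and ENTER LANGUAGE=Y each carry one KEY=VALUE pair
        kv = re.match(r'(\w+)\s*=\s*"?([^"]*)"?', args)
        if kv:
            key = kv.group(1).upper() if cmd in ("SET", "DEFAULT") else f"{cmd} {kv.group(1).upper()}"
            pjl[key] = kv.group(2)
        elif cmd == "COMMENT":
            pjl.setdefault("COMMENT", []).append(args)
    tail = body.rfind(UEL + b"@PJL EOJ")
    if tail != -1:
        body = body[:tail]
    return pjl, body


def detect_format(pjl: dict, payload: bytes) -> str:
    """Prefer the language the PJL header announced; fall back to sniffing the payload."""
    lang = pjl.get("ENTER LANGUAGE", "").upper()
    if lang.startswith("POSTSCRIPT") or payload.lstrip().startswith(PS_MAGIC):
        return "PostScript"
    if lang.startswith("PCL") or payload.startswith(PCL_ESC):   # also covers PCLXL
        return "PCL"
    return "unknown"


def classify(job: bytes) -> PrintJob:
    pjl, payload = parse_pjl_header(job)
    return PrintJob(fmt=detect_format(pjl, payload), pjl=pjl, payload=payload)


def suggested_filename(index: int, fmt: str) -> str:
    """job_001_PCL.pcl style, so the pcl6 / viewer step can be scripted over a directory."""
    tag, ext = EXTENSIONS.get(fmt, EXTENSIONS["unknown"])
    return f"job_{index:03d}_{tag}.{ext}"


# Constructed sample jobs (not real captures): a PJL-wrapped PCL job, a bare
# PostScript job, and something that is not a print job at all.
SAMPLE_PCL = (UEL + b"@PJL JOB NAME=\"Q3 budget.xlsx\"\r\n"
              b"@PJL SET USERNAME=\"alice\"\r\n"
              b"@PJL ENTER LANGUAGE=PCL\r\n"
              b"\x1bE\x1b&l1O\x1b(s0p12h0s0b4099TQuarterly figures\x0c\x1bE"
              + UEL + b"@PJL EOJ\r\n" + UEL)
SAMPLE_PS = (b"%!PS-Adobe-3.0\n%%Title: memo.txt\n"
             b"/Helvetica findfont 12 scalefont setfont\n72 700 moveto (Hello) show\nshowpage\n")
SAMPLE_JUNK = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for i, raw in enumerate((SAMPLE_PCL, SAMPLE_PS, SAMPLE_JUNK), start=1):
        job = classify(raw)
        print(suggested_filename(i, job.fmt), job.fmt, job.pjl, len(job.payload), "bytes")
```

In use, each captured job would be run through `classify()` and written to `suggested_filename()`; the PJL metadata is worth logging alongside the file because it tells you which client and document a job belongs to before you open a single page, and the `unknown` bucket is where port scanners and stray HTTP requests hitting the listener end up.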
So, what’s next!
The script is available for download HERE.
The tool is licensed under a mixture of BEERware (where you buy me beers if you like the tool) and FEEDBACKware (where you tell me how crap it is so I can make it better). Enjoy!
Though I just got word of this tool and didn’t get a chance to play with it in the office, I’m curious as to why an innocent user’s computer would choose to use my IP address instead of the real printer’s IP address to send print jobs to.
Getting people to print to your IP isn’t really the goal. A couple of examples (other than physical access to the printer or client): ARP spoofing, DNS spoofing (if printing to a DNS name and not directly to an IP address)… anything you can use to perform a MITM attack on a client can be applied to perform a MITM on print jobs as well.
FYI: There’s now a Metasploit module that does the same (and a few bits more)
I didn’t read it thoroughly and for some reason I thought that the tool would actually broadcast itself somehow and trick clients into believing it’s “the real printer” without having to MITM. If using MITM can’t you do the same thing by dumping the files via any packet capturing software (note: I’m not trying to say that having a tool that automatically dumps the print jobs to PS files isn’t cool. Just trying to get a clearer image) ?