Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


Update: Since this Python script was released, I’ve rewritten the logic as a Metasploit module, which can be found in the Metasploit trunk (information on the module can be found HERE).

PRN-2-me is a simple listener that can be configured to run on any port (the default is 9100, for JetDirect-style connections). The tool saves all incoming PCL and PostScript print jobs to file and forwards them on to the real printer.

Now that you’ve got the print jobs saved to disk, it’s a simple task of sifting through them and seeing what nuggets of gold you’ve captured.

PostScript (PS): The simple format… you can open .ps files in most operating systems without any specialist software. Click and run… These files are also a LOT better quality than the PCL alternatives. If you don’t believe me, just check out the samples.

Sample PS file –> HERE

PCL: Not so simple… PCL isn’t well supported when it comes to viewers. However all is not lost. There are 2 options here.

OpenPCL Viewer – Java based viewer (project can be found here)

GhostPCL  – By grabbing the source for GhostPDL you can compile PCL and/or XPS support to easily convert to other formats (project can be found here)

Example command line (example output):

pcl6 -sDEVICE=pdfwrite -sOutputFile=job_001_PCL.pdf job_001_PCL.pcl

Sample PCL file –> HERE
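Before choosing between a PostScript viewer and pcl6, it helps to know which language a saved job actually contains. The following is an added example, not part of PRN-2-me or the Metasploit module: it reads the PJL header and the first bytes of the stream to label a job. The function name, the extension mapping and the sample jobs are assumptions constructed for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # PJL "Universal Exit Language" marker that opens many jobs

def classify_print_job(data: bytes) -> dict:
    """Identify the page description language of one saved raw print job."""
    pjl, body = [], data
    if body.startswith(UEL):
        body = body[len(UEL):]
        # PJL header: consecutive lines starting with @PJL, ended by LF or CR LF
        while body.startswith(b"@PJL"):
            line, _, body = body.partition(b"\n")
            pjl.append(line.rstrip(b"\r").decode("ascii", "replace"))
    language = "unknown"
    for line in pjl:  # an explicit ENTER LANGUAGE statement wins over sniffing
        m = re.match(r"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)", line, re.I)
        if m:
            language = m.group(1).upper()
    if language == "unknown":
        head = body.lstrip(b"\x04\r\n ")  # PostScript is often preceded by Ctrl-D
        if head.startswith(b"%!"):
            language = "POSTSCRIPT"
        elif head.startswith(b") HP-PCL XL"):  # PCL XL (PCL 6) stream header
            language = "PCLXL"
        elif head.startswith(b"\x1b"):  # PCL 5 escape sequence, usually ESC E
            language = "PCL"
    # Extension mapping is this example's own convention (assumption)
    ext = {"POSTSCRIPT": ".ps", "PCL": ".pcl", "PCLXL": ".pcl"}.get(language, ".bin")
    return {"language": language, "extension": ext, "pjl": pjl}

# Constructed sample jobs (not real captures)
SAMPLE_PCL = (UEL + b'@PJL JOB NAME="constructed-report"\r\n'
              b"@PJL ENTER LANGUAGE=PCL\r\n\x1bE\x1b&l0OHello\x1bE" + UEL)
SAMPLE_PS = b"\x04%!PS-Adobe-3.0\n%%Title: constructed\nshowpage\n"
SAMPLE_XL = UEL + b"@PJL SET COPIES=1\r\n) HP-PCL XL;2;0;Comment constructed\n"

if __name__ == "__main__":
    for name, job in [("pcl", SAMPLE_PCL), ("ps", SAMPLE_PS), ("xl", SAMPLE_XL)]:
        print(name, classify_print_job(job))
```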

So, what’s next!

The script is available for download HERE.

The tool is licensed under a mixture of BEERware (where you buy me beers if you like the tool) and FEEDBACKware (where you tell me how crap it is so I can make it better). Enjoy!

9 responses to “PRN-2-ME”

  1. Jay October 4, 2012 at 15:44

    Though I just got word of this tool and didn’t get a chance to play with it in the office, I’m curious as to why would an innocent user’s computer choose to use my ip address instead of the real printer’s ip address to send print jobs to.

  2. ChrisJohnRiley October 4, 2012 at 16:01

    Getting people to print to your IP isn’t really the goal. A couple of examples (other than physical access to the printer or client): ARP spoofing, DNS spoofing (if printing to a DNS name and not direct to an IP address)… anything where you can perform a MITM attack on a client you can apply to perform a MITM on print jobs as well.

    FYI: There’s now a Metasploit module that does the same (and a few bits more)
    –> https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/capture/printjob_capture.rb

  3. Jay October 5, 2012 at 11:40

    I didn’t read it thoroughly and for some reason I thought that the tool would actually broadcast itself somehow and trick clients into believing it’s “the real printer” without having to MITM. If using MITM, can’t you do the same thing by dumping the files via any packet capturing software? (Note: I’m not trying to say that having a tool that automatically dumps the print jobs to PS files isn’t cool. Just trying to get a clearer image.)

  4. Neeraj Kumar (@bundlexec) August 12, 2014 at 13:10

    Any similar solution for the EPSON TM-T88 printer, which uses the IPP protocol? Is it possible to get the solution in JavaScript using Node.js or Java? If not possible, then can we modify the same for the EPSON TM-T88 printer?
