Printer Hacking 101: TryHackMe Writeup.

Ansul Kotadia
Jun 10, 2024


The room covers the most common printer hacking techniques.

Unit 1: Introduction

Attackers have taken advantage of mass printer hacking over the past few years. One example would be when one attacker hacked around 50,000 printers, printing out messages asking people to subscribe to PewDiePie. In the next task we’ll take a look at the reasons behind the success of this attack.

A sample print-out from the PewDiePie printer hacking incident

Unit 2: IPP Port

The reason behind the vulnerability that affected those 50,000 printers was simply an open IPP port.

“The Internet Printing Protocol (IPP) — is a specialized Internet protocol for communication between client devices and printers. It allows clients to submit one or more print jobs to the printer or print server, and perform tasks such as querying the status of a printer, obtaining the status of print jobs, or canceling individual print jobs.”

When an IPP port is open to the internet, it is possible for anyone to print to the printer or even transfer malicious data through it (using it as a middleman for attacks).

A recent study by VARIoT (Vulnerability and Attack Repository for IoT) showed that there are still around 80 thousand vulnerable printers open to the world. Most of them appear to run the CUPS server (which is a simple UNIX printing system).

Picture credit: Shadowserver

An open IPP port can expose a lot of sensitive information such as printer name, location, model, firmware version, or even printer wifi SSID.
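To make the exposure concrete, here is an added example (not part of the original room or writeup) that decodes an IPP Get-Printer-Attributes response and lists the sensitive attributes it discloses. The response bytes are constructed for illustration; the firmware and SSID attribute names are taken from the IANA IPP registry, not from this page.

```python
# Printer attributes the text lists as sensitive (names as in the IANA IPP registry).
SENSITIVE = {"printer-name", "printer-location", "printer-make-and-model",
             "printer-firmware-string-version", "printer-wifi-ssid"}
GROUPS = {0x01: "operation", 0x02: "job", 0x04: "printer"}

def parse_ipp(data):
    """Decode an IPP message (RFC 8010 encoding) into (status, [(group, name, value)])."""
    if len(data) < 8:                        # version(2) status(2) request-id(4)
        raise ValueError("truncated IPP header")
    status = int.from_bytes(data[2:4], "big")
    pos, group, name, attrs = 8, None, None, []

    def field():                             # 2-byte big-endian length, then the bytes
        nonlocal pos
        end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
        if pos + 2 > len(data) or end > len(data):
            raise ValueError("truncated field")
        chunk, pos = data[pos + 2:end], end
        return chunk

    while pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag == 0x03:                      # end-of-attributes-tag
            return status, attrs
        if tag < 0x10:                       # delimiter tag opens a new attribute group
            group = GROUPS.get(tag, hex(tag))
            continue
        raw_name, value = field(), field()
        if raw_name:                         # empty name: extra value of the previous attribute
            name = raw_name.decode("utf-8", "replace")
        # Values are shown as text; integer/enum values would need per-tag decoding.
        attrs.append((group, name, value.decode("utf-8", "replace")))
    raise ValueError("missing end-of-attributes tag")

def disclosed(data):                         # sensitive printer attributes in a response
    _status, attrs = parse_ipp(data)
    return {n: v for g, n, v in attrs if g == "printer" and n in SENSITIVE}

def _attr(tag, name, value):                 # encoder used only to build the sample below
    n, v = name.encode(), value.encode()
    return bytes([tag]) + len(n).to_bytes(2, "big") + n + len(v).to_bytes(2, "big") + v

# Constructed Get-Printer-Attributes response (not captured from a real device).
OP = [(0x47, "attributes-charset", "utf-8"), (0x48, "attributes-natural-language", "en")]
PR = [(0x42, "printer-name", "Example_Printer"), (0x41, "printer-location", "Lab 2, rack B"),
      (0x41, "printer-make-and-model", "Example LaserModel 100"),
      (0x44, "printer-state-reasons", "none")]
SAMPLE = (b"\x02\x00\x00\x00\x00\x00\x00\x01" + b"\x01" + b"".join(_attr(*a) for a in OP)
          + b"\x04" + b"".join(_attr(*a) for a in PR) + b"\x03")
```

Calling `disclosed(SAMPLE)` returns the name, location and model while skipping the harmless `printer-state-reasons` value, which is the split an exposure review of your own printers cares about.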

#1. What port does IPP run on?

Answer: 631

Unit 3: Targeting & Exploitation

Locating and Exploiting local network printers:

Github: https://github.com/RUB-NDS/PRET <- We’ll be using this awesome toolkit throughout this next bit!

The Printer Exploitation Toolkit is a handy tool that is used for both local targeting and exploitation.

You can install it by running the following commands:

git clone https://github.com/RUB-NDS/PRET && cd PRET
python2 -m pip install colorama pysnmp

Locating printers:

Simply running python pret.py will start an automatic printer discovery in your local network.

Discovery is also possible by running an Nmap scan on your whole network, but unfortunately, it might take longer. This is because the pret.py scan focuses on the ports on which printers communicate by default, making it immensely faster.

Sample output from pret.py discovering accessible printers

Exploiting:

Now, it is time to finally exploit the printer.

There are exactly three options you need to try when exploiting a printer using PRET:

1. ps (Postscript)

2. pjl (Printer Job Language)

3. pcl (Printer Command Language)

You need to try out all three languages just to see which one is going to be understood by the printer.

Sample Usage:

python pret.py {IP} pjl
python pret.py laserjet.lan ps
python pret.py /dev/usb/lp0 pcl

(Last option works if you have a printer connected to your computer already)

After running this command, you should get a shell-like prompt with different commands available. Run help to see them.

Various sample commands available in the different languages which printers can use to communicate

As you can see, PRET allows us to interact with the printer as if we were working with a remote directory. We can now store, delete, or add information on the printer.

(For more commands and examples read the project’s GitHub)

You can also try PRET on your own printer at home, just to test its security.

Here’s a nice cheat sheet: hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet

Questions:

#1. How would a simple printer TCP DoS attack look as a one-line command?

Answer: while true; do nc printer 9100; done

#2. Review the cheat sheet provided in the task reading above. What attack are printers often vulnerable to which involves sending more and more information until a pre-allocated buffer size is surpassed?

Answer: Buffer Overflow

#3. Connect to the printer per the instructions above. Where’s the Fox_Printer located?

Answer: Skidy’s basement

Navigate to the IP address in a browser:

http://10.10.187.170:631/

Click on the “printers” tab, and we get the location.

#4. What is the size of a test sheet?

Answer: 1k

Next, click on the Fox_Printer option, then change the drop-down menu from Maintenance to Print Test Page. The result will be as shown in the image below:

Unit 4: Conclusion

Turns out printer hacking isn’t that hard at all. The problem here arises from low awareness of these issues and multiple misconfigurations made by administrators and users.

A small research project of mine suggested that it is possible to get almost full server file access by simply exploiting the printer service running on it. A shock from this discovery motivated me to create this room and bring more attention to this.

Now, make sure you secure your printer by making it invisible to the outside internet and re-configuring administrator access.
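One way to check both points on a CUPS server, as an added example that is not part of the original room: a small audit of cupsd.conf that flags listeners bound to every interface and `<Location>` blocks opened to any address. Both configurations are constructed samples, the function name `audit_cupsd` is hypothetical, and `<Policy>` operation limits are not examined.

```python
import re

ANY_ADDR = {"*", "0.0.0.0", "[::]"}          # Listen addresses that mean "every interface"

def audit_cupsd(conf):
    """Return findings for cupsd.conf text: wide listeners and open <Location> blocks."""
    findings, loc, blocks = [], None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        opened = re.fullmatch(r"<Location\s+(\S+)>", line)
        words = line.lower().split()
        if opened:
            loc = opened.group(1)
        elif words[0] == "</location>":
            loc = None
        elif loc is not None:                # directive inside the current <Location>
            blocks.setdefault(loc, []).append(words)
        elif words[0] == "port" and len(words) > 1:
            findings.append(f"Port {words[1]}: listens on every interface")
        elif words[0] == "listen" and len(words) > 1 and words[1].rsplit(":", 1)[0] in ANY_ADDR:
            findings.append(f"Listen {words[1]}: listens on every interface")
    for loc, rules in blocks.items():
        if not any(w[0] == "allow" and w[-1] == "all" for w in rules):
            continue
        findings.append(f"<Location {loc}>: Allow all admits any client address")
        if loc.startswith("/admin") and not any(w[0] == "require" for w in rules):
            findings.append(f"<Location {loc}>: no Require line, admin pages need no login")
    return findings

# Constructed configurations: the exposed setup first, then a locked-down one.
WEAK = """Port 631
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Order allow,deny
  Allow all
</Location>
"""
HARDENED = """Listen localhost:631
<Location /admin>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>
"""
```

`audit_cupsd(WEAK)` reports the wildcard listener, both open locations and the unauthenticated admin pages; `audit_cupsd(HARDENED)` returns an empty list.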
