I was recently engaged on a pentest and came across a “butt-ton” (over 50) of printers on a client’s network. In addition, I had little to no experience exploiting printer vulnerabilities. So, I decided to do some research to see what tools or scripts were available to aid with exploitation of a printer.
During my research, I discovered the PRET (Printer Exploitation Toolkit) GitHub site, managed by Ruhr University Bochum. PRET is a toolkit that tests printer security via a network or USB connection. One of the many capabilities contained within the toolkit was the ability to traverse a vulnerable printer to find cached documents. A detailed list of the additional capabilities can be found at the Hacking Printers Wiki.
After following the installation instructions for PRET, I launched the toolkit and connected to the target using the PJL printer language. It should be noted that PRET utilizes TCP port 9100 when connecting over the network.
Once connected, I noticed that the commands within the shell were very similar to Linux. So, I issued a pwd to determine the current working directory and then ls to view the contents.
Note: the printers that had updated firmware and patching did not return any data when listing its contents.
Next, I used the traversal command to see if I could set the path to the root directory or at least to a sub-level.
After successfully setting the traversal path, I reviewed the contents of the Jobs directory, where there appeared to be cached content.
Examining one of the cached directories a little closer, I noticed a file named ThumbNail.jpg.
Next, I used the get command to download the ThumbNail.jpg to my local system for further review.
Unfortunately, I was not at liberty to reveal the actual contents of the ThumbNail.jpg file due to the sensitivity of the contents contained within the file. However, I learned that the cached file was from a scanned image that occurred several days prior to the exploitation of the target.
In continuing my exploration of the target, I used the find command with no arguments. This command returned all data that was available within the path, including other cached documents not contained within the Jobs directory.
From a mitigation standpoint, there are probably numerous ways to secure the device and its content on the network. I thought of three possible solutions:
· Patch Management
· Network ACLs
· Power Cycle
Patch management of the printer(s) should be scheduled and implemented during routine maintenance windows. Too often a printer is overlooked as a possible attack vector, and many in IT treat these devices with a plug-and-play mentality.
Set up a network ACL (Access Control List) for devices utilizing the printer. It may be wise to limit access over the network to those devices/individuals that routinely deal with sensitive data (legal, HR, etc.), especially since tools like PRET can connect to a printer over TCP port 9100.
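An ACL is only as good as the monitoring that confirms it holds. The following is an added example (not from the original post and not part of PRET) showing the detection side of the ACL recommendation: it parses constructed firewall/flow log lines and flags any TCP connection to a printer service port from a source outside a hypothetical allowlist. The allowlist subnets, the log format and the log lines themselves are all assumptions constructed for this example; port 9100 is the one the post names for PRET, and LPD (515) and IPP (631) are included because an ACL that only closes 9100 leaves the other common printer services reachable.

```python
import ipaddress
import re
from dataclasses import dataclass

# Printer service ports that an ACL for printers should cover. 9100 (raw/PJL) is
# the port PRET uses; 515 (LPD) and 631 (IPP) are the other common print paths.
PRINTER_PORTS = {9100: "raw/PJL", 515: "LPD", 631: "IPP"}

# Hypothetical allowlist (constructed for this example): subnets for the groups
# that routinely handle sensitive documents, plus the print server.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.20.0/24"),  # legal (assumed)
    ipaddress.ip_network("10.10.30.0/24"),  # HR (assumed)
    ipaddress.ip_network("10.10.1.5/32"),   # print server (assumed)
]

# Constructed log lines in a simplified firewall/flow format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2024-05-01T09:12:01Z TCP 10.10.20.15:51234 -> 10.10.50.7:9100 ALLOW
2024-05-01T09:12:07Z TCP 10.10.99.42:40022 -> 10.10.50.7:9100 ALLOW
2024-05-01T09:13:44Z TCP 10.10.99.42:40031 -> 10.10.50.8:631 ALLOW
2024-05-01T09:15:02Z TCP 10.10.30.3:52111 -> 10.10.50.7:9100 ALLOW
2024-05-01T09:16:10Z TCP 10.10.99.42:40040 -> 10.10.50.9:515 ALLOW
2024-05-01T09:17:00Z UDP 10.10.99.42:5353 -> 224.0.0.251:5353 ALLOW
2024-05-01T09:18:30Z TCP 10.10.60.8:33333 -> 10.10.50.7:443 ALLOW
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    printer: str
    port: int
    service: str


def is_allowed(src_ip, allowed=ALLOWED_SOURCES):
    """True if the source address falls inside one of the allowlisted subnets."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_printer_access(log_text, allowed=ALLOWED_SOURCES):
    """Return a Finding for every TCP connection to a printer port whose source
    is outside the allowlist. Non-TCP traffic, non-printer ports and
    unparseable lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        dport = int(rec["dport"])
        if dport not in PRINTER_PORTS or is_allowed(rec["src"], allowed):
            continue
        findings.append(
            Finding(rec["ts"], rec["src"], rec["dst"], dport, PRINTER_PORTS[dport])
        )
    return findings


def summarize_by_source(findings):
    """Count findings per source address, which is what an analyst triages first."""
    counts = {}
    for f in findings:
        counts[f.source] = counts.get(f.source, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unexpected_printer_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.source} -> {h.printer}:{h.port} ({h.service})")
    print("per-source counts:", summarize_by_source(hits))
```

On the constructed sample, the two allowlisted sources (legal and HR subnets) are accepted, while 10.10.99.42 is reported three times: once each on 9100, 631 and 515. A real deployment would feed exported firewall or NetFlow records into the same logic and alert on any non-empty result; one host touching several printer ports in a short window is the pattern a PRET-style enumeration would leave behind.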
For the extra cautious, or when the environment is not well understood, power cycle the printer. The power cycle (reboot) should clear out the cached content and put one's mind at ease, at least temporarily.
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.