Jump to content
Just_a_User

PacketSquirrel + Printer Exploitation Toolkit

Recommended Posts

Since getting a PacketSquirrel and learning that it would be great to drop behind amongst other things printers it got me thinking. The PacketSquirrel already has some solid tools installed as default but figured PRET (Printer Exploitation Toolkit) would be a nice addition.

Info on PRET https://github.com/RUB-NDS/PRET Recent Blackhat presentation https://www.blackhat.com/docs/us-17/thursday/us-17-Mueller-Exploiting-Network-Printers.pdf

Other printer attack info http://hacking-printers.net/wiki/index.php/Main_Page

known vulnerable printer databases here https://github.com/RUB-NDS/PRET/tree/master/db Mine wasn't in the db but worked with pcl so I'm sure others will work also.

After some challenges squeezing it onto the PocketSquirrel without going full extroot I think I figured it out on the default squirrel build. I tried adding /mnt as a opkg destination and using links and then pip etc... but in the end manual install of python modules seems to have the lowest footprint. After install still leaving the PacketSquirrel with 55% of unused rootfs .

I'm not 100% sure if this can be "payloaded" but at least for remote SSH access its a nice tool to have. My problem now is the printer I borrowed uses PCL and that in itself is quite restrictive in what can be done with PRET, so im kinda out of my testing limit and need other targets to test against so I'm sharing it here for others to try.

The install method I used in the end was to plug my USB drive into my laptop and git cloned each of the following to the drive.

https://github.com/RUB-NDS/PRET

https://github.com/etingof/pysnmp

https://github.com/etingof/pysmi

https://github.com/etingof/pyasn1

https://github.com/tartley/colorama

Once cloned unplug safely and replug back into your squirrel. Then EXCLUDING PRET, go into each dir and use python to install the modules  "python setup.py install' afterwards you should then be able to run PRET and use its tools from the squirrel directly.

image.png.4cf79b3705c6cfc9547242571159dc08.png

 

Edited by Just_a_User
added presentation info
  • Like 3

Share this post


Link to post
Share on other sites

On this topic, check out the LPR and DIPRINT protocols. With the tcpdump payload between a network printer and the rest of the LAN you'd be able to reassemble the print job. You'd be best to filter for just ports 515 and 9100. 

Here's some reading on it: 

http://rfg-esource.ricoh-usa.com/oracle/groups/public/documents/communication/rfg042515.pdf
https://ask.wireshark.org/questions/27981/how-to-get-lpd-data-content
https://www.backtrack-linux.org/forums/showthread.php?t=34435

  • Like 3

Share this post


Link to post
Share on other sites

I've messed with PRET in the past.  It is all python.  I would say if the dependencies are met (which I believe they are all in python core) then it should work if PS has same dependencies in its core.  You could make it an ssh console but it being python you could look through the main module to see how it uses its sub modules and incorporate that into your own interface to use.

Hey @Dave-ee Jones , why don't you see how this can be incorporated as a module into that Wrt web interface you made?  Would be great as a starter module to get a feel on how users can create their own modules for your system if you are going that way.  :-)

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...