Hak5 Forums

TCPDump printer

qry

Has anybody been able to mitm a printer which was using a (windows) print server?

I tried running default payload 1: tcpdump to sniff traffic going to a printer.
I read the payload and saw it put the PS into transparent netmode.

Hookup:   [printer] --CAT5-->  in-[PS]-out  --CAT5--> [wall-jack-to-switch]

The printer is hardcoded to a specific IPv4 address and uses a print server for spooling.
Whenever the PS is placed inline, all systems & print-server say the printer is no longer reachable.
Confirmed by pinging the hardcoded IP of printer that it is not reachable.

PS boots up fine (blue-blinky) then starts the payload.
Even though the printer was not available, I still sent a print job,
waited, hit the PS button and connected it back to my attack platform.

The payload didn't seem to have run, as there was no "loot/tcpdump" folder created.
The fact that the printer dropped off makes me wonder about transparent mode as well.

Pretty sure there's no port-security, the other network segments don't have it.
I also tried swapping the in/out cables to the PS and rebooted it, still no success.

I suspect it's not running the right payload, maybe the wrong switch?

Refer to this image:

packet_squirrel_diagram2.png

Edited by Dave-ee Jones

Update
Bought two more packet squirrels,
updated all to firmware 1.2

Ran default payload 1 TCPdump with an NTFS-formatted USB drive.
Worked first time like a charm: LED lit up, button worked, loot folder created etc.
And the computer being MITM'd actually received a corporate DHCP IP, not the 172.16 one.

Reflashed the first PS, still won't work. Only thing I can think of is bad hardware.
Weird though, since it appears to work OK, allowing SSH into it etc.

Think about this - TCPDump sets the PS to "TRANSPARENT", meaning that the PS will not get an IP and will not serve IPs. Therefore the machine on the end of the PS chain will still get an IP from the corporate DHCP server, because that's the only thing responding. If you want the PS to serve IPs (and get an IP), you need to set it to either NAT or BRIDGE. NAT will give the machine an IP in the 172.16.32.* range (same as PS). BRIDGE will give the PS and the machine on the end IPs on the corporate network.

Hope it helps!

Edited by Dave-ee Jones

So I seem to be having this same issue. I am actually on a job right now, so this is more than frustrating. I hadn't had a chance to play with the squirrel, but I need to do a packet capture and I have no way of hopping on a monitor port or anything, so it seems the squirrel would be my best option. I cleared and formatted a 32GB USB stick to NTFS, plugged in the network client on the power side and the network on the storage side, flipped the switch to 1 and applied USB power. The PS booted (verified by the green LED), the LED on my flash drive blinked as it was being accessed, but when payload time hit I was greeted with alternating red/green/blue instead of the yellow I was hoping for. I downloaded the latest firmware and attempted an upgrade, but instead of upgrading the PS just goes into arming mode, indicated by a slow flashing blue light. I'm not sure what's going on; I can put the PS in transparent mode while SSHed in and it seems to work fine, but when running the tcpdump payload the client device is never granted network access and never gets an IP from the network.

16 hours ago, I_am_Nothing said:

So I seem to be having this same issue. I am actually on a job right now, so this is more than frustrating. I hadn't had a chance to play with the squirrel, but I need to do a packet capture and I have no way of hopping on a monitor port or anything, so it seems the squirrel would be my best option.

OK, please do not take this the wrong way. But why would you take a tool on site that you had not vetted yet? While I agree that the PS is a good option for what you're trying to do.

While you are in the PS can you see the USB drive mounted?  Have you tried a small capture without the drive inserted to verify the drive isn't causing some issue?  When trying the firmware upgrade, is it connected locally to the laptop/desktop you are using?  Have you tried a factory reset to clear everything?


Thanks for the response,

So short answer, because this tool is advertised as working "out of the box." Longer answer, because I have a van and I keep every tool I think may be useful with me at all times; some haven't even been opened yet.

I have not had the chance to do further digging yet. That being said, I had no idea I could do a capture without a drive in there; I was under the impression that the tcpdump payload was designed to fail if it did not detect a mounted drive. I was going to look for a way to force a firmware upgrade using a connected host, but so far I have just followed the instructions on the site, which are: format the drive to NTFS, copy the firmware file to the drive, plug in the drive, plug in power, watch the LEDs... which never blinked the correct pattern for a firmware upgrade; it just went into arming mode. And to specifically answer your question, it was not connected on either Ethernet port to anything. Also haven't found the factory reset instructions quite yet; like I said, I haven't had much time to look, but it was out of the box so I hope it doesn't need a factory reset straight from the factory.
