qry Posted April 13, 2018

Has anybody been able to mitm a printer which was using a (Windows) print server? I tried running default payload 1: tcpdump to sniff traffic going to a printer. I read the payload and saw it put the PS into transparent netmode.

Hookup: [printer] --CAT5--> in-[PS]-out --CAT5--> [wall-jack-to-switch]

The printer is hardcoded to a specific IPv4 address and uses a print server for spooling. Whenever the PS is placed inline, all systems & print-server say the printer is no longer reachable. Confirmed by pinging the hardcoded IP of the printer that it is not reachable.

PS boots up fine (blue-blinky) then starts the payload. Even though the printer's not available, I still sent a print job, waited, hit the PS button and connected it back to my attack platform. The payload didn't seem to have run, as there was no "loot/tcpdump" folder created. The fact the printer dropped off makes me wonder about transparent mode as well.

Pretty sure there's no port-security, the other network segments don't have it. I also tried swapping the in/out cables to the PS and rebooted it, still no success.

Dave-ee Jones Posted April 16, 2018

I suspect it's not running the right payload, maybe the wrong switch? Refer to this image:

qry (Author) Posted April 25, 2018

Update: Bought two more Packet Squirrels, updated all to firmware 1.2. Ran default payload 1 TCPdump with NTFS formatted USB drive. Worked first time like a charm, LED lit up, button worked, loot folder created etc. And the computer being mitm actually received a corporate DHCP IP, not the 172.16 one.

Reflashed the first PS, still won't work. Only thing I can think of is bad hardware. Weird though, since it appears to work ok, allowing SSH into it etc.

Dave-ee Jones Posted April 26, 2018

Think about this - TCPDump sets the PS to "TRANSPARENT", meaning that the PS will not get an IP and will not serve IPs. Therefore the machine on the end of the PS chain will still get an IP from the corporate DHCP server, because that's the only thing responding.

If you want the PS to serve IPs (and get an IP), you need to set it to either NAT or BRIDGE. NAT will give the machine an IP in the 172.16.32.* range (same as PS). BRIDGE will give the PS and the machine on the end IPs on the corporate network.

Hope it helps!

I_am_Nothing Posted July 19, 2018

So I seem to be having this same issue. I am actually on a job right now, so this is more than frustrating. I hadn't had a chance to play with the squirrel, but I need to do a packet capture and I have no way of hopping on a monitor port or anything, so it seems the squirrel would be my best option.

I cleared and formatted a 32GB USB stick to NTFS, plugged in the network client on the power side and the network on the storage side, flipped the switch to 1 and applied USB power. The PS booted, verified by green LED, and the LED on my flash drive blinked as it was being accessed, but when payload time hit I was greeted with alternating Red Green Blue instead of the yellow I was hoping for.

I downloaded the latest firmware and attempted an upgrade, but instead of upgrading, the PS just goes into arming mode, indicated by a slow flashing blue light. I'm not sure what's going on. I can put the PS in transparent mode while SSHed in and it seems to work fine, but when running the tcpdump payload the client device is never granted network access and never gets an IP from the network.

I_am_Nothing Posted July 19, 2018

It also will not accept a firmware upgrade.

korang Posted July 20, 2018

16 hours ago, I_am_Nothing said:

> So I seem to be having this same issue. I am actually on a job right now, so this is more than frustrating. I hadn't had a chance to play with the squirrel, but I need to do a packet capture and I have no way of hopping on a monitor port or anything, so it seems the squirrel would be my best option.

OK, please do not take this the wrong way. But why would you take a tool on site that you had not vetted yet? While I agree the PS is a good option for what you're trying to do.

While you are in the PS, can you see the USB drive mounted? Have you tried a small capture without the drive inserted to verify the drive isn't causing some issue? When trying the firmware upgrade, is it connected locally to the laptop/desktop you are using? Have you tried a factory reset to clear everything?
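
korang's first check (is the USB drive actually mounted, and can anything be written to it) as a small script to run over SSH, an added example that is not part of the thread or of the device's own payloads. The `/mnt` mount point in the usage comment, the list of internal filesystem types and all function names are assumptions; only the `loot/tcpdump` folder name comes from the thread.

```shell
#!/bin/sh
# Added example: storage pre-flight checks before relying on a capture-to-USB payload.
# Usage on the device (mount point is an assumption, adjust as needed):
#   preflight /proc/mounts /mnt /mnt/loot/tcpdump

# Print the filesystem type mounted at $2, reading a mounts table in
# /proc/mounts format from file $1. Returns 1 if nothing is mounted there.
# When several entries share the mount point, the last (topmost) one wins.
mounted_fstype() {
    awk -v mp="$2" '$2 == mp { t = $3 }
        END { if (t == "") exit 1; print t }' "$1"
}

# Succeed only if a file can really be created in directory $1.
# This catches read-only mounts and full or failing drives.
dir_writable() {
    probe="$1/.preflight.$$"
    mkdir -p "$1" 2>/dev/null || return 1
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# Combine the checks and print one status:
#   NO_STORAGE       nothing mounted at the mount point (or only an internal fs)
#   READ_ONLY        mounted, but the loot directory cannot be written
#   READY <fstype>   storage is mounted and writable
preflight() {
    pf_mounts=$1; pf_mp=$2; pf_loot=$3
    pf_type=$(mounted_fstype "$pf_mounts" "$pf_mp") || { echo NO_STORAGE; return 1; }
    case "$pf_type" in
        # Internal filesystems mean the USB drive itself is not what is mounted.
        rootfs|tmpfs|overlay|overlayfs|jffs2|squashfs)
            echo NO_STORAGE; return 1 ;;
    esac
    dir_writable "$pf_loot" || { echo READ_ONLY; return 1; }
    echo "READY $pf_type"
}
```

An NTFS drive may be reported as `ntfs` or, when mounted through a FUSE driver, as `fuseblk`; the script accepts either and only reports what it finds.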

I_am_Nothing Posted July 23, 2018

Thanks for the respone,

So short answer, because this tool is advertised as working "out of the box." Longer answer, because I have a van and I keep every tool I think may be useful with me at all times, some haven't even been opened yet.

I have not had the chance to do further digging yet. That being said, I had no idea I could do a capture without a drive in there; I was under the impression that the tcpdump payload was designed to fail if it did not detect a mounted drive.

I was going to look for a way to force a firmware upgrade using a connected host, but so far I have just followed the instructions on the site, which is: format drive to NTFS, copy firmware file to drive, plug in drive, plug in power, watch LEDs... which never blinked the correct pattern for firmware upgrade, it just went into arming mode. And to specifically answer your question, it was not connected on either ethernet port to anything.

Also haven't found the factory reset instructions quite yet, like I said I haven't had much time to look, but it was out of the box so I hope it doesn't need a factory reset straight from the factory.

I_am_Nothing Posted July 23, 2018

^^ Thanks for the response,* ^^

Archived
This topic is now archived and is closed to further replies.