Locating and Exploiting local network printers

Github: https://github.com/RUB-NDS/PRET <- We'll be using this awesome toolkit throughout this next bit! 

The Printer Exploitation Toolkit is a handy tool that is used for both local targeting and exploitation.

You can install it by running the following commands:

git clone https://github.com/RUB-NDS/PRET && cd PRET
python2 -m pip install colorama pysnmP

- Locating printers

Simply running python pret.py will start an automatic printer discovery in your local network. 

It is also possible by running an Nmap scan on your whole network, but unfortunately, it might take a longer time. This is because the pret.py scan is focused on the ports which printer communication on by default, thus making it immensely faster. 

Sample output from pret.py discovering accessible printers

- Exploiting

Now, it is time to finally exploit the printer. 

There are exactly three options you need to try when exploiting a printer using PRET:

1. ps (Postscript)

2. pjl (Printer Job Language)

3. pcl (Printer Command Language)

You need to try out all three languages just to see which one is going to be understood by the printer. 

Sample Usage:

python pret.py {IP} pjl
python pret.py laserjet.lan ps
python pret.py /dev/usb/lp0 pcl 

(Last option works if you have a printer connected to your computer already)

After running this command, you are supposed to get shell-alike output with different commands. Run help to see them.

Various sample commands available in the different languages which printers can use to communicate

As you can see, PRET allows us to interact with the printer as if we were working with a remote directory. We can now store, delete, or add information on the printer. 

(For more commands and examples read the project's GitHub)

You can possibly try PRET on your printer at home, just to test its security. 

Here's a nice cheat sheet: hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet

Practice - Bad Example of IPP configuration

I have attached a poorly configured CUPS server VM in this task.

Deploy it and access the IPP port at MACHINE_IP:631. See if you can retrieve any sensitive information.
(PRET isn't going to work here as it is using port 9000 by default)

Note also: An ssh access to the machine allows you to set up ssh tunneling, opening all CUPS features and providing you an ability to use attached printers. SSH password can be easily brute-forced (weak password).

An example command for ssh tunneling:

ssh printer@MACHINE_IP -T -L 3631:localhost:631

After doing so, you can easily add the CUPS server in your VM's printer settings and even try to send some printing jobs.

Try out different techniques and have fun!