View Full Version : Man in the Middling Printers

11-24-2010, 06:52 PM
Ever thought of diverting/stealing all printer jobs from the network printer.....leave alone that do we really care about testing printer security in Pen Test.

Have a look at this tool 'PRN-2-ME'

PRN-2-me is a simple listener that can be configured to run on any port (default is 9100 for jetdirect style connections). The tool will then save all incoming PCL and PostScript print jobs to file and forward them on to the real printer.

Now that you’ve got the print jobs saved to disk, it’s a simple task of sifting through them and seeing what nuggets of gold you’ve captured.

Postscript (PS): The simple format… you can open .ps files in most operating systems without any specialist software needed. Click and run…

There are four easy methods for stealing print jobs that spring to mind, other than using standard ARP or DNS spoofing attacks.

1. Physical access – A majority of printers offer unprotected access to the menu. Through physical access you can change the printers IP address and assume the original for yourself.
2. Telnet access – Not seen so often in modern printers, but can give you complete access if the passwords are blank or left at default. Again, reset the IP address and assume the original.
3. Webserver access – Most modern printers offer a web interface for easy configuration. Brute-Force is an option here as they rarely enforce lockouts or use domain credentials. Again, reset the IP address and assume the original.
4. Denial of Service – Crude but effective. This isn’t really a MITM attack, as you’d not be able to forward on the print job. Just drop the printer off the network (turn it off if you have to) and steal it’s IP.

Once you’ve gained access and stolen the IP address of the remote printer, there are a couple of ways to steal the print jobs. Start off by playing about with netcat using a simple netcat relay


11-24-2010, 08:31 PM
Oh thats a nice Share bro this will help in our pentest

11-24-2010, 10:57 PM
thanks a lot for the share bro, I once was able to see the printing of ATM pin numbers, and the worst part was the printer was connected to the same network that I was in. But another application was listening for commands and was forwarding it to the printer though . That time the printer was not in my scope of work so could not experiment though I found the printer ip, next time will definitely give it a try. That Ip changing trick seems to be the perfect option.

11-25-2010, 10:07 AM
If we found this vuln in client network then can we add it in report???
Coz mostly printers are not in scope of PT....

11-25-2010, 05:04 PM
If we found this vuln in client network then can we add it in report???
Coz mostly printers are not in scope of PT....

41.w4r10r, a generic advice for any such "extra" efforts or good will for client:

Know the client first! With experience you'll see that they range from very good and polite to damn strict some times and unnecessarily trouble some.

Now a days I am dealing with a worst ever client I've ever seen. Today he raised question that why I did not take his consent while trying mail relay on his SMTP server!!! He is calling that as an exploitation attempt although the server was under scope of Internal Penetration Test. He is such a bad client that finally our organization is thinking on pulling out the plug.

So know your client first and then think whether to care for him or not.


11-25-2010, 05:36 PM
If we found this vuln in client network then can we add it in report???
Coz mostly printers are not in scope of PT....

I totally agree with b0nd,you will find clients who are very understanding and some who can be a pain in ur ass......you have to play according to the situations......I often keep this kind of findings as a backup slide in my presentations .....if the presentation goes well.....i wud use the slides.....

So its always down to the situation and how u handle it...

11-26-2010, 09:40 AM
thnx for suggestion....

07-19-2012, 11:14 AM
how do i find the port number of the port to which i want to configure the listener to,the port number which is entered as user input in this program.i have windows xp.