Attacking a Blind Spot

by Tim Kulp (cloak13)

scotoma n.  A spot in the visual field in which vision is absent or deficient.

Information security is full of scotomas.  To find one, look no further than the network printer.  Modern printers are no longer merely ink cartridges with a network card; they are document management systems with large memory stores and direct server access.  Using unsecured network printers, you can own and disrupt a network resource that is critical for most business functionality.

Why a Printer?

Enterprise/business computers have many checks and policies to monitor information coming from and going to them with devices like proxy servers and firewalls.  Printers, on the other hand, do not access the web or even other computers; they only receive instructions to print and therefore do not need these various checks, right?  Many modern network printers have management features that can be accessed via a web browser or Telnet, which means that ports 80, 443 and 23 are open by default.  Too often, IT professionals simply plug the printer in and point computers to it.  They are ignoring the security implications of treating a printer as a "receive only" device.

A quick browse of the Ricoh or HP printer websites reveals that modern printers are capable of much more than just putting ink on various paper sizes.  Today, printers have hard drives, access to network storage, and email, which translates to broadcasting data and not just receiving it.

Attack 1: Building Your Zombie (Scanner) Army

You have scanned your network to find systems with open ports using a tool like Nmap or Hping2 (for this article, we will be using Nmap).

A system is returned with ports 515 (printer/LPD), 631 (IPP) and 9100 (JetDirect) open.  These ports are the main Page Description Language (PDL) data stream ports.  PDL is the command language network printers use to know how to draw the document that they are trying to print.  Having these ports open is a sure indicator that the device is a network printer.  If you are still not sure, you can always run:

$ nmap -O [target IP address]

The -O option tells Nmap to attempt to determine the operating system of the host you are scanning (lowercase -o is not a valid Nmap flag; it is the prefix for the output-format options).  If the device is indeed a printer, then you can expect something like "HP LaserJet 4050/4200/4600/5100 (JetDirect) printer," which tells you that the network printer in question is an HP LaserJet and could be a 4050, 4200, 4600 or 5100 model.  This is great information to start looking for vulnerabilities, but for this attack we are only delivering a scan through our printer.
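The same port signature (515, 631, 9100) and OS fingerprint can be turned around and used as an inventory check: run the scan against your own address space, save it in Nmap's grepable format (-oG), and flag every host that looks like a printer and also exposes a management port.  The parser below is an added example, not code from the article; the sample Nmap output embedded in it is constructed to look like -oG output and is not a real scan.

```python
import re

# The PDL ports named in the article and the management ports it says are
# usually open by default.  Everything else on a printer is ignored here.
PRINT_PORTS = {515: "lpd", 631: "ipp", 9100: "jetdirect"}
MGMT_PORTS = {23: "telnet", 80: "http", 443: "https"}

# Grepable Nmap output puts one host per line, tab-separated fields:
#   Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...\tOS: <guess>
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")
OS_RE = re.compile(r"\tOS:\s+([^\t]+)")

# Constructed sample, not real scan output.  10.0.5.20 matches the article's
# HP LaserJet fingerprint and has Telnet open; 10.0.5.21 only exposes HTTPS and IPP;
# 10.0.5.30 is an ordinary server and should not be reported.
SAMPLE_NMAP_OG = """# Nmap grepable output (constructed sample for this example)
Host: 10.0.5.20 (prn-2f-east)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tOS: HP LaserJet 4050/4200/4600/5100 (JetDirect) printer\tIgnored State: closed (996)
Host: 10.0.5.21 (prn-2f-west)\tPorts: 443/open/tcp//https///, 631/open/tcp//ipp///\tIgnored State: closed (998)
Host: 10.0.5.30 (fileserver)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
"""


def parse_grepable(text):
    """Return one dict per 'Host:' line that carries a Ports: field."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue                      # comment lines and bare Status: lines
        ports = {int(p): svc for p, proto, svc in PORT_RE.findall(line) if proto == "tcp"}
        os_m = OS_RE.search(line)
        hosts.append({
            "ip": m.group(1),
            "name": m.group(2),
            "ports": ports,
            "os": os_m.group(1).strip() if os_m else "",
        })
    return hosts


def audit_printers(hosts):
    """Flag hosts that expose PDL ports; rate them by which management ports are also open."""
    findings = []
    for h in hosts:
        pdl = sorted(p for p in h["ports"] if p in PRINT_PORTS)
        if not pdl:
            continue                      # not a printer by the article's signature
        mgmt = sorted(p for p in h["ports"] if p in MGMT_PORTS)
        if 23 in mgmt:
            risk = "high"                 # cleartext Telnet management, the article's worst case
        elif mgmt:
            risk = "medium"               # web management reachable; verify it needs a password
        else:
            risk = "low"
        findings.append({"ip": h["ip"], "name": h["name"], "pdl_ports": pdl,
                         "mgmt_ports": mgmt, "os": h["os"], "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit_printers(parse_grepable(SAMPLE_NMAP_OG)):
        print(f"{f['risk']:6} {f['ip']:12} pdl={f['pdl_ports']} mgmt={f['mgmt_ports']} {f['os']}")
```

Feed it the output of a scan of your own subnet (nmap -O -oG printers.gnmap <range>) and the high-risk rows are the printers that still answer on port 23 without any authentication in front of them.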

Let's get this printer working for us.

Using the following command in Nmap:

$ nmap -sI [printer IP address] [target IP address]

The printer (now our zombie system) will appear to scan the target for port information.  This is called an idle scan or a zombie scan because, while you are executing the scan, the probes appear to come from another, idle system rather than from you.  This particular scan is useful when you know an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) will be logging scan activities.  The IDS/IPS will record the scanning system's information which, when using a zombie scan, will be the zombie device (in this case, our target network printer).  This type of scan is great for hiding your computer's identity while still retrieving useful and accurate port information from the target.

Attack 2: Killing Trees, Blocking Business

While a zombie scan can be useful, you can do a lot more with an unsecured printer.  Using just the address of the printer and Telnet, you can send print jobs to the network printer.  Using Telnet and an unsecured printer, we are going to launch a Denial-of-Service (DoS) attack.

Connect to the printer via Telnet:

$ telnet
telnet> open [target IP address] 9100

This will open a Telnet connection to port 9100, the port that receives all the PDL commands that we introduced earlier in the article.

Type whatever you would like and press Ctrl-] to return to the telnet prompt and close the connection.  This will cause the printer to print the text that you typed before hitting Ctrl-].

With a little scripting skill you can build an automated process that will print random strings, causing a tremendous waste of ink and paper as well as clogging the print queue and thus preventing other users from being able to print.

Another way to do this same attack is to connect to the printer via a web browser.

As an example, you could type the following into the address bar of your web browser:

http://[printer IP address]:9100

Notice we are connecting to port 9100.  The printer treats the browser's raw HTTP request as print data and spits it out on paper.  If you get creative with a tool like Fiddler, you can craft your own HTTP commands and flood the printer with HTTP GET requests.  Each GET would be printed out, again causing the print queue to be flooded with bogus print requests.
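Both tricks above leave a footprint that is easy to spot if you know which addresses are printers: in the idle scan the target sees a printer opening connections to many ports on one host, and in the port 9100 flood the printer sees a workstation, rather than the print server, opening a burst of raw-print connections.  The detector below runs both rules over firewall log lines.  It is an added example, not code from the article; the inventory sets, the log line format and the sample log it builds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: which addresses are printers, and the only host that
# should be submitting raw print jobs to them.
PRINTERS = {"10.0.5.20", "10.0.5.21"}
PRINT_SERVERS = {"10.0.5.10"}
RAW_PRINT_PORTS = {515, 631, 9100}      # LPD, IPP, JetDirect: the PDL ports from the article

# Constructed log format, one TCP connection per line.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=tcp")


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4))


def printer_scan_alerts(events, window=timedelta(seconds=60), min_ports=10):
    """Rule 1: a printer opening connections to many distinct ports on one host.
    A printer has no reason to probe anything; this is what the target of an idle
    scan records (the zombie's address, not the scanner's)."""
    hits = defaultdict(list)
    for ts, src, dst, dport in events:
        if src in PRINTERS:
            hits[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), h in hits.items():
        h.sort()
        for i, (t0, _) in enumerate(h):          # slide the window over sorted hits
            ports = {p for t, p in h[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append(f"printer {src} probed {len(ports)} ports on {dst} within {window.seconds}s")
                break
    return alerts


def print_flood_alerts(events, window=timedelta(seconds=60), min_conns=20):
    """Rule 2: a host other than the print server hammering a printer's PDL ports,
    the pattern of the Telnet/browser-to-9100 paper-wasting DoS."""
    hits = defaultdict(list)
    for ts, src, dst, dport in events:
        if dst in PRINTERS and dport in RAW_PRINT_PORTS and src not in PRINT_SERVERS:
            hits[(src, dst)].append(ts)
    alerts = []
    for (src, dst), stamps in hits.items():
        stamps.sort()
        for i, t0 in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - t0 <= window)
            if n >= min_conns:
                alerts.append(f"{src} opened {n} raw-print connections to {dst} within {window.seconds}s")
                break
    return alerts


def _constructed_log():
    """Constructed sample: normal print-server jobs, an idle-scan footprint from
    printer 10.0.5.20 against a file server, and a 9100 flood from a workstation."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    fmt = "{} src={} dst={} dport={} proto=tcp action=allow"
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [fmt.format(stamp(s), "10.0.5.10", "10.0.5.20", 9100) for s in range(0, 300, 30)]
    for i, port in enumerate([21, 22, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3306, 3389]):
        lines.append(fmt.format(stamp(100 + 2 * i), "10.0.5.20", "10.0.5.30", port))
    for i in range(40):
        lines.append(fmt.format(stamp(200 + i), "10.0.7.15", "10.0.5.21", 9100))
    return lines


SAMPLE_LOG = _constructed_log()
EVENTS = [e for e in map(parse_line, SAMPLE_LOG) if e]

if __name__ == "__main__":
    for a in printer_scan_alerts(EVENTS) + print_flood_alerts(EVENTS):
        print("ALERT:", a)
```

The thresholds are deliberately loose; the point is that the inventory does the work.  Once you know an address is a printer, any outbound connection from it that is not a scan-to-email or scan-to-folder destination is suspicious, and any raw-print traffic that does not come from the print server is worth a look.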

But wasting paper is not the only DoS we can perform.  Using Telnet, you can change settings on an unsecured printer by connecting to port 23.  You can use this connection to reset the administrative password, change the user time out, and a ton of other mischievous things.

We will walk through a quick scenario that will get the printer's hostname using Telnet and an unsecured HP 4050n printer.

Telnet into the printer using a standard Telnet open connection command:

$ telnet
telnet> open [target printer's IP address]

If the printer is unsecured, you will not be prompted for a username or password.  After gaining access to the printer, type menu and hit Enter.

This will return the control menu.  To get the hostname, select Option 2, for "TCP/IP Settings", then select Option 1, for "Main TCP/IP Settings".

This will return all of the general TCP/IP settings, including hostname, IP address, subnet mask, etc.  You can change the IP address here to create a simple, but temporary, DoS attack.  As soon as network administrators realize no one can print to the specific printer, the changed IP address will be discovered and corrected.  Whether or not the printer will then be secured is another story.

Return to the main menu and browse the other options to get a complete picture of all the settings you can manipulate.  Many of these settings, with slight changes, can cause major disruptions in the printer's operations or be other routes to a DoS attack.

Conclusion

The few examples in this article are simple attacks for standard network printers but can be used as a basis for more sophisticated attacks against robust printing systems.

As printers improve in capabilities and features, new security issues arise.  Imagine the security concerns of a "document management solution" printer, or of a printer tied directly to the company's Exchange server.  If left unsecured, what kind of attacks could be used to compromise the connected systems?  Like many non-computer devices, network printers are often forgotten in security audits and analysis.  Keep this in mind during your next penetration test project.

By targeting network printers, you can leverage a powerful network resource while operating in a very large security blind spot.
