
Published on February 2nd, 2017

Printer Exploitation Toolkit: PRET


PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported, which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.
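Because everything described above travels to the printer as ordinary PJL or PostScript text, a defender can review a raw print stream (for example one captured from 9100/tcp traffic) for commands that touch the file system or persistent state. The following is an added example, not code from PRET or the original page; the command shortlist, the function name scan_job and the sample job are assumptions constructed for illustration, and PCL is not covered:

```python
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language: frames a PJL job
PJL_LINE = re.compile(rb"@PJL\s+(\w+)", re.I)
PS_TOKEN = re.compile(rb"[A-Za-z]+")

# Constructed shortlist (not exhaustive, not taken from PRET): commands that
# touch the file system or persistent state instead of describing a page.
PJL_SENSITIVE = {
    b"FSUPLOAD": "file read",
    b"FSDOWNLOAD": "file write",
    b"FSDIRLIST": "directory listing",
    b"FSDELETE": "file delete",
    b"DEFAULT": "persistent setting change",
}
PS_SENSITIVE = {
    b"filenameforall": "file enumeration",
    b"deletefile": "file delete",
    b"renamefile": "file rename",
    b"exitserver": "job encapsulation change",
    b"startjob": "job encapsulation change",
}

def scan_job(data):
    """Return (language, token, meaning) for each flagged command in a raw job."""
    findings = []
    for raw in data.replace(UEL, b"\n").splitlines():
        line = raw.strip()
        m = PJL_LINE.match(line)
        if m:  # PJL is case-insensitive, so normalise before lookup
            cmd = m.group(1).upper()
            if cmd in PJL_SENSITIVE:
                findings.append(("pjl", cmd.decode(), PJL_SENSITIVE[cmd]))
            continue
        # PostScript names are case-sensitive; strings are scanned too, so a
        # hit is a prompt for review rather than proof of abuse.
        for tok in PS_TOKEN.findall(line):
            if tok in PS_SENSITIVE:
                findings.append(("ps", tok.decode(), PS_SENSITIVE[tok]))
    return findings

# Constructed sample job, not captured traffic.
SAMPLE = (UEL + b'@PJL JOB NAME="report"\r\n'
          b'@PJL FSUPLOAD NAME="<constructed-path>"\r\n'
          b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
          b"%!PS\r\n(*) {pop} 64 string filenameforall\r\n"
          b"/Helvetica findfont 12 scalefont setfont\r\n" + UEL)

if __name__ == "__main__":
    for finding in scan_job(SAMPLE):
        print(finding)
```

Ordinary driver output consists of page-description operators and job settings, so any hit from this shortlist in a job coming from a workstation is worth a closer look.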

Installation

PRET only requires a Python2 interpreter. For colored output and SNMP support, however, third-party modules need to be installed:

# pip install colorama pysnmp

If running on a Windoze console and Unicode characters are not displayed correctly, install the win_unicode_console module:

# pip install win_unicode_console

For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed:

# apt-get install imagemagick ghostscript

 

Usage

usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}

positional arguments:
  target                printer device or hostname
  {ps,pjl,pcl}          printing language to abuse

optional arguments:
  -h, --help            show this help message and exit
  -s, --safe            verify if language is supported
  -q, --quiet           suppress warnings and chit-chat
  -d, --debug           enter debug mode (show traffic)
  -i file, --load file  load and run commands from file
  -o file, --log file   log raw data sent to the target

 

PRET requires a valid target and a printer language as arguments. The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like /dev/usb/lp0 for a local USB printer. To quickly discover all network printers in your subnet using SNMP broadcast, simply run PRET without arguments:





 

./pret.py
No target given, discovering local printers

address          device                       uptime    status                 
───────────────────────────────────────────────────────────────────────────────
192.168.1.5      hp LaserJet 4250             10:21:49   Ready                 
192.168.1.11     HP LaserJet M3027 MFP        13 days    Paper jam             
192.168.1.27     Lexmark X792                 153 days   Ready                 
192.168.1.28     Brother MFC-7860DW           16:31:17   Sleep mode         

 

The printer language to be abused must be one of ps, pjl or pcl. Not all languages are supported by every printer, so you may want to switch languages if you don’t receive any feedback. Each printer language is mapped to a different set of PRET commands and has different capabilities to exploit.

 

https://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet

 

https://github.com/RUB-NDS/PRET


