Capture and re-print print-jobs on your network

Recently I was asked to audit a network printer environment to find out if it was possible to capture and re-print print-jobs of other network users.

This was actually more easy then I thought.

Check out the steps below:

In this example the following IP’s are used:

Victims Windows Desktop: 10.34.50.100
Central Printer server       :  10.34.6.91
Network Printer                 :  10.34.48.3
Attacker Kali Laptop         :  10.34.50.102

Scenario: a victim Windows Desktop user summits a print-job to a central printer server. The victim walks to the nearest network printer and uses a personal code or RFID card to identify him or herself on the printer. The printer gets the pending print-jobs of the central printer sever and starts printing them.

In order to capture the summited print-job you can do one of the following:

  1. Perform a ARP-Spoof attack between the victims desktop and the central print server so that traffic directed to the central print server gets intercepted by your machine.
  2. Perform a ARP-Spoof attack between the central print servers and the network printer so that traffic directed to the printer gets intercepted by your machine.
  3. Place a small managed switch between the network printers UTP cable connection and the UTP wall socket and create a SPAN port.

Step 1: Capture print-jobs

During my test I choose option three. Whatever you choose the aim is to capture the raw print-job packets that is send to either the print server or the network printer.

Once you have captured the packets, open it with Wireshark:

printer-1

Step 2: Create a Wireshark filter

In order to filter out the traffic you are looking for, you must create a Wireshark filter. In my case this was the following:

ip.addr == 10.34.0.91 && ip.addr == 10.34.48.3 && tcp.port == 9100

10.34.0.91 = the central printer server
10.34.48.3 = the local network printer
9100 = printer port used

When you appy the filter you should get something like this:

printer-2

Step 3: Follow the TCP stream to obtain the raw packets

Now that you have filtered the interesting traffic it is time to select any TCP session entry, right click on it and select the “Follow TCP Stream” option. Once this is done you will see that all TCP packets related to one print-job are combined together.

This will look like this: (notice the print and user information)

printer-3

Step 4: Export the captured data

Once you have combined all TCP packets it is time to export the information to a new .pcap file. You do this by selecting all traffic between the two selected sources from the dropdown menu, select Raw and click on Save As

printer-4

Step 5: Print the captured print-job to your own printer

Now that you have a raw packet file containing a print-job you are ready to replay or resend this information to you own network printer. In my case I used netcat  on Kali for this.

printer-5

Step 6. Walk to you printer and collect you treasure

printer-6.png

If you don’t like to send the captured data to a network printer you are also able to convert it to PDF format using a PCL converter program.

Want to know how? read the easy steps below:

1.  Download and install “VeryPDF PCL Converter” which is available in a free trial version;

2.  Open the PCL Converter tool, import the captured RAW data and select the output destination;

3. Click start and a PDF file will be opened.

Geplaatst op december 28, 2013, in Hacking, Printers. Markeer de permalink als favoriet. 2 reacties.

  1. Excellent article.
    Could you tell me: Is there a way to convert these captured packets back to their original form (e.g. PDF or xml) and not send them to a printer?

    • Hi Thanks for your comment. Actually this is possible and there is a very easy tool to do so. If you search in google for PCL converter you will find a program called “VeryPDF PCL Converter”. You are able to download a free trial version. Once you did so you will only have to start the PCL Converter, import the captured RAW data and select the output destination. Click start and a PDF file will be opened. I have only tried this with captured PDF files and not with for example word or excel documents. Hope this will help.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen.

WordPress.com logo

Je reageert onder je WordPress.com account. Log uit / Bijwerken )

Twitter-afbeelding

Je reageert onder je Twitter account. Log uit / Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit / Bijwerken )

Google+ photo

Je reageert onder je Google+ account. Log uit / Bijwerken )

Verbinden met %s

%d bloggers liken dit: