
Capture and re-print print-jobs on your network

Recently I was asked to audit a network printer environment to find out if it was possible to capture and re-print print-jobs of other network users.

This was actually easier than I thought.

Check out the steps below:

In this example the following IP addresses are used:

Victim's Windows desktop: 10.34.50.100
Central printer server: 10.34.6.91
Network printer: 10.34.48.3
Attacker's Kali laptop: 10.34.50.102

Scenario: a victim Windows desktop user submits a print-job to a central printer server. The victim walks to the nearest network printer and uses a personal code or RFID card to identify him or herself on the printer. The printer fetches the pending print-jobs from the central printer server and starts printing them.

In order to capture the submitted print-job you can do one of the following:

  1. Perform an ARP-spoof attack between the victim's desktop and the central print server so that traffic directed to the central print server gets intercepted by your machine.
  2. Perform an ARP-spoof attack between the central print server and the network printer so that traffic directed to the printer gets intercepted by your machine.
  3. Place a small managed switch between the network printer's UTP cable connection and the UTP wall socket and create a SPAN port.

Step 1: Capture print-jobs

During my test I chose option three. Whichever you choose, the aim is to capture the raw print-job packets that are sent to either the print server or the network printer.

Once you have captured the packets, open them with Wireshark:

[Screenshot: the capture opened in Wireshark]

Step 2: Create a Wireshark filter

In order to filter out the traffic you are looking for, you must create a Wireshark filter. In my case this was the following:

ip.addr == 10.34.0.91 && ip.addr == 10.34.48.3 && tcp.port == 9100

10.34.0.91 = the central printer server
10.34.48.3 = the local network printer
9100 = printer port used

When you apply the filter you should get something like this:

[Screenshot: Wireshark packet list with the filter applied]

Step 3: Follow the TCP stream to obtain the raw packets

Now that you have filtered the interesting traffic it is time to select any TCP session entry, right click on it and select the “Follow TCP Stream” option. Once this is done you will see that all TCP packets related to one print-job are combined together.

The result looks like this (notice the print and user information):

[Screenshot: Follow TCP Stream window showing the print-job data]

Step 4: Export the captured data

Once you have combined all TCP packets it is time to export the information to a new .pcap file. You do this by selecting all traffic between the two selected sources from the dropdown menu, selecting Raw and clicking Save As.

[Screenshot: Follow TCP Stream window with Raw selected and Save As]

Step 5: Print the captured print-job to your own printer

Now that you have a raw packet file containing a print-job you are ready to replay or resend this information to your own network printer. In my case I used netcat on Kali for this.

[Screenshot: netcat on Kali sending the raw file to the printer]

Step 6: Walk to your printer and collect your treasure

[Screenshot: the re-printed print-job]

If you would rather not send the captured data to a network printer, you can also convert it to PDF format using a PCL converter program.

Want to know how? Read the easy steps below:

1. Download and install “VeryPDF PCL Converter”, which is available in a free trial version;

2. Open the PCL Converter tool, import the captured RAW data and select the output destination;

3. Click start and a PDF file will be opened.
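
The print and user information visible in Step 3 can be recorded as an audit finding straight from the raw file exported in Step 4. The following is an added example, not code from the original post; it assumes the job opens with a PJL header (UEL marker followed by @PJL lines), and the sample job, document name and user name are constructed.

```python
import re

# Universal Exit Language marker that normally opens a PJL job header.
UEL = b"\x1b%-12345X"

# Constructed sample of a raw port-9100 job (assumed layout, not from the post's capture).
SAMPLE_JOB = (
    UEL
    + b'@PJL JOB NAME="salary-overview.pdf"\r\n'
    + b'@PJL SET USERNAME="jdoe"\r\n'
    + b"@PJL SET COPIES=1\r\n"
    + b"@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE...page data...\x1bE"
    + UEL
)

PJL_LINE = re.compile(rb"@PJL[ \t]+([^\r\n]*)")


def audit_raw_job(data: bytes) -> dict:
    """Report the cleartext PJL metadata that precedes the page data."""
    report = {"has_uel": data.startswith(UEL), "language": None, "fields": {}}
    for match in PJL_LINE.finditer(data):
        command = match.group(1).decode("latin-1").strip()
        upper = command.upper()
        if upper.startswith("ENTER LANGUAGE"):
            # Page data (PCL, PostScript, ...) follows this line; stop parsing.
            if "=" in command:
                report["language"] = command.split("=", 1)[1].strip()
            break
        if upper.startswith(("SET ", "JOB ")) and "=" in command:
            key, value = command.split(None, 1)[1].split("=", 1)
            report["fields"][key.strip().upper()] = value.strip().strip('"')
    return report


def exposes_identity(report: dict) -> bool:
    """True when the header names a user or a document in cleartext."""
    return any(k in report["fields"] for k in ("USERNAME", "NAME", "JOBNAME"))


if __name__ == "__main__":
    result = audit_raw_job(SAMPLE_JOB)
    print(result, "identity exposed:", exposes_identity(result))
```

If the report lists a user or document name, the job crossed the network unencrypted; moving the queue to IPP over TLS (IPPS) or isolating printer traffic on its own network segment is the usual remediation.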

2 responses to “Capture and re-print print-jobs on your network”

Excellent article.
Could you tell me: Is there a way to convert these captured packets back to their original form (e.g. PDF or xml) and not send them to a printer?

Hi, thanks for your comment. Actually this is possible and there is a very easy tool to do so. If you search in Google for PCL converter you will find a program called “VeryPDF PCL Converter”. You are able to download a free trial version. Once you have done so you will only have to start the PCL Converter, import the captured RAW data and select the output destination. Click start and a PDF file will be opened. I have only tried this with captured PDF files and not with, for example, Word or Excel documents. Hope this will help.
