Embedded Network Devices: Printers.

t3hmadhatt3r
forum buddy
Posts: 16
Joined: 11 May 2009, 16:00


Post by t3hmadhatt3r »

Hi. Today I will teach you about SNMP (Small Network Management Protocol) and Printers. As you may have noticed, this will be a series. The reason is I have much to find out about printers and there is much more that can be done. But, today you will learn how to have some fun with printers at your school, at .edu sites, or any network printers that you have access to.

[***SNMP***]

1 - Basics.

First I will talk about snmp or simple network management protocol. This protocol was developed by microsoft and is supposed to be used for exactly what it is called - network management. The problem is that versions 1 and 2 of the protocol are very insecure, allowing arbitrary actions to be made with a password, and the password is stored in plain text, allowing the attacker to find it in the dumps if they can find the OID (we will talk about these soon) that the password is stored in. Using SNMP a system admin can change various settings on the device he is querying using OIDs (like I said, I will talk about these later). To use SNMP tools on windows download Net-Snmp from http://sourceforge.net/project/downl...exe&a=51221080 and install to a directory of your choice (I named the directory snmp in my c directory).

[***OIDs***]

OIDs stand for Object Identifiers. They hold the various settings and information about the device in different types of data. Some types are String, Integer, Hex, Timeticks etc...

[***Finding a target***]

1 - Ports.

Printers use some ports you should look for when scanning ip ranges. Here are the most common ones used for printing.

9100 - This port pretty much prints everything it sees besides the PJL language (Printer Job Language; I will cover this in later tutorials).

515 - This is the "printer" port. I have no idea what this is for. I will do more research and talk about it in later tutorials.

631 - IPP port. This is for Internet Printer Sharing if I am correct. Again, I will cover this later.

2 - Google.

You can use google to look for .edu sites that have instructions on using their network printers and they usually include their printer IPs. To do this use dorks like inurl:, intext:, etc. Here are some examples.

inurl:.edu intext: Printer Address

inurl:.edu intext: Network Printers

inurl:.edu intext: Printing on Campus

"Why .edu?", you may ask. Well, .edu domains usually have information for students to help them use the (usually not fire-walled or protected by ACLs) printers on the network. There are many more I found with different dorks, but these should give you a start.

3 - Google.

Google again. This time we will use different google dorks I found myself and from other sources to target the printers directly.

intitle:Remote UI:Top page - Canon

inurl:":631/printers" -php -demo - CUPS connected Printers.

inurl:hp/device/this.LCDispatcher - HP Jet Directs.

inurl:"/en/sts_index.cgi" - Ricoh Savins.

intitle:"web image monitor" - Ricoh Savins.

inurl:"/web/user/en/websys/webArch/mainFrame.cgi" - Ricoh Savins

intext:centreware inurl:status - Phasers

[***Enumeration***]

1 - Ports and Firewalls.

Let's start by doing a slow, but steady scan of our target. I used nmap with the arguments of -PN -sS --version-intensity 2.

--Example--

nmap -PN -sS --version-intensity 2 127.0.0.1

Depending on the printer you may get something like this.

23 - telnet
21 - ftp
515 - printer
631 - ipp
9100 - jetdirect

Ok. In this tutorial I will only focus on SNMP, but these ports can also be used to exploit the printers and I will talk about them in later tutorials. SNMP is located on UDP, so let's do a UDP scan.

--Example--

nmap -PN -sS --version-intensity 2 -sU 127.0.0.1

You should see the SNMP port open.

7/udp echo
9/udp discard
111/udp rpcbind
135/udp msrpc
161/udp snmp

Great! It's open.

Note: Don't forget that printers aren't exactly top end servers. Don't crash them with your maniac scans.

2 - Gathering OIDs

Here is where we start to use the Net-SNMP tools you downloaded earlier. Go to the directory you installed them to and type the following.

--Example--

c:\>

c:\>cd snmp (the directory I installed the tools to)

c:\snmp>cd bin (Where all the exe's are)

c:\snmp\bin>snmpwalk -v 1 -c public <ip address> > printerInfo.txt
Ok, this is where we start to gather some OIDs. In the last command we are using the tool snmpwalk, which gathers all the OIDs we are allowed to view on the system. The -v argument is used to input the version we want to use (1). The -c argument is used to input the community name, which is, by default, public (others are private and access if public doesn't work, but keep in mind that an admin can change the community name to tighten up security a bit). <ip address> is, of course, the ip of the printer you are targeting. And lastly, the > printerInfo.txt is saving all output to a text file called printerInfo.txt (you should also save the printer's IP, open ports, and all info you get about the system in a nicely organized txt file).

[***Hacking in***]

1 - Editing OIDs.

Now we start to edit OIDs and other options. Since we do not have the password we may not be able to change everything, but we can still do some pretty cool stuff. Start to look through the printerInfo.txt file for OIDs you may want to change; whether it be online interface names, sys info, the LCD (sometimes you can do this with snmp), or whatever you want. After identifying the OID you are interested in changing, copy it down.

--Example--

If the inside of the txt file looks like this:

SNMPv2-MIB::sysDescr.0 = STRING: Canon iR5000 /P
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.1602.4.7
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (64661777) 7 days, 11:36:57.77
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: iR5000
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 72

etc...

Then copy down the string after the :: like this.

SNMPv2-MIB::sysContact.0 would become sysContact.0

Note: This OID happens to be the contact email.

Now take note of the OID type which is String. To change it we must use the correct type and correct length.

Now, to change this OID we will use the SNMPSET command like so.

--Example--

c:\snmp\bin>snmpset -v 1 -c public <ip-address> sysContact.0 (Or whatever you want to change) s "Owned"

Note the s in front of "Owned". This uses the string data type; to change integers use i (there are other data types; type snmpget without any arguments to view them).

Note: If you get an error saying the OID doesn't exist and you are sure it does, then the system is protecting that OID from being changed without a password.

[***Fin***]

You now know how to change various OIDs on the printer. This allows you to do a lot of cool stuff. In later tutorials I will go over SNMP bugs, the PJL language on port 9100, and the other protocols printers use. I will also introduce some real security issues that affect the network.

Please leave comments and suggestions and look for upcoming tutorials in this series.

Thanks for reading!
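The snmpwalk dump format shown in the post, handled from the defender's side as an added example (not code from the post or from Net-SNMP): it parses the printerInfo.txt lines into typed records and diffs a fresh walk against a saved baseline, so a write to a field like sysContact.0 of the kind described above shows up as a changed value. The sample dump is the post's own seven lines, constructed here as a string; the diff helper and its behaviour are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the seven snmpwalk lines quoted in the post, saved as printerInfo.txt.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Canon iR5000 /P
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.1602.4.7
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (64661777) 7 days, 11:36:57.77
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: iR5000
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 72
"""

# One snmpwalk line: MODULE::object[.instance] = TYPE: value   (value may be empty)
LINE_RE = re.compile(r"^(?P<mib>[\w-]+)::(?P<name>\w+(?:\.\d+)?) = (?P<vtype>[\w-]+):\s?(?P<value>.*)$")

@dataclass
class Var:
    mib: str
    name: str      # the short form the post copies down, e.g. sysContact.0
    vtype: str
    value: object

def parse_value(vtype: str, raw: str):
    if vtype == "INTEGER":
        return int(raw)
    if vtype == "Timeticks":   # "(64661777) 7 days, ..." -> ticks are hundredths of a second
        return int(re.match(r"\((\d+)\)", raw).group(1)) / 100.0
    return raw                 # STRING, OID, Hex-STRING, ... kept verbatim

def parse_walk(text: str) -> list[Var]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                  # lines that do not match (wrapped values, noise) are skipped
            out.append(Var(m["mib"], m["name"], m["vtype"], parse_value(m["vtype"], m["value"])))
    return out

def diff_walks(baseline: str, current: str) -> dict[str, tuple]:
    """Objects whose value changed since the baseline dump; uptime is skipped since it always moves."""
    base = {v.name: v for v in parse_walk(baseline)}
    changed = {}
    for v in parse_walk(current):
        old = base.get(v.name)
        if old is not None and old.vtype != "Timeticks" and old.value != v.value:
            changed[v.name] = (old.value, v.value)
    return changed
```

Running diff_walks over a saved baseline and a scheduled re-walk of each printer turns the community-string write described in the post into an alert rather than a surprise on the LCD.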

hiper
On the way to fame!
Posts: 49
Joined: 19 Jan 2009, 17:00
Location: in front of my comp

Post by hiper »

Great tutorial imo, thanks=)

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Good job t3hmadhatt3r
We'll bump this to a sticky post.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
