
I need to come up with a project for my forensics class, so I was thinking about trying to hack my networked printer to see what kind of information I can get off of it and what kind of exploits I can use to get passwords/user activity/print logs/network activity/etc... I would also like to try and get the data off of RAM (via the network).

 

I'm honestly not really sure where to look for insight, but so far, I've done an snmpwalk to gain basic information (ink levels, printer name/network config, dhcp server, etc...), and I've also tried telnet to print text as well as modify the display on the printer (although I haven't had any success with the latter).

 

For reference, I have an HP Officejet 8100 N811a

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.

https://linustechtips.com/topic/734660-hacking-a-network-printer/


Unless using wireless, hacking through the printer is pretty tough.  The protocols are set pretty securely as they are, mainly because of how the printer functions.  The only info you'll get is directly from the printer, and possibly close data sent to it to be spooled to another printer.  If the printer has built in storage like a SATA drive or something similar, that might be more of what you're looking to try and hack into.  Even then, you're going to use software to rebuild data, or bypass encryption.

 

I did a similar project using a network hub instead of a printer.  Network hubs aren't used much anymore, but REALLY easy and cool to work with.  Plus they demonstrate why small businesses should upgrade if they're still using this tech from the '90s.


1 minute ago, Doramius said: (quoting the post above)

The printer is wireless. I originally wanted to do forensics on a drive from an old printer, but I can't seem to find an old printer (with an HDD) for cheap. 


If you're going over wireless, there should be plenty of software for hacking.  Printers are mainly "stupid" machines and you might be able to setup some data or packet movement to help break wireless network passwords.  Some professors may have specific software preferred to be used as forensic troubleshooting, so check on that.  Sort of like training a mechanic on a specific model of vehicle for basic understanding, and then start throwing foreign & import models in the advanced classes.  I've used Kismac with Macbooks and then used telnet to create multiple packets of data to be sniffed and decrypted.

 

Hopefully, that gives you some good ideas, and allows you to see how the data flows and through what ports, so you can properly demonstrate the security risks, as well as how to block them.


1 month later...

On 2/7/2017 at 1:56 PM, Doramius said: (quoting the post above)

I've been putting off the project for the last month+ as I haven't really been sure where to start, but I'm going to be unable to work on it soon, so I need to try to get it down in the next couple days. 

 

Do you have any good resources I should check out? I'm still not entirely sure where to start. I can also probably switch to another project (of a similar type) if you think there would be something easier/more interesting. 


What are the requirements for the project?  I don't think the network printer direction would be the best route, but it all depends on what is being looked for.  To make an assignment look good and show you understand the concepts, I'd look more into hacking an older router.  Set it up with WEP encryption, and use software to break the encryption.  Then you can contrast and compare by increasing the encryption to WPA or WPA2 to show the improvements and why WEP is a bad encryption method to use.  I'm not saying to use that directly, as I don't know what requirements the assignment dictates.  It does allow you to show forensic work, cause & effect, the reason for improving, comparison, and compromise of network securities.


Just now, Doramius said: (quoting the post above)

There aren't really any official project requirements. It's a project for a digital forensics class, so anything along the lines of hacking/finding vulnerabilities/forensics/etc (it doesn't have to be network related either)... would work (basically, I can do almost anything I want as long as it's not stupidly trivial).

 

I'm not sure if there would be enough with WEP vs. WPA/WPA2, I've had a project where I had to break WEP encryption (in a different class) before to gain access to a network, and from what I remember it was as simple as just running aircrack-ng.


Yes, it is a simple item, but again, without requirements it's hard to gauge a good project.  Breaking WEP "IS" very easy, but it usually goes through a lot of the fundamentals of Forensic Security.  You could look into light coding and create a simple viral attack of a Win98 or DOS based system.  Without objective details, some recommended items might consume quite a bit more time than you have available to a project like this.


4 hours ago, Doramius said: (quoting the post above)

I'll do WEP vs. WPA for now, worst case I'll figure out something to add or whatever. 

 

I don't have a router that supports WEP, so I'll either buy one or just use what I had from the last time I cracked a WEP router. I'm trying to crack WPA2 using Reaver and the WPS exploit, although I'm getting a "failure to associate" error -- I assumed that it was because my router (Asus AC68u) fixed that exploit somehow, but then I tried manually inputting the pin of my router with the -P argument and it's still not working.

 

With "reaver -i wlan0mon -b F0:..... -vv" I get:

    Waiting for beacon from F0:......
    switching wlan0mon to channel 1
    switching wlan0mon to channel 2
    ....
    switching wlan0mon to channel 6
    Warning: failed to associate with F0:....... (ESSID: _____)

and the last warning message just repeats forever.

 

and with "reaver -i wlan0mon -b F0:...... -c 6 -e _____ -p ____ -vv", I get:

    switching wlan0mon to channel 8
    waiting for beacon from F0:.....

and then nothing else for a while....after about two hours I saw two "warning: failed to associate with F0:...... (ESSID: ______)". So, I'm not sure why it would take so long if it knows the correct pin?

 

If I run "wash -i wlan0mon" it shows wps version 1.0 and that it is not locked. 

 

EDIT: I ran "reaver -i wlan0mon -b F0:..... -c 8 -e ____ -vv" and I'm getting a different output:

    Switching wlan0mon to channel 6
    waitinf for beacon from _____
    warning failed to associate....
    ....
    warning failed to associate....
    associated with F0:.....
    starting cracking session. Pin count: 0, max pin attempts: 11000
    Trying pin 12345670.
    warning: failed to associate.....
    ....
    warning: failed to associate....
    sending eapol start request
    received identity request
    sending identity request
    ......
    received identity request
    sending identity request
    E-Nonce: b3:...........
    PKE: 56:........
    WPS Manufacturer: AsusTek
    wps model name: wifi protected setup router
    wps model number: ac68u
    access point serial number: f0:.....
    received m1 message
    R-Nonce.....
    PKR......
    authkey......
    sending m2 message
    received m1 message
    sending wsc nack
    sending wsc nack
    wps transaction failed (code 0x03)
    trying pin 12345670
    failed to associate

And then it repeats with the same pin (wps transaction failed code is sometimes 0x02). When I specify the pin as the WPS pin of my router I get a similar output except it tries the pin I input instead of 12345670.

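The "max pin attempts: 11000" and the starting pin 12345670 in the reaver output above follow from how WPS 1.0 PINs are built and verified. The following is an added example (not code from the thread or from reaver) that works that arithmetic out and models how an AP-side lockout like the ones discussed later in the thread bounds an online PIN search; the per-guess timing and lockout values passed in are constructed sample inputs.

```python
"""WPS PIN arithmetic behind reaver's "max pin attempts: 11000".

Added example, not from the thread. It shows why an 8-digit WPS PIN
is verified as two halves, why 12345670 is a checksum-valid PIN, and
how an AP lockout (e.g. "disable WPS after 3 failures until reboot")
changes the picture for the defender.
"""


def wps_checksum(first7: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN body.

    Standard WPS rule: weights 3,1,3,1,... applied from the rightmost
    digit, checksum makes the weighted sum a multiple of 10.
    """
    if not 0 <= first7 <= 9_999_999:
        raise ValueError("PIN body must have at most 7 digits")
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8: str) -> bool:
    """True if an 8-digit PIN string carries a correct checksum digit."""
    if len(pin8) != 8 or not pin8.isdigit():
        return False
    return wps_checksum(int(pin8[:7])) == int(pin8[7])


def worst_case_attempts() -> int:
    """Upper bound on online guesses against a WPS 1.0 registrar.

    The registrar confirms the first four digits (M4) before the rest
    are sent, so the halves are searched independently: 10**4 for the
    first half, then 10**3 for the second half (its last digit is the
    checksum, so only three digits are free). The sum is the 11000
    reaver prints, not the 10**8 an 8-digit PIN suggests.
    """
    return 10**4 + 10**3


def hours_to_exhaust(seconds_per_guess: float,
                     lock_after: int = 0,
                     lock_seconds: float = 0.0) -> float:
    """Wall-clock hours to try every guess when the AP pauses WPS for
    lock_seconds after each block of lock_after failures (0 = no lockout).

    A lockout that only clears on reboot is modelled by passing a very
    large lock_seconds; the result then says why such a policy stops the
    search outright rather than merely slowing it.
    """
    n = worst_case_attempts()
    total = n * seconds_per_guess
    if lock_after > 0:
        total += (n // lock_after) * lock_seconds
    return total / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    print("worst case guesses:", worst_case_attempts())
    # Constructed sample: 2 s per guess, lock 60 s after every 3 failures.
    print("hours, no lockout:", round(hours_to_exhaust(2.0), 2))
    print("hours, with lockout:", round(hours_to_exhaust(2.0, 3, 60.0), 2))
```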

@Doramius I figured out my issue. When I manually enter the pin it works and it finds it before my router disables WPS, otherwise it looks like my router has some WPS-vulnerability protection. With that said, I discovered a very interesting vulnerability, but I can't quite seem to figure out what causes it to happen. While running reaver the SSID gets reset to the default (Asus and Asus_5g) and the wireless password gets disabled completely. It's happened five times out of the ten tests I've run so far but under very different circumstances.

  • Two of the tests were run with: "reaver -i wlan0mon -b F0:..... -c 6 -T 2.00 --no-nacks --vv" and only for about five minutes (before WPS locked up, the pin was not found -- only the starting pin 12345670 was tested).
  • Two of the tests with "reaver -i wlan0mon -b F0:..... -c 6 -T 2.00 --no-nacks -p ______ --vv" after the pin was verified/found.
  • The fifth time with: "reaver -i wlan0mon -b F0:..... -c 6 -T 2.00 --no-nacks -p ______ --vv" before the pin was found. 

It also didn't happen in the other 50% of the tests I ran (that fall into one of the three above categories). So, I'm not quite sure what's causing it.


Check the firmware version you're using on the router.  It shouldn't have too much to do with anything, but you should make a clear note of the firmware version used.  DO NOT upgrade or downgrade firmware without documenting when and why you are making the change.  Next, make sure the reset function of the router is not tied to any of the processes you're attempting.....however, note that the behavior can also be a byproduct of the hacking.  Not sure if it was LaFonera or another manufacturer, but the vulnerability would just reset the router to full defaults, allowing a hacker to set the router any way they wished for access.  


21 minutes ago, Doramius said: (quoting the post above)

I took note of the firmware in my report. As for the rest of it, it doesn't reset the whole router, just the SSID/wireless password, and then only sometimes -- as far as I've noticed, it doesn't happen at any one particular instant either. I'm sure it is some exploit where maybe the router gets overloaded in the attempt to break wps, I just haven't been able to repeat it consistently 100% of the time. 


Just now, Doramius said:

What model was the router?  and what firmware version?

Asus RT-AC68u, 3.0.0.4.378_9313


On 3/30/2017 at 3:04 PM, Doramius said:

Are you running a packet sniffing program to see if there's a difference in network activity for the inconsistencies?  You probably are already using one, but if not, wireshark should be fine.  

I didn't get a chance to run it again because it's my primary router and I think when the wireless settings got reset it caused some trouble with my server and I'd rather not shut that down and deal with that right now. So I bought a cheap Netgear WNR2000v5 to test with, but I'm having trouble figuring out a way to force the router to reboot. Any ideas? It seems to be invulnerable to an mdk3 authentication dos attack.

 

The WNR2000v5 automatically disables WPS after 3 failed pin attempts and then re-enables it on reboot. 


19 minutes ago, Doramius said:

That's their safety protocol.  You might want to check the various firmware updates for that model and see if there are previous versions where there were vulnerability fixes.  Some of those Netgears are hard to reverse flash firmwares, too.

I know why it's happening, but I was wondering if there was some way to force the router to restart that I haven't found/realized yet. 


23 minutes ago, Doramius said:

Different routers may have different coding, but it should be possible to do it.  Netgear often uses Atheros chips.  I've had more experience with Broadcom, although it has been quite a few years.  This link might have some help in this instance.

Alright, thanks, I'll look into that probably tomorrow or the next day. My router isn't on that list (v4 is, v5 is not), but with any luck it will still work. If it doesn't, can you think of any other ways to force the router to reboot?


On 4/5/2017 at 6:28 PM, Doramius said: (quoting the same post again)

I tried to run telnetenable, but I just get a "Connect: Operation timed out" error. So I don't think my router is vulnerable to that. Any other ideas I could try? 
