PRET: Printer Exploitation Toolkit
PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently, PostScript, PJL, and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.
The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.
PRET requires a valid target and a printer language as arguments. The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like /dev/usb/lp0 for a local USB printer. To quickly discover all network printers in your subnet using SNMP broadcast, simply run PRET without arguments:
The printer language to be abused must be one of ps, pjl or pcl. Not all languages are supported by every printer, so you may want to switch languages if you don’t receive any feedback. Each printer language is mapped to a different set of PRET commands and has different capabilities to exploit.
–safe try to check via IPP, HTTP, and SNMP if the selected printing language (PS/PJL/PCL) is actually supported by the device before connecting. On non-networked printers (USB, parallel cable) this test will fail.
–quit suppresses printer model determination, intro message, and some other chit-chat.
–debug shows the data stream actually sent to the device and the feedback received. Note that header data and other overhead is filtered. The see the whole traffic, use Wireshark. Debugging can also be switched on/off within a PRET session using the debug command
–load filename reads and executes PRET commands from a text file. This is useful for automation. Command files can also be invoked later within a PRET session via the load command.
–log filename writes a copy of the raw data stream sent to the printer into a file. This can be useful to build a malicious print job file which can be deployed on another printer not directly reachable, for example by printing it from a USB drive.
Copyright (C) 2017 jensvoid