Full Disclosure mailing list archives

Brute-Force-Printing


From: thomas springer <tuevsec () gmx net>
Date: Fri, 24 Mar 2006 13:00:25 +0100

You might already have heard of "brute-force-hacking" - trying out every
possible password. I had a bit of fun doing "Brute-Force-Printing" recently:

I got a NashuaTec/Ricoh "Colour DocuStation DSc428", an all-in-one
device: printer, fax, scanner, copier and document-management-system.
The machine is pin-protected: you need to enter a 1-8-digit pin to
authorize, either in your printer-driver or at the machine-display.
Depending on setup the pin might also be used to identify a user for
access to document-management, scanned docs and incoming faxes.

I found that NashuaTec stores the pin you need for the printer-driver
unencrypted in the registry (at my machine in
[HKEY_CURRENT_USER\Printers\DevModePerUser]). I wrote a few lines of Perl that

- change the printer-driver's pin-value in the registry (crafting and
importing a new <pin>.reg via "regedit /s")
- try to print <pin>.txt containing the pin (using a simple "notepad /p")
- try the next pin-value

Only valid PINs get printed, the printer will discard the invalid ones
silently. This means, you just start the script and sit in front of the
printer, waiting for the machine to print out every valid pin.

About speed:
Using WinXP's printer-spooler, I was able to spool >10.000 printjobs per
hour. The printer itself is processing about 5.000 (invalid) jobs per
hour. This means:
~2 hours to get every 4-digit pin
~20 hours to get every 5-digit pin
~200 hours to get every 6-digit pin
...

I'm quite sure that this might apply to many other printers using
similar authentication-mechanisms.

Thomas Springer
thomas.springer () gmail com
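The post notes that the device silently discards every job carrying a wrong pin, so from the printer's side the only visible trace of such a run is a burst of rejected jobs from one workstation or user. The following detector is an added example, not part of Thomas Springer's post and not code from Ricoh or any real spooler: it replays a few constructed log lines in a hypothetical format (timestamp, host, user, job id, accepted/rejected) and raises one alert per source that exceeds a threshold of rejected jobs inside a sliding time window. The threshold of 20 rejections per minute is an assumed value, chosen because a user mistyping a pin produces a handful of rejections, while the roughly 5.000 jobs per hour quoted above is over 80 per minute.

```python
"""Sliding-window detector for pin-guessing print jobs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Hypothetical log line format, constructed for this example; it is not the
# format of the Windows spooler, the Ricoh device, or any other real product:
#   <ISO timestamp> host=<name> user=<name> job=<id> result=<accepted|rejected>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"job=(?P<job>\d+) result=(?P<result>accepted|rejected)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "job": int(m["job"]),
        "result": m["result"],
    }


def detect_bursts(lines, threshold=20, window=timedelta(minutes=1)):
    """Return alerts as (host, user, first_rejection_ts, count_in_window).

    One alert is raised per (host, user) the first time the number of
    rejected jobs inside the trailing window reaches the threshold.
    """
    recent = defaultdict(deque)   # (host, user) -> timestamps of recent rejections
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "rejected":
            continue            # accepted jobs and unparsable lines don't count
        key = (rec["host"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        # Drop rejections that have fallen out of the trailing window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((rec["host"], rec["user"], q[0], len(q)))
    return alerts


def make_sample_log():
    """Constructed sample: one user with a single typo, one host firing 30 rejected jobs."""
    base = datetime(2006, 3, 24, 13, 0, 0)
    lines = [
        f"{base.isoformat()} host=ws-office-02 user=alice job=100 result=rejected",
        f"{(base + timedelta(seconds=40)).isoformat()} host=ws-office-02 user=alice job=101 result=accepted",
        "this line is deliberately malformed and must be ignored",
    ]
    for i in range(30):   # one rejected job per second, as a guessing run would produce
        ts = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{ts.isoformat()} host=ws-lab-07 user=guest job={200 + i} result=rejected")
    return lines


if __name__ == "__main__":
    for host, user, first_ts, count in detect_bursts(make_sample_log()):
        print(f"ALERT: {count} rejected jobs from {host}/{user} within a minute, starting {first_ts}")
```

The same window logic works as the basis for a lockout: instead of appending an alert, a spooler-side hook could refuse further jobs from that source until an administrator clears it, which turns the ~2 hours the post quotes for a 4-digit pin into a stall after the first few dozen attempts.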

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

