Full Disclosure mailing list archives
Brute-Force-Printing
From: thomas springer <tuevsec () gmx net>
Date: Fri, 24 Mar 2006 13:00:25 +0100
You might already have heard of "brute-force-hacking" - trying out every possible password. I had a bit of fun doing "Brute-Force-Printing" recently:

I got a NashuaTec/Ricoh "Colour DocuStation DSc428", an all-in-one device: printer, fax, scanner, copier and document-management-system.

The machine is pin-protected: you need to enter a 1-8-digit-pin to authorize, either in your printer-driver or at the machine-display. Depending on setup the pin might also be used to identify a user for access to document-management, scanned docs and incoming faxes.

I found that NashuaTec stores the pin you need for the printer-driver unencrypted in the registry (on my machine in [HKEY_CURRENT_USER\Printers\DevModePerUser]).

I did a few lines of Perl that
- change the printer-driver's pin-value in the registry (crafting and importing a new <pin>.reg via "regedit /s")
- try to print <pin>.txt containing the pin (using a simple "notepad /p")
- try the next pin-value

Only valid PINs get printed, the printer will discard the invalid ones silently. This means, you just start the script and sit in front of the printer, waiting for the machine to print out every valid pin.

About speed: Using WinXP's printer-spooler, I was able to spool >10.000 printjobs per hour. The printer itself is processing about 5.000 (invalid) jobs per hour. This means:
~2 hours to get every 4digit-pin
~20 hours to get every 5digit-pin
~200 hours to get every 6digit-pin
...

I'm quite sure that this might apply to many other printers using similar authentication-mechanisms.

Thomas Springer
thomas.springer () gmail com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
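Added example, not part of the original post and not vendor code: a detection sketch that flags the job pattern described above (one user spooling many jobs per minute whose document names are digit-only `<pin>.txt` files). The tab-separated log format, the user names, the "- Notepad" title suffix and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the spooled job's document name contains "<digits>.txt",
# matching the <pin>.txt files the post describes (1-8 digit PINs).
PIN_DOC = re.compile(r"\b\d{1,8}\.txt\b", re.I)

def find_pin_sweeps(lines, window=timedelta(minutes=1), max_jobs=30,
                    min_pin_ratio=0.8):
    """Return {user: time at which the sweep threshold was first crossed}.

    Each line is "ISO-timestamp<TAB>user<TAB>document name" (constructed
    format). A user is flagged when more than max_jobs jobs fall inside the
    sliding window and most of them have PIN-like document names.
    """
    recent = defaultdict(deque)  # user -> (time, is_pin_like) inside window
    flagged = {}
    for line in lines:
        ts, user, doc = line.rstrip("\n").split("\t", 2)
        now = datetime.fromisoformat(ts)
        jobs = recent[user]
        jobs.append((now, bool(PIN_DOC.search(doc))))
        while now - jobs[0][0] > window:  # drop jobs older than the window
            jobs.popleft()
        pin_like = sum(1 for _, is_pin in jobs if is_pin)
        if len(jobs) > max_jobs and pin_like / len(jobs) >= min_pin_ratio:
            flagged.setdefault(user, now)
    return flagged

def sample_log():
    """Constructed records: one ordinary user, one sweeping at 2 jobs/s."""
    start = datetime(2006, 3, 24, 13, 0, 0)
    lines = [f"{(start + timedelta(minutes=20 * i)).isoformat()}"
             f"\talice\tminutes-{i}.doc - Word" for i in range(3)]
    lines += [f"{(start + timedelta(seconds=i / 2)).isoformat()}"
              f"\tmallory\t{i:04d}.txt - Notepad" for i in range(200)]
    return lines

if __name__ == "__main__":
    for user, when in find_pin_sweeps(sample_log()).items():
        print(f"possible PIN sweep by {user}, threshold crossed at {when}")
```

The same counting applies on the device side: a per-source limit or lockout on jobs rejected for a wrong PIN removes the silent, unlimited guessing the post relies on.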