Need help with a printer hacking idea

[NSweaney at tulsacash.com (Nathan Sweaney)]

This isn't particularly elegant, and I haven't had time to test it much,
but I think it'll work.  Assuming you have the ability to run commands
on the box of course.

 

FOR /L %i in (1,0,2) DO @ping -n 6 127.0.0.1 > nul & (copy
c:\Windows\System32\spool\PRINTERS\*.* c:\temp\ >nul 2>nul)

 

It loops infinitely (or until 1+0=2) and on each iteration does a 5
second ping delay before trying to copy any files in your print spool to
c:\temp\.  It also spits standard output & standard error to nul just to
be clean, though I assume you wouldn't be running this from the desktop
anyway.  I have no clue how long files stay in the spool folder though,
so you may want to increase or decrease the delay.  And since the
spooler service removes the files after they're printed, you don't have
to worry about the same files being copied repeatedly.

 

One addition that might be neat would be some kind of warning when files
have been copied.  So for instance when the second command is
successful, have it send a message to a box that you have listening. 

 

 

Here's a slightly more evil idea I had.  Drop the ping delay on this
down to 1 second.  Then every time a file shows up, MOVE the file to
your other directory and replace it with another SPL file that has
something you've created.  So every time anyone prints anything, they
get your file, whatever you'd like that to be.  I don't know if that
would work or not, but it would certainly be fun to try in the office.
Who's ever going to troubleshoot a printer problem like that by looking
for a random cmd.exe process?

 

-- Nathan

 

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian
Crenshaw
Sent: Tuesday, August 25, 2009 7:03 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Need help with a printer hacking idea

 

Ok, 
    I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes
has SPL files in it that contain EMF versions of what is being printed
(I've attached a sample). You can find a viewer here
http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These
normaly get deleted as soon as the print job finishes printing. I've
tried using tools that look in the MFT, but they don't see any deleted
files that match (working on the data carve as we speak), Other than
having a app that sits there that constantly polls for new files in the
spool folder, can you think of a way to have an event fire off that will
copy these jobs as they are printed? Lot's of sensitive stuff is
printed, and this could be some useful info for pentesters/forensics
guys.

Adrian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090825/787005ed/attachment.htm