PaulDotCom mailing list archives
Need help with a printer hacking idea
From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Tue, 25 Aug 2009 20:09:25 -0500
This isn't particularly elegant, and I haven't had time to test it much, but I think it'll work. Assuming you have the ability to run commands on the box of course.

    FOR /L %i in (1,0,2) DO @ping -n 6 127.0.0.1 > nul & (copy c:\Windows\System32\spool\PRINTERS\*.* c:\temp\ >nul 2>nul)

It loops infinitely (or until 1+0=2) and on each iteration does a 5 second ping delay before trying to copy any files in your print spool to c:\temp\. It also spits standard output & standard error to nul just to be clean, though I assume you wouldn't be running this from the desktop anyway.

I have no clue how long files stay in the spool folder though, so you may want to increase or decrease the delay. And since the spooler service removes the files after they're printed, you don't have to worry about the same files being copied repeatedly.

One addition that might be neat would be some kind of warning when files have been copied. So for instance when the second command is successful, have it send a message to a box that you have listening.

Here's a slightly more evil idea I had. Drop the ping delay on this down to 1 second. Then every time a file shows up, MOVE the file to your other directory and replace it with another SPL file that has something you've created. So every time anyone prints anything, they get your file, whatever you'd like that to be. I don't know if that would work or not, but it would certainly be fun to try in the office. Who's ever going to troubleshoot a printer problem like that by looking for a random cmd.exe process?
-- Nathan

________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Tuesday, August 25, 2009 7:03 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Need help with a printer hacking idea

Ok, I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes has SPL files in it that contain EMF versions of what is being printed (I've attached a sample). You can find a viewer here http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These normally get deleted as soon as the print job finishes printing. I've tried using tools that look in the MFT, but they don't see any deleted files that match (working on the data carve as we speak). Other than having an app that sits there that constantly polls for new files in the spool folder, can you think of a way to have an event fire off that will copy these jobs as they are printed? Lots of sensitive stuff is printed, and this could be some useful info for pentesters/forensics guys.

Adrian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090825/787005ed/attachment.htm
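On the defender's side of the question that closes Nathan's message, here is an added example (not code from the thread or its authors): a Python triage over process-creation records that flags command lines touching the spool folder from anything other than the spooler. The record field names, the sample events, the scoring, and the assumption that only spoolsv.exe should touch the folder are all constructed for illustration.

```python
import re

# Spool folder named in the thread, as a literal path or via %SystemRoot%/%windir%.
SPOOL_RE = re.compile(
    r"(?:[a-z]:\\windows|%(?:systemroot|windir)%)\\system32\\spool\\printers", re.I)
# Built-in commands that copy or move files.
VERB_RE = re.compile(r"(?<![\w.])(copy|xcopy|robocopy|move)(?:\.exe)?(?!\w)", re.I)
# FOR /L, the polling construct used in the message above.
LOOP_RE = re.compile(r"\bfor\s+/l\b", re.I)
# Assumption: on this host only the spooler service should touch the folder.
EXPECTED_IMAGES = {"spoolsv.exe"}

# Constructed process-creation records (field names are hypothetical).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c FOR /L %i in (1,0,2) DO @ping -n 6 127.0.0.1 > nul & (copy c:\Windows\System32\spool\PRINTERS\*.* c:\temp\ >nul 2>nul)'},
    {"pid": 1388, "image": r"C:\Windows\System32\spoolsv.exe",
     "command_line": r"C:\Windows\System32\spoolsv.exe"},
    {"pid": 5012, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c dir "%SystemRoot%\System32\spool\PRINTERS"'},
    {"pid": 6220, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c move C:\Windows\System32\spool\PRINTERS\00002.SPL c:\temp"},
]

def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    cmd = event.get("command_line", "")
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if not SPOOL_RE.search(cmd) or image in EXPECTED_IMAGES:
        return 0, []
    score, reasons = 1, ["references spool\\PRINTERS"]
    verb = VERB_RE.search(cmd)
    if verb:
        score += 1
        reasons.append("file verb: " + verb.group(1).lower())
    if LOOP_RE.search(cmd):
        score += 1
        reasons.append("FOR /L polling loop")
    return score, reasons

def triage(events, threshold=2):
    """Return (pid, score, reasons) for records at or above threshold, highest first."""
    scored = [(e["pid"], *score_event(e)) for e in events]
    return sorted((h for h in scored if h[1] >= threshold), key=lambda h: -h[1])

if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

Command-line matching only sees processes that name the folder on their command line; file-access auditing on the spool directory covers programs that open it without doing so.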