Open Source and information security mailing list archives
 
Date: Fri Mar 24 12:01:40 2006
From: tuevsec at gmx.net (thomas springer)
Subject: Brute-Force-Printing

You might already have heard of "brute-force-hacking" - trying out every
possible password. I had a bit of fun doing "Brute-Force-Printing" recently:

I got a NashuaTec/Ricoh "Colour DocuStation DSc428", an all-in-one
device: printer, fax, scanner, copier and document-management system.
The machine is PIN-protected: you need to enter a 1-8-digit PIN to
authorize, either in your printer driver or at the machine display.
Depending on setup the PIN might also be used to identify a user for
access to document management, scanned docs and incoming faxes.

I found that NashuaTec stores the PIN you need for the printer driver
unencrypted in the registry (on my machine in
[HKEY_CURRENT_USER\Printers\DevModePerUser]). I did a few lines of Perl that

- change the printer driver's PIN value in the registry (crafting and
importing a new <pin>.reg via "regedit /s")
- try to print <pin>.txt containing the PIN (using a simple "notepad /p")
- try the next PIN value

Only valid PINs get printed; the printer will discard the invalid ones
silently. This means you just start the script and sit in front of the
printer, waiting for the machine to print out every valid PIN.

About speed:
Using WinXP's printer spooler, I was able to spool >10.000 print jobs per
hour. The printer itself is processing about 5.000 (invalid) jobs per
hour. This means:
~2 hours to get every 4-digit PIN
~20 hours to get every 5-digit PIN
~200 hours to get every 6-digit PIN
...

I'm quite sure that this might apply to many other printers using
similar authentication mechanisms.

Thomas Springer
thomas.springer@...il.com
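
Added example, not part of the original post: a defender-side check that flags a submitter whose print-job rate looks like the spooling rate described above, plus the post's keyspace arithmetic for choosing a PIN length. The record format (epoch seconds, submitter), the thresholds and the sample jobs are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def hours_to_exhaust(digits, jobs_per_hour):
    """Worst-case hours to try every PIN of exactly `digits` digits."""
    return 10 ** digits / jobs_per_hour


def flag_job_floods(jobs, window_s=600, max_jobs=100):
    """Return {submitter: peak job count} for submitters that sent more than
    max_jobs jobs inside any window_s-second span.

    `jobs` is an iterable of (epoch_seconds, submitter), sorted by time.
    The format is hypothetical; map your spooler or accounting log onto it.
    """
    recent = defaultdict(deque)   # submitter -> timestamps still in window
    peaks = {}
    for ts, who in jobs:
        q = recent[who]
        q.append(ts)
        while q[0] <= ts - window_s:   # drop jobs older than the window
            q.popleft()
        if len(q) > max_jobs:
            peaks[who] = max(peaks.get(who, 0), len(q))
    return peaks


def sample_jobs():
    """Constructed sample: two ordinary users and one flooding workstation."""
    jobs = [(t, "alice@ws-07") for t in range(0, 3600, 900)]
    jobs += [(t, "bob@ws-12") for t in range(100, 3600, 400)]
    # About 3 jobs per second for 5 minutes, roughly the >10.000 jobs/hour
    # spooling rate reported in the post.
    jobs += [(1000 + i / 3, "svc@ws-31") for i in range(900)]
    return sorted(jobs)


if __name__ == "__main__":
    for who, peak in flag_job_floods(sample_jobs()).items():
        print(f"{who}: {peak} jobs within 10 minutes")
    for digits in (4, 5, 6, 8):
        hours = hours_to_exhaust(digits, 5000)
        print(f"{digits}-digit PINs at 5000 jobs/hour: {hours:.0f} h")
```

Because the printer discards invalid jobs silently, the submission rate on the spooler side is the signal available without device-side rejection logs.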
