
I've got to the section related to network printer exploitation while going through a security course. Under "network printer" I understand standalone devices with a dedicated ethernet/wireless link, listening on port 9100, with some administration interface (web, SNMP, vendor's custom app) accessible over the network, or something like that. There were several attacks I would really love to try to reproduce, but I definitely do not want to buy them all (actually some of them would cost me a fortune). But it seems that most of these devices nowadays run some kind of Linux as firmware (at least the most expensive of them do), and this firmware is easy to acquire. So I thought there could be some project aiming to emulate some of them (well, we have GNS for Cisco, so why not?).

I must clarify: I'm not talking about some virtual printer shared from an MS Windows host or about a generic Linux box with some general-purpose printing daemon listening on port 9100. I need the exact firmware of some really existing network printer running on a virtual machine of sorts. It needn't actually print anything (or it could print to a file), but from all other perspectives it must handle all connections and requests as the real one would.

Kind regards and thank you for help in advance.

tis
  • Very interesting question, even though I'm a bit pessimistic about whether any general solution exists since, while you may still be able to emulate the processor running the firmware, to fully boot it will need very specific interaction with hardware expected to be present. To work, it would require emulating this specific hardware too, so it would not be generic anymore; the resulting software would be able to emulate only a single model of printer. – WhiteWinterWolf Mar 29 '15 at 12:57
  • 4
    QEMU can emulate many different processors, so maybe you can get one of these firmware images to boot. The hard part would be to emulate the same network hardware so the firmware can actually "talk" to the outside and you can start pentesting it. –  Mar 29 '15 at 16:35
  • @André Daniel Dang, I was going to mention QEMU. It is the dev tool of choice for embedded devices that are non-x86. – rook Mar 29 '15 at 19:47
  • I am also looking for printer firmware to virtualize to add to my pentest lab, but yeah, so far it's been near impossible to find. Your post here is the closest thing I have to a solution. Did you pursue Simics or manage to find anything better? – Steve Turns Apr 27 '16 at 22:00

1 Answer

I'd recommend Virtutech's SIMICS software. Note that Virtutech was bought by Intel and assigned to their subsidiary: Wind River.

Simics is a SIMULATOR, which has important distinctions from an EMULATOR (like qemu). See https://stackoverflow.com/questions/1584617/simulator-or-emulator-what-is-the-difference for specifics on the differences.

Simics simulates many (hundreds?) of architectures. You select the specific one you are interested in (in your case, the architecture in use by the desired printer) and load its environment within Simics. Then you load the software (kernel & OS, if it has an OS) that you want to test. Afterwards you execute Simics and it boots and executes the target software exactly as it would execute on the native hardware. This is a chief benefit of simulators versus emulators.

With Simics you can pause execution, set breakpoints in the kernel, and reverse a crash! Indeed, you can encounter a crash and then effectively execute in reverse to understand what led to the crash. You cannot easily do that in an emulator, and even if you were to attempt it, the internal state of the emulator differs from the real hardware architecture of the target, so the results are mixed.

BLUF: you need a SIMULATOR not an EMULATOR.

[edit]: Link to Simics information: http://www.windriver.com/products/simics/

Nick