HP LaserJet Printer SNMP Enumeration
This Metasploit module enumerates files that were previously printed. For each job it reports details such as the filename, client, timestamp and username. The default community string used is "public".
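##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that reads an HP LaserJet's system identification and its
# stored print-job records over SNMP and prints them to the console.
#
# Every value shown comes from the queried device, and the job fields were
# originally supplied by whoever submitted the print job. They are printed as
# received, so treat the output as untrusted text.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata (name, description, references, author).
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HP LaserJet Printer SNMP Enumeration',
      'Description' => %q{
        This module allows enumeration of files previously printed.
        It provides details as filename, client, timestamp and username information.
        The default community used is "public".
      },
      'References' => [
        [ 'URL', 'https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol' ],
        [ 'URL', 'https://net-snmp.sourceforge.io/docs/man/snmpwalk.html' ],
        [ 'URL', 'http://www.nothink.org/codes/snmpcheck/index.php' ],
        [ 'URL', 'http://www.securiteam.com/securitynews/5AP0S2KGVS.html' ],
        [ 'URL', 'http://stuff.mit.edu/afs/athena/dept/cron/tools/share/mibs/290923.mib' ],
      ],
      'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
      'License' => MSF_LICENSE
    ))
  end

  # Queries one host: reads the standard system OIDs, walks the HP job-info
  # table, and prints one line per collected field.
  #
  # Known SNMP and connection failures are reported with print_error; an
  # interrupt is re-raised so the scan can be cancelled.
  #
  # @param ip [String] address of the host currently being scanned
  def run_host(ip)
    snmp = connect_snmp
    vprint_status("Connecting to #{ip}")

    output_data = []
    output_data << "IP address : #{ip}"

    sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
    output_data << "Hostname : #{sys_name.strip}"

    # Collapse leading/trailing whitespace and line breaks so the description
    # stays on a single output row.
    sys_desc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s.gsub(/^\s+|\s+$|\n+|\r+/, ' ')
    output_data << "Description : #{sys_desc.strip}"

    sys_contact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s
    output_data << "Contact : #{sys_contact.strip}" unless sys_contact.empty?

    sys_location = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s
    output_data << "Location : #{sys_location.strip}" unless sys_location.empty?

    output_data << ""

    snmp.walk([
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1",    # job-info-name1 - document name1
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.2",    # job-info-name2 - document name2
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1", # job-info-attr-1 - username
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2", # job-info-attr-2 - machine name
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.3", # job-info-attr-3 - domain (?)
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.4", # job-info-attr-4 - timestamp
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6", # job-info-attr-6 - application name
      "1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.7", # job-info-attr-7 - application command
    ]) do |name1, name2, user_vb, client_vb, domain_vb, time_vb, app_vb, cmd_vb|
      # The document name is split across two columns; join them back together.
      filename = name1.value.to_s + name2.value.to_s

      username    = job_attr(user_vb)
      client      = job_attr(client_vb)
      domain      = job_attr(domain_vb)
      timestamp   = job_attr(time_vb)
      app_name    = job_attr(app_vb)
      app_command = job_attr(cmd_vb)

      # A row without a timestamp is skipped entirely.
      next if timestamp.empty?

      output_data << "File name : #{filename}"
      output_data << "Username : #{username}" unless username.empty?
      output_data << "Client : #{client}" unless client.empty?
      output_data << "Domain : #{domain}" unless domain.empty?
      output_data << "Timestamp : #{timestamp}"
      output_data << "Application : #{app_name} (#{app_command})" unless app_name.empty?
      output_data << ""
    end

    # NOTE(review): rows are printed exactly as the device returned them; if
    # control characters in job names are a concern for the operator's
    # terminal or logs, filter them here before printing.
    output_data.each { |row| print_good(row) }
  rescue SNMP::RequestTimeout
    print_error("#{ip}, SNMP request timeout.")
  rescue Errno::ECONNREFUSED
    print_error("#{ip}, Connection refused.")
  rescue SNMP::InvalidIpAddress
    print_error("#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.")
  rescue ::Interrupt
    raise
  rescue ::Exception => e
    # Kept as broad as the original handler so one failing host is reported
    # instead of raising out of run_host.
    print_error("#{ip}, Unknown error: #{e.class} #{e}")
  ensure
    # Release the SNMP session on every path, including the error paths above.
    disconnect_snmp
  end

  private

  # Extracts the value part of a "JobAcct<n>=<value>" job attribute.
  #
  # Always returns a String. A missing instance or a value in any other format
  # yields '' so the caller's empty? checks never run against the varbind
  # object itself.
  #
  # @param varbind [#value] one column of a walked job-info row
  # @return [String] the attribute value, or '' when absent or unparseable
  def job_attr(varbind)
    raw = varbind.value.to_s
    return '' if raw.include?('noSuchInstance')

    parsed = /^JobAcct(\d+)=(.*)/.match(raw)
    parsed ? parsed[2] : ''
  end
end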