This isn't particularly elegant, and I haven't had time to test it much, but I think it'll work. Assuming you have the ability to run commands on the box of course.
FOR /L %i in (1,0,2) DO @ping -n 6 127.0.0.1 > nul & (copy c:\Windows\System32\spool\PRINTERS\*.* c:\temp\ >nul 2>nul)

It loops infinitely (or until 1+0=2) and on each iteration does a 5 second ping delay before trying to copy any files in your print spool to c:\temp\. It also spits standard output & standard error to nul just to be clean, though I assume you wouldn't be running this from the desktop anyway. I have no clue how long files stay in the spool folder though, so you may want to increase or decrease the delay. And since the spooler service removes the files after they're printed, you don't have to worry about the same files being copied repeatedly.

One addition that might be neat would be some kind of warning when files have been copied. So for instance when the second command is successful, have it send a message to a box that you have listening.

Here's a slightly more evil idea I had. Drop the ping delay on this down to 1 second. Then every time a file shows up, MOVE the file to your other directory and replace it with another SPL file that has something you've created. So every time anyone prints anything, they get your file, whatever you'd like that to be. I don't know if that would work or not, but it would certainly be fun to try in the office. Who's ever going to troubleshoot a printer problem like that by looking for a random cmd.exe process?

-- Nathan

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Adrian Crenshaw
Sent: Tuesday, August 25, 2009 7:03 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Need help with a printer hacking idea

Ok, I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes has SPL files in it that contain EMF versions of what is being printed (I've attached a sample). You can find a viewer here http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These normally get deleted as soon as the print job finishes printing.
I've tried using tools that look in the MFT, but they don't see any deleted files that match (working on the data carve as we speak). Other than having an app that sits there that constantly polls for new files in the spool folder, can you think of a way to have an event fire off that will copy these jobs as they are printed? Lots of sensitive stuff is printed, and this could be some useful info for pentesters/forensics guys.

Adrian
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
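An event-driven alternative to the polling loop above, answering the question of having something fire when a spool file appears rather than sleeping and copying. This is an added example, not code posted by either participant in the thread. It assumes an elevated PowerShell session (the PRINTERS folder is not readable by a standard user), a .NET FileSystemWatcher on that folder, and C:\temp\spool-capture as the destination; those choices are mine, not from the thread.

```powershell
# Added example: capture spool files on Created/Changed events instead of polling.
# Assumptions (not from the original posts): elevated PowerShell, and the
# destination folder C:\temp\spool-capture.
$spool = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
$dest  = 'C:\temp\spool-capture'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Shared state for the event handlers: destination folder, plus a map from spool
# file name to the timestamp assigned when it first appeared, so that repeated
# Changed events for one job overwrite one capture instead of producing many copies.
$state = @{ Dest = $dest; Jobs = @{} }

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $spool
$watcher.Filter = '*.*'
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

$action = {
    $state = $Event.MessageData
    $name  = $Event.SourceEventArgs.Name
    $src   = $Event.SourceEventArgs.FullPath
    $kind  = $Event.SourceEventArgs.ChangeType

    # .SPL holds the job data (EMF in the case described); .SHD is the job's shadow file.
    if ($name -notmatch '\.(spl|shd)$') { return }

    if ($kind -eq 'Deleted') { $state.Jobs.Remove($name); return }

    if (-not $state.Jobs.ContainsKey($name)) {
        $state.Jobs[$name] = Get-Date -Format 'yyyyMMdd-HHmmss-fff'
    }
    $target = Join-Path $state.Dest ('{0}-{1}' -f $state.Jobs[$name], $name)

    # The spooler may still be writing the file, or may delete it within
    # milliseconds of the last write: retry briefly on sharing violations and
    # give up cleanly once the file is gone.
    for ($i = 0; $i -lt 20; $i++) {
        try {
            Copy-Item -LiteralPath $src -Destination $target -Force -ErrorAction Stop
            return
        } catch {
            if (-not (Test-Path -LiteralPath $src)) { return }
            Start-Sleep -Milliseconds 25
        }
    }
}

$subs = foreach ($evt in 'Created', 'Changed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -Action $action -MessageData $state
}
$watcher.EnableRaisingEvents = $true

Write-Host "Watching $spool; captures go to $dest. Ctrl+C to stop."
try {
    # Event actions run while the main pipeline is idle, so just keep it idle.
    while ($true) { Start-Sleep -Seconds 1 }
} finally {
    $watcher.EnableRaisingEvents = $false
    $subs | ForEach-Object { Unregister-Event -SubscriptionId $_.Id }
    $watcher.Dispose()
}
```

Two caveats a practitioner should expect. First, the race the thread worries about does not go away: a small job can be rendered and its spool file removed before the handler's first copy succeeds, and if the spooler holds the file exclusively the retries will keep failing until it is deleted. Second, if you are allowed to change printer settings, the printer's "Keep printed documents" option (Advanced tab) leaves the SPL/SHD pair in place after printing, which removes the race entirely at the cost of being visible to anyone who looks at the printer properties.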
