Xerox Administrator Console Password Extractor - Metasploit

This page contains detailed information about how to use the auxiliary/gather/xerox_pwd_extract metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: Xerox Administrator Console Password Extractor
Module: auxiliary/gather/xerox_pwd_extract
Source code: modules/auxiliary/gather/xerox_pwd_extract.rb
Disclosure date: -
Last modification time: 2019-11-05 18:32:45 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 80
List of CVEs: -

This module will extract the management console's admin password from the Xerox file system using firmware bootstrap injection.

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

msf > use auxiliary/gather/xerox_pwd_extract
msf auxiliary(xerox_pwd_extract) > show targets
    ... a list of targets ...
msf auxiliary(xerox_pwd_extract) > set TARGET target-id
msf auxiliary(xerox_pwd_extract) > show options
    ... show and set options ...
msf auxiliary(xerox_pwd_extract) > exploit

Required Options

---

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Go back to menu.

Msfconsole Usage

---

Here is how the gather/xerox_pwd_extract auxiliary module looks in the msfconsole:

msf6 > use auxiliary/gather/xerox_pwd_extract

msf6 auxiliary(gather/xerox_pwd_extract) > show info

       Name: Xerox Administrator Console Password Extractor
     Module: auxiliary/gather/xerox_pwd_extract
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Deral "Percentx" Heiland
  Pete "Bokojan" Arzamendi

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  JPORT    9100             yes       Jetdirect port
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    80               yes       Web management console port for the printer (TCP)
  TIMEOUT  45               yes       Timeout to wait for printer job to run

Description:
  This module will extract the management console's admin password 
  from the Xerox file system using firmware bootstrap injection.

Module Options

---

This is a complete list of options available in the gather/xerox_pwd_extract auxiliary module:

msf6 auxiliary(gather/xerox_pwd_extract) > show options

Module options (auxiliary/gather/xerox_pwd_extract):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   JPORT    9100             yes       Jetdirect port
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       Web management console port for the printer (TCP)
   TIMEOUT  45               yes       Timeout to wait for printer job to run

Advanced Options

---

Here is a complete list of advanced options supported by the gather/xerox_pwd_extract auxiliary module:

msf6 auxiliary(gather/xerox_pwd_extract) > show advanced

Module advanced options (auxiliary/gather/xerox_pwd_extract):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CHOST                            no        The local client address
   CPORT                            no        The local client port
   ConnectTimeout  10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                        no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode   PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion      Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module

Auxiliary Actions

---

This is a list of all auxiliary actions that the gather/xerox_pwd_extract module can do:

msf6 auxiliary(gather/xerox_pwd_extract) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

---

Here is the full list of possible evasion options supported by the gather/xerox_pwd_extract auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(gather/xerox_pwd_extract) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages

---

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

<RHOST>:<JPORT> - No credentials extracted

---

Here is a relevant code snippet related to the "<RHOST>:<JPORT> - No credentials extracted" error message:

55:	      print_good("#{rhost}:#{jport} - Credentials saved in: #{p}")
56:	
57:	      register_creds('Xerox-HTTP', rhost, rport, 'Admin', passwd)
58:	
59:	    else
60:	      print_error("#{rhost}:#{jport} - No credentials extracted")
61:	    end
62:	  end
63:	
64:	  # Trigger firmware bootstrap write out password data to URL root
65:	  def write

<RHOST>:<JPORT> - Error connecting to <RHOST>

---

Here is a relevant code snippet related to the "<RHOST>:<JPORT> - Error connecting to <RHOST>" error message:

92:	
93:	    begin
94:	      connect(true, 'RPORT' => jport)
95:	      sock.put(create_print_job)
96:	    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
97:	      print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")
98:	    ensure
99:	      disconnect
100:	    end
101:	  end
102:	

<RHOST>:<JPORT> - Error getting password from <RHOST>

---

Here is a relevant code snippet related to the "<RHOST>:<JPORT> - Error getting password from <RHOST>" error message:

109:	      sock.put(request)
110:	      res = sock.get_once || ''
111:	      passwd = res.match(/\r\n\s(.+?)\n/)
112:	      return passwd ? passwd[1] : ''
113:	    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError
114:	      print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")
115:	      return
116:	    ensure
117:	      disconnect
118:	    end
119:	  end

<RHOST>:<JPORT> - Error removing print job from <RHOST>

---

Here is a relevant code snippet related to the "<RHOST>:<JPORT> - Error removing print job from <RHOST>" error message:

146:	
147:	    begin
148:	      connect(true, 'RPORT' => jport)
149:	      sock.put(remove_print_job)
150:	    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
151:	      print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")
152:	    ensure
153:	      disconnect
154:	    end
155:	  end
156:	

Go back to menu.

Related Pull Requests

---

• #12543 Merged Pull Request: Fix: auxiliary/kerberos_enumusers stops after first match
• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #5059 Merged Pull Request: Yard doc corrections
• #4123 Merged Pull Request: Cosmetic title/desc updates
• #4114 Merged Pull Request: Rescue the correct exception: Rex::HostUnreachable
• #4085 Merged Pull Request: Xerox Admin password extractor.

Go back to menu.

See Also

---

Check also the following modules related to this module:

• auxiliary/gather/xerox_workcentre_5xxx_ldap
• auxiliary/scanner/snmp/xerox_workcentre_enumusers
• exploit/unix/misc/xerox_mfp
• auxiliary/admin/vmware/vcenter_offline_mdb_extract
• auxiliary/gather/konica_minolta_pwd_extract
• auxiliary/gather/wp_ultimate_csv_importer_user_extract
• auxiliary/gather/wp_w3_total_cache_hash_extract
• auxiliary/scanner/printer/canon_iradv_pwd_extract
• auxiliary/admin/http/dlink_dir_645_password_extractor
• auxiliary/admin/http/dlink_dsl320b_password_extractor
• auxiliary/admin/http/netgear_soap_password_extractor
• auxiliary/admin/http/zyxel_admin_password_extractor
• auxiliary/gather/memcached_extractor
• auxiliary/gather/redis_extractor
• auxiliary/scanner/http/meteocontrol_weblog_extractadmin
• auxiliary/scanner/sap/sap_mgmt_con_extractusers
• exploit/windows/browser/facebook_extractiptc
• auxiliary/gather/coldfusion_pwd_props
• auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
• auxiliary/scanner/http/titan_ftp_admin_pwd
• exploit/linux/misc/ib_pwd_db_aliased
• exploit/windows/ftp/ftpgetter_pwd_reply
• exploit/windows/ftp/ftpshell51_pwd_reply
• exploit/windows/ftp/xftp_client_pwd
• post/windows/gather/credentials/enum_picasa_pwds

Authors

---

• Deral "Percentx" Heiland
• Pete "Bokojan" Arzamendi

Version

---

This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.