# Compromised Network Printer

## Challenge : [Compromised Network Printer](https://app.letsdefend.io/challenge/compromised-network-printer)

### Q1: Identify the port scan activity performed by the attacker on the network. What was the NAT IP Address (Internal IP Address) assigned to the machine being used by the attacker on the internal network?

<figure><img src="/files/isCOxcG1SeILhafttXuI" alt=""><figcaption><p>Image 1</p></figcaption></figure>

The pcap contains a burst of TCP SYN packets from `172.31.35.23` to a long run of different destination ports in quick succession, with no handshake completed on most of them. That is the signature of a SYN (half-open) port scan, so `172.31.35.23` is the attacker's internal (NAT) address. The Wireshark filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates the probes, and Statistics > Conversations then shows one source talking to far more ports than any other host.

### Q2: Which ports were open on the network printer? Identify the port used for printer exploitation.

<figure><img src="/files/CChUsCxTweaj3JJPo3HC" alt=""><figcaption><p>Image 2</p></figcaption></figure>

The capture also shows `172.31.35.23` talking to `172.31.40.241` on TCP port `9100`. Port 9100 is the raw (JetDirect/AppSocket) printing port, and following the TCP stream confirms the host is a printer: what is sent to it is printer control language, not application traffic. Of the ports that were probed, the open ones are those from which the printer answered with SYN/ACK; `ip.src == 172.31.40.241 && tcp.flags.syn == 1 && tcp.flags.ack == 1` lists them, and 9100 is the one the attacker went on to use for the exploitation.

<figure><img src="/files/j7f92KG2WPeVhP2T74NJ" alt=""><figcaption><p>Image 3</p></figcaption></figure>
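As an added example (my own, not code from the write-up or the challenge), the following script does the Q1 and Q2 checks programmatically: it reads a classic pcap, flags any source that sends bare SYNs to many distinct targets, and lists the ports on a host that replied SYN/ACK. The capture it runs on is constructed inline with RFC 5737 addresses (192.0.2.10 scanning 192.0.2.20); it is not the challenge pcap, and checksums are left at zero because the parser does not verify them.

```python
"""Spot a SYN scan and the open ports in a classic pcap (pure stdlib)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

SYN, RST, ACK = 0x02, 0x04, 0x10


def build_frame(src, dst, sport, dport, flags, seq=1, ack=0):
    """Construct one Ethernet II / IPv4 / TCP frame with no payload.
    Checksums are left at zero: the parser below never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000, i, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for each IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4 over Ethernet II
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                              # not TCP
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield (str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20])),
               sport, dport, ip[ihl + 13])


def find_syn_scanners(pcap, min_targets=10):
    """Sources that sent bare SYNs (SYN set, ACK clear) to >= min_targets
    distinct (host, port) pairs. Normal clients hit one or two targets;
    a scanner hits dozens within seconds."""
    probes = defaultdict(set)
    for src, dst, _, dport, flags in iter_tcp(pcap):
        if (flags & (SYN | ACK)) == SYN:
            probes[src].add((dst, dport))
    return {s: len(t) for s, t in probes.items() if len(t) >= min_targets}


def open_ports(pcap, host):
    """Ports on host that answered with SYN/ACK, i.e. were open to the scanner."""
    return sorted({sport for src, _, sport, _, flags in iter_tcp(pcap)
                   if src == host and (flags & (SYN | ACK)) == SYN | ACK})


# Constructed sample traffic (RFC 5737 addresses, not the challenge capture):
# 192.0.2.10 probes twelve ports on 192.0.2.20, three answer SYN/ACK and the
# rest RST/ACK; 192.0.2.30 is a normal client completing one handshake to 9100.
SCANNER, PRINTER, CLIENT = "192.0.2.10", "192.0.2.20", "192.0.2.30"
PROBED = [21, 22, 23, 80, 443, 515, 631, 3389, 8080, 9100, 9101, 9102]
OPEN = {80, 631, 9100}
_frames = []
for p in PROBED:
    _frames.append(build_frame(SCANNER, PRINTER, 40000 + p, p, SYN))
    _frames.append(build_frame(PRINTER, SCANNER, p, 40000 + p,
                               SYN | ACK if p in OPEN else RST | ACK))
_frames.append(build_frame(CLIENT, PRINTER, 51000, 9100, SYN))
_frames.append(build_frame(PRINTER, CLIENT, 9100, 51000, SYN | ACK))
_frames.append(build_frame(CLIENT, PRINTER, 51000, 9100, ACK))
SAMPLE_PCAP = build_pcap(_frames)

if __name__ == "__main__":
    print("SYN scanners:", find_syn_scanners(SAMPLE_PCAP))         # {'192.0.2.10': 12}
    print("open on printer:", open_ports(SAMPLE_PCAP, PRINTER))    # [80, 631, 9100]
```

To run it against the real challenge capture, read the file into `pcap` with `open(path, "rb").read()` and call the two functions with the page's addresses; the parser only handles Ethernet II frames in the classic pcap container, so a pcapng export from Wireshark must first be saved as pcap. The threshold of ten distinct targets is a starting point, not a rule: a scanner hitting one host on a handful of ports can hide under it, and a busy proxy can exceed it.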

### Q3: Based on the abused port number, which printer language/method was being abused by the attacker for unattended malicious activity on the network printer?

The stream in Image 3 is full of lines beginning with `@PJL`, the fixed prefix of every Printer Job Language command, so the language being abused over port 9100 is PJL.

{% hint style="info" %}
Printer Job Language (PJL) is a command language developed by Hewlett-Packard (HP) for managing and controlling printers. It sits above the page description language (PCL or PostScript) and provides printer configuration, job control, status reporting and, on many devices, access to the printer's file system. Sent over the raw port 9100 it is accepted without any authentication on most printers, which is what lets an attacker with network reach drive the device this way.
{% endhint %}

### Q4: Which Printer Name/Model was attacked?

The same stream (Image 3) shows the printer's name/model string. PJL returns it in reply to `@PJL INFO ID`, which is normally the first command an attacker sends to fingerprint the device.

### Q5: The attacker has discovered a scheduled print job that is associated with an employee who is suspected of being an insider threat. What is the full path of the print job file?

<figure><img src="/files/fhzJBKcihwewikNy4plY" alt=""><figcaption><p>Image 4</p></figcaption></figure>

Following the TCP stream further, we see the attacker querying the printer's file system. PJL exposes the device's storage through commands such as `@PJL FSDIRLIST` (directory listing) and `@PJL FSQUERY` (file attributes). In a directory listing the directory is carried in the command's `NAME` parameter and the entries come back in the printer's reply, so the full path of a file is the two joined together.
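To make the stream content concrete, here is an added example (mine, not part of the original write-up or of the challenge) that parses the attacker's side of a raw 9100 session and the printer's `FSDIRLIST` reply. It covers the PJL syntax from Q3 and the file-system query from Q5. The session bytes, the `0:/jobs` directory and `example.ps` are constructed stand-ins, not the challenge's data.

```python
"""Parse raw PJL pulled from a port-9100 TCP stream (attacker side and replies)."""
import re

UEL = b"\x1b%-12345X"   # Universal Exit Language: brackets every PJL job
FS_COMMANDS = {"FSDIRLIST", "FSQUERY", "FSUPLOAD", "FSDOWNLOAD", "FSAPPEND",
               "FSDELETE", "FSMKDIR", "FSINIT"}
_CMD_RE = re.compile(r"@PJL\s+(\w+)(.*)")
_PARAM_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')
_ENTRY_RE = re.compile(r"^(.+?)\s+TYPE=(DIR|FILE)(?:\s+SIZE=(\d+))?\s*$")


def parse_pjl_commands(client_stream):
    """Return [(command, argument, {param: value}), ...] from client->printer bytes.
    'argument' is the bare word after the command (e.g. ID in '@PJL INFO ID')."""
    commands = []
    text = client_stream.replace(UEL, b"\n").decode("ascii", errors="replace")
    for line in text.splitlines():
        m = _CMD_RE.match(line.strip())
        if not m:
            continue                  # payload bytes (FSDOWNLOAD data, PCL, PostScript)
        cmd, rest = m.group(1).upper(), m.group(2)
        params = {k.upper(): v.strip('"') for k, v in _PARAM_RE.findall(rest)}
        commands.append((cmd, _PARAM_RE.sub("", rest).strip(), params))
    return commands


def filesystem_activity(client_stream):
    """Only the commands that touch the printer's storage, with the path they name."""
    return [(cmd, params.get("NAME", ""))
            for cmd, _, params in parse_pjl_commands(client_stream)
            if cmd in FS_COMMANDS]


def parse_dirlist_response(printer_stream):
    """Turn FSDIRLIST replies into [(full_path, 'FILE'|'DIR', size), ...].
    The directory comes from the echoed NAME parameter, the entries from the
    lines that follow it, up to the form feed that ends the reply."""
    entries, base = [], None
    text = printer_stream.decode("ascii", errors="replace").replace("\x0c", "\n")
    for line in text.splitlines():
        line = line.strip()
        m = _CMD_RE.match(line)
        if m and m.group(1).upper() == "FSDIRLIST":
            base = dict(_PARAM_RE.findall(m.group(2)))["NAME"].strip('"').rstrip("/\\")
            continue
        e = _ENTRY_RE.match(line)
        if base is not None and e and e.group(1) not in (".", ".."):
            size = int(e.group(3)) if e.group(3) else None
            entries.append((f"{base}/{e.group(1)}", e.group(2), size))
    return entries


# Constructed attacker->printer bytes (hypothetical paths, not the challenge's):
# fingerprint the device, list the root and one directory, then read a file back.
ATTACKER_STREAM = (
    UEL + b"@PJL INFO ID\r\n"
    + UEL + b'@PJL FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535\r\n'
    + UEL + b'@PJL FSDIRLIST NAME="0:/jobs" ENTRY=1 COUNT=65535\r\n'
    + UEL + b'@PJL FSUPLOAD NAME="0:/jobs/example.ps" OFFSET=0 SIZE=2048\r\n'
    + UEL
)
# Constructed printer reply to the second listing, in the layout HP devices use.
PRINTER_REPLY = (
    b'@PJL FSDIRLIST NAME="0:/jobs" ENTRY=1\r\n'
    b". TYPE=DIR\r\n.. TYPE=DIR\r\n"
    b"example.ps TYPE=FILE SIZE=2048\r\n"
    b"archive TYPE=DIR\r\n\x0c"
)

if __name__ == "__main__":
    for cmd, path in filesystem_activity(ATTACKER_STREAM):
        print(f"{cmd:<10} {path}")
    for path, kind, size in parse_dirlist_response(PRINTER_REPLY):
        print(f"{kind:<4} {size or '':>6} {path}")
```

Feed `parse_pjl_commands` the client-to-server half of Wireshark's "Follow TCP Stream" (saved as raw bytes) and `parse_dirlist_response` the server-to-client half; any `FSDIRLIST`, `FSQUERY` or `FSUPLOAD` in the output is the file-system access the questions are about, and the paths it returns are the answers' full paths. Unauthenticated file-system commands over 9100 are a standard detection rule for printer abuse, since legitimate print clients only ever send job data.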

### Q6: What is the name of the targeted organization?

The contents of `scheduled.ps` are in the capture as well (in PJL a file is read back from the device with `@PJL FSUPLOAD`, and the reply carries the raw bytes). Reading the PostScript reveals the name of the targeted organization.

### Q7: The attacker found information about RDP within the internal network. What is the directory path where this sensitive information was located?

Taking the hint from the question, we search the capture for the string `.rdp` (Edit > Find Packet, with the String option against packet bytes) and find a file with that extension.

<figure><img src="/files/uIgrG8PWTYvpDZBz3vFH" alt=""><figcaption><p>Image 5</p></figcaption></figure>

<figure><img src="/files/HR4AW54dFV7qFyvWlFzL" alt=""><figcaption><p>Image 6</p></figcaption></figure>

The hit is for a file named `internal.rdp`. Following the TCP stream, as in Q5, shows the file-system query that returned it, and the directory named in that query is the path the question asks for.

<figure><img src="/files/DIaCM8obA6gm7HeS5rps" alt=""><figcaption><p>Image 7</p></figcaption></figure>

### Q8: What is the IP address of the Jumphost?

<figure><img src="/files/gt0gDJqNtfQOctyzHJGM" alt=""><figcaption><p>Image 8</p></figcaption></figure>

An `.rdp` file is plain text with one `key:type:value` setting per line; the host it connects to is on the `full address:s:` line, which here gives the Jumphost's IP address. A file like this left on a printer's storage tells anyone who can reach port 9100 exactly which internal host to aim at and, if `username:s:` or a `password 51:b:` blob is present, whom to impersonate.
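As an added example (mine, not part of the write-up), this parses the `key:type:value` layout of an `.rdp` file and pulls out the connection target and the other fields that matter when such a file leaks. The sample file is constructed with a hypothetical host, domain and account; it is not `internal.rdp` from the challenge.

```python
"""Parse an .rdp connection file and pull out what an attacker would want from it."""

# Keys that hand an attacker a target or an identity if the file leaks.
SENSITIVE_KEYS = {"full address", "username", "domain", "password 51",
                  "gatewayhostname", "alternate shell", "administrative session"}


def parse_rdp(text):
    """Return {key: value} from the 'key:type:value' lines of an .rdp file.
    Type i values become int; s (string) and b (hex blob) stay as strings."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)      # the value may itself contain ':'
        if len(parts) != 3:
            continue                             # blank line or junk
        key, kind, value = parts
        settings[key.lower()] = int(value) if kind == "i" else value
    return settings


def rdp_target(text):
    """(host, port) from 'full address:s:'; port defaults to 3389 (IPv4/hostnames)."""
    host, _, port = parse_rdp(text).get("full address", "").partition(":")
    return host, int(port) if port else 3389


def sensitive_fields(text):
    """The subset of settings worth reporting when an .rdp file is found exposed."""
    return {k: v for k, v in parse_rdp(text).items() if k in SENSITIVE_KEYS}


# Constructed sample (hypothetical host, domain and account, not the challenge's).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:192.0.2.50:3389
username:s:CORP\\svc_admin
domain:s:CORP
administrative session:i:1
redirectclipboard:i:1
"""

if __name__ == "__main__":
    print("connects to:", rdp_target(SAMPLE_RDP))      # ('192.0.2.50', 3389)
    print("sensitive:", sensitive_fields(SAMPLE_RDP))
```

A `password 51:b:` value is a DPAPI blob that only decrypts on the machine and user account that saved it, so it is useless to an attacker who merely reads the file, but the host, domain and username beside it are not, which is why an `.rdp` file on shared storage is already a finding.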

### Q9: What is the filename of the PowerShell script used by admins which was also found by the attacker?

<figure><img src="/files/0aLxiF1BK0CKdWdWKUw1" alt=""><figcaption><p>Image 9</p></figcaption></figure>

Near the end of TCP stream 65623 a second script file is listed: the PowerShell script used by the admins, which the attacker also found. (PowerShell scripts conventionally carry the `.ps1` extension; `.ps` is PostScript, as with `scheduled.ps`.)

