PoC script to recover domain passwords stored in the Address Book of HP LaserJet Enterprise M775 printers.
This repository contains the code described in the research article:
Reversing HP LaserJet Enterprise M775 Firmware: Recovering Domain Passwords from the Address Book
The HP M775 multifunction printers can export their Address Book to a CSV file. When configured to scan to network folders (SMB), the device stores domain user credentials within this file.
The authpassword field in the CSV is encrypted (AES-256-CBC) and Base64 encoded. The firmware analysis revealed that the encryption key is derived using PBKDF2-HMAC-SHA1. This script reverses that process to recover the plaintext password.
- Python 3.x
- PyCryptodome library
git clone https://github.com/itres-labs/HP-LaserJet-M775-Decryptor.git
cd HP-LaserJet-M775-Decryptor
pip install pycryptodomexThe script m775-authpassword-decrypt.py requires the encryption password (often the one set during export or the admin password) and the encrypted blob from the CSV.
python m775-authpassword-decrypt.py -p <PASSWORD> <BASE64_BLOB>python m775-authpassword-decrypt.py -p mySecretPass U2FsdGVkX19hYmNkZWY...Output:
Blob: U2FsdGVkX19hYmNkZWY...
Plaintext : RecoveredPassword123!
SHA-256 : 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Integrity : ✔
IV : a1b2c3d4e5f67890...
This tool is provided for educational and research purposes only. It is intended to demonstrate the findings of the firmware reverse engineering process. Do not use this tool on systems or data without authorization.