Fun with a JetDirect

**rowdy_yates** · September 8th, 2005, 11:01 AM

Originally posted here by SirDice

That's one of the reasons I usually put all printers on a seperate network, firewall them and only allow the printserver access.

BLEEPING FUGGIN GOOD IDEA!!! I will add this to my list of things to do during maintenece down time. If I just VLAN them into their own VLAN world -- could I just do that if i don't want to bother with the hassle?

***SirDice*** · September 8th, 2005, 12:11 PM

At my last job we did it using VLANs. Especially with big sites using dedicated switches is probably not going to work. You would need a lot more switches. Just define a printing VLAN and use an accesslist to regulate who can do what. We had to add 1 or 2 workstations so the guys 'n girls from facility management could monitor the printers for empty toners/papers etc.. Everybody else had to use the printserver.. Pretty simple setup but still effective

***phishphreek*** · September 8th, 2005, 08:32 PM

How about a quick "port scanner" that will scan for port 9100 (jet direct port) and send a print job to it. This could easily be done in perl. I have found example code for a perl based port scanner that can be easily modified to do the job.

I've played with it a bit and gotten it to work quite nice. Though, the code is rather beefy. If I'm not too tired when I get home from the gym I might slim it down. I accidentially spammed some printers with the string "You suck, you jackass!" Immediately afterwards... I started getting phone calls... ooops! At least I know it works... just hopefully they don't report it to mgt.

ROFL

***Irongeek*** · September 8th, 2005, 08:58 PM

One problem with scanning on port 9100 come up with Nmap and version detection. You get garbage print jobs with text like:

GET / HTTP/1.0
OPTIONS / HTTP/1.0
OPTIONS / RTSP/1.0

I've found that using the following works well:

***phishphreek*** · September 8th, 2005, 09:20 PM

I don't think that is the case with the new version of nmap 3.90.
Well, I've been unable to duplicate it...

Maybe its just my version of jetdirect?

nmap -O printerip -p 9100

or with

nmap printerip -p 9100

Seems that the printer will print whatever you throw at port 9100

http://printerip:9100 will print your browser info

------ HP JetDirect Configuration ------
Status: I/O Card Ready
Model Number: J6057A
Hardware Address: 000Exxxxxxxx
Firmware Version: R.25.09

Even your example with 9100 added to the port list doesn't set it off...
Either will --allports

Hmmm

***Irongeek*** · September 8th, 2005, 10:56 PM

I'll have to test with the newest version of Nmap sometime. I'm using 3.81 (I think) right now. I contacted Fydor awhile back about JetDirect and version detect, maybe he wrote a work around.

***Irongeek*** · September 8th, 2005, 11:21 PM

Ok, here is the answer:

Thanks for the information Fyodor. I should have RTFCL.

Adrian

-----Original Message-----
From: Fyodor [mailto:fyodor@insecure.org]
Sent: Thu 9/8/2005 5:10 PM
To: Crenshaw, Adrian D
Cc: nmap-dev@insecure.org
Subject: Re: Nmap 3.90 and JetDirects
On Thu, Sep 08, 2005 at 05:04:33PM -0500, Crenshaw, Adrian D wrote:
> I’m writing an article on hacking network printers and this topic came up. One problem with Nmap scanning port 9100 with version detection turned on is you get garbage print jobs with text like:
>
> GET / HTTP/1.0
> OPTIONS / HTTP/1.0
> OPTIONS / RTSP/1.0
>
> That corresponds to the probes Nmap is sending to try and tell what
> service is running on that port. Or at least you use to, a friend said
> he tested with 3.90 and that no longer happens, at least on his
> JetDirect. Was something changed with 3.90 to fix the JetDirect port
> 9100 problems?

Yes, by default Nmap no longer service scans 9100:

o Added "Exclude" directive to nmap-service-probes grammar which
causes version detection to skip listed ports. This is helpful for
ports such as 9100. Some printers simply print any data sent to
that port, leading to pages of HTTP requests, SMB queries, X Windows
probes, etc. If you really want to scan all ports, specify
--allports. This patch came from Doug Hoyte (doug(a)hcsw.org).

[ http://www.insecure.org/nmap/nmap_changelog.html ]

With such a big changelog for this release, you can be forgiven for
missing it

. I'm looking forward to your paper on hacking network
printers.

Cheers,
-F

***phishphreek*** · September 9th, 2005, 03:33 AM

Makes sense. I briefly glanced at the change log when I downloaded it. I noticed that they don't scan 9100 by default but not that it doesn't try version detection. I even tried to use -O to "force" version detection. Seems it still ignores that port.

***rcgreen*** · September 11th, 2005, 06:31 PM

Does this mean I can telnet to the printer ip and type stuff and it will print?
That's almost as easy as typing my doc in MS Word and clicking "print"

***Irongeek*** · September 11th, 2005, 07:23 PM

Originally posted here by rcgreen
Does this mean I can telnet to the printer ip and type stuff and it will print?
That's almost as easy as typing my doc in MS Word and clicking "print"

Kind of sorta if you telnet to port 9100 on a JetDirect. By the way, I hope to have my article up Monday.

Thread: Fun with a JetDirect

Thread Tools

Display

Posting Permissions