HackTricks
Search…
HackTricks
👾
Welcome!
HackTricks
About the author
Getting Started in Hacking
🤩
Generic Methodologies & Resources
Pentesting Methodology
External Recon Methodology
Pentesting Network
Pentesting Wifi
Phishing Methodology
Basic Forensic Methodology
Brute Force - CheatSheet
Python Sandbox Escape & Pyscript
Exfiltration
Tunneling and Port Forwarding
Search Exploits
Shells (Linux, Windows, MSFVenom)
🐧
Linux Hardening
Checklist - Linux Privilege Escalation
Linux Privilege Escalation
Useful Linux Commands
Bypass Linux Shell Restrictions
Linux Environment Variables
Linux Post-Exploitation
🍏
MacOS Hardening
MacOS Security & Privilege Escalation
🪟
Windows Hardening
Checklist - Local Windows Privilege Escalation
Windows Local Privilege Escalation
Active Directory Methodology
NTLM
Lateral Movement
Authentication, Credentials, UAC and EFS
Stealing Credentials
Basic CMD for Pentesters
Basic PowerShell for Pentesters
AV Bypass
📱
Mobile Pentesting
Android APK Checklist
Android Applications Pentesting
iOS Pentesting Checklist
iOS Pentesting
👽
Network Services Pentesting
Pentesting JDWP - Java Debug Wire Protocol
Pentesting Printers
Accounting bypass
Buffer Overflows
Credentials Disclosure / Brute-Force
Cross-Site Printing
Document Processing
Factory Defaults
File system access
Firmware updates
Memory Access
Physical Damage
Software packages
Transmission channel
Print job manipulation
Print Job Retention
Scanner and Fax
Pentesting SAP
Pentesting Remote GdbServer
7/tcp/udp - Pentesting Echo
21 - Pentesting FTP
22 - Pentesting SSH/SFTP
23 - Pentesting Telnet
25,465,587 - Pentesting SMTP/s
43 - Pentesting WHOIS
53 - Pentesting DNS
69/UDP TFTP/Bittorrent-tracker
79 - Pentesting Finger
80,443 - Pentesting Web Methodology
88tcp/udp - Pentesting Kerberos
110,995 - Pentesting POP
111/TCP/UDP - Pentesting Portmapper
113 - Pentesting Ident
123/udp - Pentesting NTP
135, 593 - Pentesting MSRPC
137,138,139 - Pentesting NetBios
139,445 - Pentesting SMB
143,993 - Pentesting IMAP
161,162,10161,10162/udp - Pentesting SNMP
194,6667,6660-7000 - Pentesting IRC
264 - Pentesting Check Point FireWall-1
389, 636, 3268, 3269 - Pentesting LDAP
500/udp - Pentesting IPsec/IKE VPN
502 - Pentesting Modbus
512 - Pentesting Rexec
513 - Pentesting Rlogin
514 - Pentesting Rsh
515 - Pentesting Line Printer Daemon (LPD)
548 - Pentesting Apple Filing Protocol (AFP)
554,8554 - Pentesting RTSP
623/UDP/TCP - IPMI
631 - Internet Printing Protocol(IPP)
873 - Pentesting Rsync
1026 - Pentesting Rusersd
1080 - Pentesting Socks
1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
1433 - Pentesting MSSQL - Microsoft SQL Server
1521,1522-1529 - Pentesting Oracle TNS Listener
1723 - Pentesting PPTP
1883 - Pentesting MQTT (Mosquitto)
2049 - Pentesting NFS Service
2301,2381 - Pentesting Compaq/HP Insight Manager
2375, 2376 Pentesting Docker
3128 - Pentesting Squid
3260 - Pentesting ISCSI
3299 - Pentesting SAPRouter
3306 - Pentesting Mysql
3389 - Pentesting RDP
3632 - Pentesting distcc
3690 - Pentesting Subversion (svn server)
3702/UDP - Pentesting WS-Discovery
4369 - Pentesting Erlang Port Mapper Daemon (epmd)
5000 - Pentesting Docker Registry
5353/UDP Multicast DNS (mDNS) and DNS-SD
5432,5433 - Pentesting Postgresql
5555 - Android Debug Bridge
5601 - Pentesting Kibana
5671,5672 - Pentesting AMQP
5800,5801,5900,5901 - Pentesting VNC
5984,6984 - Pentesting CouchDB
5985,5986 - Pentesting WinRM
5985,5986 - Pentesting OMI
6000 - Pentesting X11
6379 - Pentesting Redis
8009 - Pentesting Apache JServ Protocol (AJP)
8086 - Pentesting InfluxDB
8089 - Pentesting Splunkd
8333,18333,38333,18444 - Pentesting Bitcoin
9000 - Pentesting FastCGI
9001 - Pentesting HSQLDB
9042/9160 - Pentesting Cassandra
9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
9200 - Pentesting Elasticsearch
10000 - Pentesting Network Data Management Protocol (ndmp)
11211 - Pentesting Memcache
15672 - Pentesting RabbitMQ Management
24007,24008,24009,49152 - Pentesting GlusterFS
27017,27018 - Pentesting MongoDB
44134 - Pentesting Tiller (Helm)
44818/UDP/TCP - Pentesting EthernetIP
47808/udp - Pentesting BACNet
50030,50060,50070,50075,50090 - Pentesting Hadoop
🕸
Pentesting Web
Web Vulnerabilities Methodology
Reflecting Techniques - PoCs and Polygloths CheatSheet
2FA/OTP Bypass
Bypass Payment Process
Captcha Bypass
Cache Poisoning and Cache Deception
Clickjacking
Client Side Template Injection (CSTI)
Command Injection
Content Security Policy (CSP) Bypass
Cookies Hacking
CORS - Misconfigurations & Bypass
CRLF (%0D%0A) Injection
Cross-site WebSocket hijacking (CSWSH)
CSRF (Cross Site Request Forgery)
Dangling Markup - HTML scriptless injection
Deserialization
Domain/Subdomain takeover
Email Injections
File Inclusion/Path traversal
File Upload
Formula/Doc/LaTeX Injection
HTTP Request Smuggling / HTTP Desync Attack
HTTP Response Smuggling / Desync
Upgrade Header Smuggling
hop-by-hop headers
IDOR
JWT Vulnerabilities (Json Web Tokens)
LDAP Injection
Login Bypass
NoSQL injection
OAuth to Account takeover
Open Redirect
Parameter Pollution
PostMessage Vulnerabilities
Race Condition
Rate Limit Bypass
Registration & Takeover Vulnerabilities
Regular expression Denial of Service - ReDoS
Reset/Forgotten Password Bypass
SAML Attacks
Server Side Inclusion/Edge Side Inclusion Injection
SQL Injection
SSRF (Server Side Request Forgery)
SSTI (Server Side Template Injection)
Reverse Tab Nabbing
Unicode Normalization vulnerability
Web Tool - WFuzz
XPATH injection
XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
XXE - XEE - XML External Entity
XSS (Cross Site Scripting)
XSSI (Cross-Site Script Inclusion)
XS-Search
Cloud Security
GCP Security
Workspace Security
Github Security
Gitea Security
Kubernetes Security
Concourse
CircleCI
Jenkins
Apache Airflow
Atlantis
Cloud Security Review
AWS Security
😎
Hardware/Physical Access
Physical Attacks
Escaping from KIOSKs
Firmware Analysis
🦅
Reversing & Exploiting
Reversing Tools & Basic Methods
Common API used in Malware
Word Macros
Linux Exploiting (Basic) (SPA)
Exploiting Tools
Windows Exploiting (Basic Guide - OSCP lvl)
🔮
Crypto & Stego
Cryptographic/Compression Algorithms
Certificates
Cipher Block Chaining CBC-MAC
Crypto CTFs Tricks
Electronic Code Book (ECB)
Hash Length Extension Attack
Padding Oracle
RC4 - Encrypt&Decrypt
Stego Tricks
Esoteric languages
Blockchain & Crypto Currencies
🧐
External Platforms Reviews/Writeups
BRA.I.NSMASHER Presentation
INE Courses and eLearnSecurity Certifications Reviews
🦂
C2
Merlin
Empire
Salseo
ICMPsh
Cobalt Strike
TODO
Other Big References
Rust Basics
More Tools
MISC
Pentesting DNS
Hardware Hacking
Radio Hacking
Burp Suite
Other Web Tricks
Interesting HTTP
Emails Vulnerabilities
Android Forensics
TR-069
6881/udp - Pentesting BitTorrent
CTF Write-ups
1911 - Pentesting fox
Online Platforms with API
Stealing Sensitive Information Disclosure from a Web
Post Exploitation
Powered By GitBook
Pentesting Printers
Support HackTricks and get benefits!
Please, note that most of the content of all the info related to _Pentesting Printers_** ** was taken from the huge and amazing research you can find on http://hacking-printers.net/. I tried to summarise that information here but you can always go to the source to learn more about the topic.

Fundamentals

A schematic relationship regarding the encapsulation of printer languages is given below:\
Encapsulation of printer languages

Network printing protocols

Sending data to a printer device can be done by USB/parallel cable or over a network. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's NCP or AppleTalk. In the Windows world, SMB/CIFS printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as FTP or HTTP file uploads. The most common printing protocols supported directly by network printers however are LPD, _IPP**, and **raw port 9100 _ printing. Network printing protocols can be attacked directly, for example by exploiting a buffer overflow in the printer's LPD daemon. In many attack scenarios however, they only act as a carrier/channel to deploy malicious Printer language code. Note that a network printer usually supports multiple protocols to ‘print’ a document which broadens the attack surface.

Learn more about raw port 9100 here.

Learn more about LPD in Pentesting 515 here.

Learn more about IPP in Petesting 631 here.

Printer Control Languages

A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are CPCA, XJCL, EJL and PJL – which is supported by a variety of printers and will be discussed below. In addition, printer control and management languages are designed to affect not only a single print job but the device as a whole. One approach to define a common standard for this task was NPAP. However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use SNMP or its PJL-based metalanguage PML.

PJL

The Printer Job Language (PJL) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ and can be used to change settings like paper tray or size. It must however be pointed out that PJL is not limited to the current print job as some settings can be made permanent. PJL can also be used to change the printer's display or read/write files on the device. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. PJL is further used to set the file format of the actual print data to follow. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below:
@PJL SET PAPER=A4
@PJL SET COPIES=10
@PJL ENTER LANGUAGE=POSTSCRIPT
Inside the page about port 9100 'raw port' you can find more information about how to enumerate PJL.

PML

The Printer Management Language (PML) is a proprietary language to control HP printers. It basically combines the features of SNMP with PJL. Publicly available documentation has not been released, however parts of the standard were leaked by the LPRng project: the PJL Passthrough to PML and SNMP User’s Guide defines defines PML as ‘an object-oriented request-reply printer management protocol’ and gives an introduction to the basics of the syntax. PML is embedded within PJL and can be used to read and set SNMP values on a printer device. This is especially interesting if a firewall blocks access to SNMP services (161/udp). The use of PML within a print job retrieving the hrDeviceDescr value (OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device) is demonstrated below:
> @PJL DMINFO ASCIIHEX="000006030302010301"
< "8000000603030201030114106870204c617365724a65742034323530
The rear part of string responded by the printer, 6870204c617365724a65742034323530 is hexadecimal for hp LaserJet 4250. As can be seen, it is possible to invoke (a subset of) SNMP commands over PJL via PML. A security-sensitive use of PML is to reset HP printers to factory defaults via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.

UEL

The Universal Exit Language (UEL) actually is not a real job control ‘language’ but a single command used to terminate the current data stream: the escape character (\x1b), followed by %-12345X. It was originally introduced with HP's PCL and is supported by most modern laser printers. A good practice of ‘printer drivers’ is to invoke the UEL at the beginning and at the end of each print job, so interpretation of the printer language is stopped/restarted and each job has its own, separate environment as shown below:
\x1b%-12345X
@PJL SET PAPER=A4
@PJL ENTER LANGUAGE=PCL
...
[PCL datastream]
...
\x1b%-12345X
Otherwise, for example PJL settings like paper media size or PostScript definitions set in one print job would influence the next job. UEL can be handy to string together multiple jobs into a single file/datastream sent to the printer. This can be used to fool hardware page counters or to switch the printing language in advances cross-site printing attacks.

Page Description Languages

A page description language (PDL) specifies the appearance of the actual document. It must however be pointed out that some PDLs offer limited job control, so a clear demarcation between page description and printer/job control language is not always possible. The function of a ‘printer driver’ is to translate the file to be printed into a PDL that is understood by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or GDI printers only accept simple bitmap datastreams like ZJS while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's PRESCRIBE, SPL, XES, CaPSL, RPCS, ESC/P which is mostly used in dot matrix printers or HP-GL and HP-GL/2 which have been designed for plotters. Support for direct PDF and XPS printing is also common on newer printers. The most common ‘standard’ page description languages however are PostScript and PCL.

PostScript (PS)

The term ‘page description’ may be misleading though, as PostScript is capable of much more than just creating vector graphics. PostScript is a stack-based, Turing-complete programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries and was created by Adobe. Technically spoken, access to a PostScript interpreter can already be classified as code execution because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files. Originally designed as a feature, the dangers of such functionality were limited before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript (EPS) is also noteworthy as it can be included in other file formats to be interpreted on the host such as LaTeX documents. Like PJL and PCL, PostScript supports bidirectional communication been host and printer. Example PostScript code to echo Hello world to stdout is given below:
%!
(Hello world) print
Brother and Kyocera use their own PostScript clones: Br-Script and KPDL. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as denial of service (for example, through infinite loops), print job manipulation and retention as well as gaining access to the printer's file system.

Exiting the server loop

Normally, each print job is encapsulated in its own, separate environment. One interesting feature of PostScript is that a program can circumvent print job encapsulation and alter the initial VM for subsequent jobs. To do so, it can use either startjob, a Level 2 feature:
true 0 startjob
or exitserver (available in all implementations that include a job server):
serverdict begin 0 exitserver
This capability is controlled by the StartJobPassword which defaults to 0 (compare credential disclosure). Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs. In other words, a print job can access and alter further jobs. Bingo!

Operator redefinition

When a PostScript document calls an operator, the first version found on the dictionary stack is used. Operators usually reside in the systemdict dictionary, however by placing a new version into the userdict dictionary, operators can be practically overwritten because the user-defined version is the first one found on the dictionary stack. Using the startjob/exitserver operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below:
The potential impact of redefining operators is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as denial of service, print job retention and manipulation. Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and RIP.

PCL

PCL 3 and PCL 4 added support for fonts and macros which both can be permanently downloaded to the device – however only referenced to by a numeric id, not by a file name, as direct access to the file system is not intended. PCL 1 to 5 consist of escape sequences followed by one or more ASCII characters representing a command to be interpreted. PCL 6 Enhanced or ‘PCL XL’ uses a binary encoded, object-oriented protocol. An example PCL document to print ‘Hello world’ is given below:
<Esc>Hello world
Due to its limited capabilities, PCL is hard to exploit from a security perspective unless one discovers interesting proprietary commands in some printer manufacturers's PCL flavour. The PRET tool implements a virtual, PCL-based file system which uses macros to save file content and metadata in the printer's memory. This hack shows that even a device which supports only minimalist page description languages like PCL can be used to store arbitrary files like copyright infringing material. Although turning a printer into a file sharing service is not a security vulnerability per se, it may apply as ‘misuse of service’ depending on the corporate policy.

Misc Attacks

USB drive or cable

Data can be sent to and received from a local printer by USB or parallel cables. Both channels are supported by PRET to communicate with the device. In addition, printers and MFPs often ship with Type-A USB ports which allows users to print directly from an USB device. While plugged-in USB drives do not offer a bidirectional channel, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, it is not completely unrealistic for most institutions and companies. Gaining physical access to printer can generally be considered as less hard than it is for other network components like servers or workstations.

Cross-site printing

Abusing client web request an attacker can abuse arbitrary printers inside the internal network of the client connected to his malicious web page. Learn how can this be possible here.

Abusing Spooler service in AD

If you can find any Spool service listening inside the domain, you may be able to abuse is to obtain new credentials and escalate privileges. More information about how to find a abuse Spooler services here.

Privilege Escalation

Factory Defaults

There are several possible ways to reset a device to factory defaults, and this is a security-critical functionality as it overwrites protection mechanisms like user-set passwords. Learn more here.

Accounting Bypass

You may be able to impersonate existent or non-existent users to print pages using their accounts or manipulate the hardware or software counter to be able to print more pages. Learn how to do it here.

Scanner and Fax

Accessing the Scanner of Fax functionalities you may be able to access other functionalities, but this all of this is vendor-dependent. Learn more here.

Print job access

Jobs can be retained in memory and be printed again in a later moment from the control panel, or using PostScript you can even remotely access all the jobs that are going to be printed, download them and print them. Learn more here.
You can add new content to the pages that are printed, change all the content that is going to be printed or even replace just certain letters or words. Learn how to do it here.

Information Disclosure

Memory access

You may be able to dump the NVRAM memory and extract sensitive info (like passwords) from there. Read how to do that here.

File system access

You may be able to access the file system abusing PJL or PostScript. Read how to do that here.

Credentials Disclosure/Brute-Force

You may be able to disclosure the password being using abusing SNMP or the LDAP settings or you could try to brute-force PJL or PostScript. Read how to do that here.

Code Execution

Buffer Overflows

Several buffer overflows have been found already in PJL input and in the LPD daemon, and there could be more. Read this for more information.

Firmware updates

You may be able to make the printer update the driver to a malicious one specially crafted by you. Read this for more information.

Software Packages

printer vendors have started to introduce the possibility to install custom software on their devices but information is not publicly available. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors. Read more about this here.

Denial of service

Transmission channel

Occupying all the connections and increasing the timeout of the server could lead to a DoS. Learn more about this here.

Document Processing

You can use PostScript and PJL to perform infinite loops, redefine commands to avoid any printing, turn off any printing functionality or even set the printer in offline mode. Learn more about this here.

Physical damage

One could abuse PJL or PostScript to write in the NVRAM hundreds of thousands of times with the goal of breaking the chip or at least make the parameters be frozen intro the factory default ones. Learn more about this here.
Support HackTricks and get benefits!
Network Services Pentesting - Previous
Pentesting JDWP - Java Debug Wire Protocol
Next
Accounting bypass
Last modified 3mo ago
Copy link
Outline
Fundamentals
Network printing protocols
Learn more about raw port 9100 here.
Learn more about LPD in Pentesting 515 here.
Learn more about IPP in Petesting 631 here.
Printer Control Languages
PJL
PML
UEL
Page Description Languages
PostScript (PS)
PCL
Misc Attacks
USB drive or cable
Cross-site printing
Abusing Spooler service in AD
Privilege Escalation
Factory Defaults
Accounting Bypass
Scanner and Fax
Print job access
Print Job Retention
Print Job Manipulation
Information Disclosure
Memory access
File system access
Credentials Disclosure/Brute-Force
Code Execution
Buffer Overflows
Firmware updates
Software Packages
Denial of service
Transmission channel
Document Processing
Physical damage