HackTricks
Search…
Pentesting
Powered By GitBook
9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)

Basic Information

Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘the simplest, fastest, and generally the most reliable network protocol used for printers’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a bidirectional channel gives us direct access to results of PJL, PostScript or PCL commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. (From here)
If you want to learn more about hacking printers read this page.
Default port: 9100
1
9100/tcp open jetdirect
Copied!

Enumeration

Manual

1
nc -vn <IP> 9100
2
@PJL INFO STATUS #CODE=40000 DISPLAY="Sleep" ONLINE=TRUE
3
@PJL INFO ID # ID (Brand an version): Brother HL-L2360D series:84U-F75:Ver.b.26
4
@PJL INFO PRODINFO #Product info
5
@PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535 #List dir
6
@PJL INFO VARIABLES #Env variales
7
@PJL INFO FILESYS #?
8
@PJL INFO TIMEOUT #Timeout variables
9
@PJL RDYMSG #Ready message
10
@PJL FSINIT
11
@PJL FSDIRLIST
12
@PJL FSUPLOAD #Useful to upload a file
13
@PJL FSDOWNLOAD #Useful to download a file
14
@PJL FSDELETE #Useful to delete a file
Copied!

Automatic

1
nmap -sV --script pjl-ready-message -p <PORT> <IP>
Copied!
1
msf> use auxiliary/scanner/printer/printer_env_vars
2
msf> use auxiliary/scanner/printer/printer_list_dir
3
msf> use auxiliary/scanner/printer/printer_list_volumes
4
msf> use auxiliary/scanner/printer/printer_ready_message
5
msf> use auxiliary/scanner/printer/printer_version_info
6
msf> use auxiliary/scanner/printer/printer_download_file
7
msf> use auxiliary/scanner/printer/printer_upload_file
8
msf> use auxiliary/scanner/printer/printer_delete_file
Copied!

Printers Hacking tool

This is the tool you want to use to abuse printers:
GitHub - RUB-NDS/PRET: Printer Exploitation Toolkit - The tool that made dumpster diving obsolete.
GitHub

Hacking Printers best reference

File system access - Hacking Printers

Shodan

    pjl port:9100
Last modified 1yr ago