coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
528f1b5f9f
hacktricks/pentesting/9100-pjl.md
CPol 3768a62828
GitBook: [master] one page modified
2020-09-22 21:18:17 +00:00

67 lines
2.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 9100 - Pentesting Raw Printing \(JetDirect, AppSocket, PDL-datastream\)
## Basic Information
Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as _the simplest, fastest, and generally the most reliable network protocol used for printers_. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing which is supported by almost any network printer is used as the channel for security analysis with PRET and PFT. \(From [here](http://hacking-printers.net/wiki/index.php/Port_9100_printing)\)
If you want to learn more about [**hacking printers read this page**](pentesting-printers/).
**Default port:** 9100
```text
9100/tcp open jetdirect
```
## Enumeration
### Manual
```bash
nc -vn <IP> 9100
@PJL INFO STATUS #CODE=40000 DISPLAY="Sleep" ONLINE=TRUE
@PJL INFO ID # ID (Brand an version): Brother HL-L2360D series:84U-F75:Ver.b.26
@PJL INFO PRODINFO #Product info
@PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535 #List dir
@PJL INFO VARIABLES #Env variales
@PJL INFO FILESYS #?
@PJL INFO TIMEOUT #Timeout variables
@PJL RDYMSG #Ready message
@PJL FSINIT
@PJL FSDIRLIST
@PJL FSUPLOAD #Useful to upload a file
@PJL FSDOWNLOAD #Useful to download a file
@PJL FSDELETE #Useful to delete a file
```
### Automatic
```bash
nmap -sV --script pjl-ready-message -p <PORT> <IP>
```
```bash
msf> use auxiliary/scanner/printer/printer_env_vars
msf> use auxiliary/scanner/printer/printer_list_dir
msf> use auxiliary/scanner/printer/printer_list_volumes
msf> use auxiliary/scanner/printer/printer_ready_message
msf> use auxiliary/scanner/printer/printer_version_info
msf> use auxiliary/scanner/printer/printer_download_file
msf> use auxiliary/scanner/printer/printer_upload_file
msf> use auxiliary/scanner/printer/printer_delete_file
```
### Printers Hacking tool
This is the tool you want to use to abuse printers:
{% embed url="https://github.com/RUB-NDS/PRET" %}
### Hacking Printers best reference
{% embed url="https://hacking-printers.net/wiki/index.php/File\_system\_access" %}
## **Shodan**
* `pjl port:9100`
Reference in New Issue View Git Blame Copy Permalink