
Great write up on network printer hacking at IronGeek's site here for anyone interested http://www.irongeek.com/i.php?page=security/networkprinterhacking.

Here's what I want to do: Scan the subnet for HP printers with port 9100 open. I know I can use OS fingerprinting and the port argument to filter it down. I want to export the IP addresses matching this criteria to a file or list, and then telnet to every one of those IPs and issue a command. Specifically: @PJL RDYMSG DISPLAY="YOUR MESSAGE". This will cause the printers to display a custom ready message.

Advice? Guidance? How would I go about doing this?

chubby_monky

2 Answers


This functionality already exists in Nmap, in the pjl-ready-message NSE script. Here's an example usage:

nmap -p 9100 --script pjl-ready-message --script-args pjl_ready_message="your message here" 192.0.2.0/24

The script already checks for a real PJL service before sending the command, so you probably don't have to check for OS fingerprint results.

bonsaiviking

Looks like this could be facilitated by using NSE. Take for instance the following script (called hp.nse):

-- NSE requires these two fields before it will load the script.
description = [[Appends the address of every host with the scanned port open to targets.txt]]
categories = {"discovery"}

-- portrule is evaluated once per (host, port) pair selected with -p; the
-- side effect (recording the address) happens here, so action() never needs to run.
function portrule(host, port)
  if port.state == "open" then
    local cmd = "echo " .. host.ip .. " >> targets.txt"
    os.execute(cmd)
  end
  return false
end

function hostrule(host)
  return false
end

function action()
end

If you run:

nmap -p 9100 -n --script=./hp.nse 192.168.1.*

Assuming that your network is 192.168.1.0/24, it will match every host that's online with port 9100 open. For every host that matches these rules, this script will echo its address to the targets.txt file. From there, you can adapt IronGeek's scripts to read from targets.txt and issue the respective telnet commands. Something like:

use strict;
use warnings;

my $filename = "targets.txt";
open(my $handle, '<', $filename) or die "Cannot open $filename: $!";
while (my $ip = <$handle>) {
    chomp $ip;    # drop the trailing newline before using $ip as an address
    print "$ip\n";
    # Declare socket for $ip.
    # Echo HP commands to that socket.
}
close $handle;

About the OS detection, I believe it will require more work to match the OS string with regular expressions (and risking missing a real HP printer) than if you simply try and send the HP commands to every host with port 9100 open. If you want to give it a try, here's the NSE's API.

epadillas
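Both answers end up with the same intermediate artifact: a list of hosts that have port 9100 open, to be fed to a second step. The hp.nse approach above gets there by shelling out from inside portrule, which works but couples the scan to a filesystem side effect. An alternative, added here as an example and not part of either answer, is to let Nmap write its grepable output (`-oG`) and parse the `Ports:` field afterwards. The script below is Python rather than Lua or Perl so that it runs outside Nmap and can be tested offline; the sample grepable output embedded in it is constructed, not real scan data, and `targets.txt` is just the filename the second answer already uses.

```python
"""Extract hosts with a given TCP port open from Nmap grepable (-oG) output."""
import ipaddress
import re
import sys
from typing import List

# Constructed sample of `nmap -p 9100 -n -oG -` output (not a real scan).
# Each host up produces a "Status: Up" line and a "Ports:" line; the Ports
# field is a comma-separated list of port/state/proto/owner/service/rpc/version/.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -p 9100 -n -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 9100/open/tcp//jetdirect///
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 9100/closed/tcp//jetdirect///
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 9100/filtered/tcp//jetdirect///
Host: 192.168.1.13 ()\tStatus: Up
Host: 192.168.1.13 ()\tPorts: 9100/open/tcp//jetdirect///
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

# "Host: <ip> (<hostname>)\tPorts: <entries>[\tIgnored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*)$")


def hosts_with_open_port(grepable: str, port: int = 9100, proto: str = "tcp") -> List[str]:
    """Return the distinct addresses whose Ports field lists port/open/proto."""
    targets: List[str] = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip = m.group("ip")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # only literal addresses belong in the target list
        # Anything after a tab (e.g. "Ignored State:") is not part of the port list.
        ports_field = m.group("ports").split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            number, state, protocol = fields[0], fields[1], fields[2]
            if number == str(port) and state == "open" and protocol == proto and ip not in targets:
                targets.append(ip)
    return targets


def write_targets(targets: List[str], path: str = "targets.txt") -> int:
    """Write one address per line (the format the Perl loop above reads); return the count."""
    with open(path, "w") as fh:
        for ip in targets:
            fh.write(ip + "\n")
    return len(targets)


if __name__ == "__main__":
    # Usage: python extract_targets.py scan.gnmap   (falls back to the sample when no file is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GREPABLE
    found = hosts_with_open_port(text)
    print("\n".join(found))
    print(f"{write_targets(found)} target(s) written to targets.txt", file=sys.stderr)
```

To produce the input, run something like `nmap -p 9100 -n --open -oG scan.gnmap 192.168.1.0/24`; `--open` keeps closed and filtered hosts out of the file, but the parser checks the state anyway so it also handles output recorded without that flag. Keeping the scan and the post-processing separate means the same scan file can be re-read later, which is useful when the point is an inventory of which devices on the subnet expose PJL rather than a one-shot action against them.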