https://github.com/RUB-NDS/PRET
PRET only requires a Python2 interpreter. For colored output and SNMP support however, third party modules need to be installed:
# pip install colorama pysnmp
If running on a Windows console and Unicode characters are not displayed correctly, install the win_unicode_console module:
# pip install win_unicode_console
For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed:
# apt-get install imagemagick ghostscript
get clone https://github.com/RUB-NDS/PRET.git
usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
positional arguments:
target printer device or hostname
{ps,pjl,pcl} printing language to abuse
optional arguments:
-h, --help show this help message and exit
-s, --safe verify if language is supported
-q, --quiet suppress warnings and chit-chat
-d, --debug enter debug mode (show traffic)
-i file, --load file load and run commands from file
-o file, --log file log raw data sent to the target
The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like /dev/usb/lp0 for a local USB printer.
# HP LaserJet 4250
# HP LaserJet M3027 MFP
# Lexmark X792
# Brother MFC-7860DW
shodan检索语句:
# product:"xxx" port:9100
# product:"hp LaserJet 4200" port:9100
root@kali2018:/IoT-Tools/PRET# ./pret.py 192.168.74.100 ps
________________
_/_______________/|
/___________/___//|| PRET | Printer Exploitation Toolkit v0.40
|=== |----| || by Jens Mueller <jens.a.mueller@rub.de>
| | ô| ||
|___________| ô| ||
| ||/.´---.|| | || 「 pentesting tool that made
|-||/_____||-. | |´ dumpster diving obsolete‥ 」
|_||=L==H==||_|__|/
(ASCII art by
Jan Foerster)
Connection to 192.168.74.100 established
Command execution failed (timed out)
Forcing reconnect. Connection closed.
Connection to 192.168.74.100 established
No feedback (Printer busy, non-ps or silent)
Device: hp LaserJet 4200
Welcome to the pret shell. Type help or ? to list commands.
192.168.74.100:/> help
Available commands (type help <topic>):
=======================================
append date discover get loop put set version
capture debug dump hang ls pwd shell
cat delete edit help mirror rename site
cd destroy exit hold mkdir replace timeout
chvol devices find id open reset touch
close df format known overlay resource traversal
config dicts free load pagecount restart unlock
cross disable fuzz lock print search uptime
参考资料
- 打印机安全研究(一):不容乐观的网络打印机安全状况
https://www.freebuf.com/articles/terminal/126259.html
- 打印机安全研究(二):打印机攻击测试方法和利用工具
https://www.freebuf.com/articles/terminal/126455.html
https://paper.seebug.org/549/