PRET - Printer Exploitation Toolkit
How do I find my Canon printer model name to download drivers by just knowing the serial number? HP LaserJet, HP PageWide Enterprise - How to locate the model na.PageWide Enterprise - How to locate the model name, product number, and serial number This document describes how to find the model name, product number. Learn how to locate the model number, product number, and serial number on your HP product. For other helpful videos go to hp.com/supportvideos or youtube.com.
Is your printer secure? Check before someone else does...
PRET is a new tool for printer security testing developed in the scope of a Master's Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer's file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.
The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.
Installation
PRET only requires a Python2 interpreter. For colored output and SNMP support however, third party modules need to be installed:
If running on a Windows console and Unicode characters are not displayed correctly, install the win_unicode_console module:
For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed:
Usage
Example usage:
Positional Arguments:
PRET requires a valid target and a printer language as arguments. The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like /dev/usb/lp0
for a local USB printer. To quickly discover all network printers in your subnet using SNMP broadcast, simply run PRET without arguments:
The printer language to be abused must be one of ps
, pjl
or pcl
. Not all languages are supported by every printer, so you may wan't to switch languages if you don't receive any feedback. Each printer language is mapped to a different set of PRET commands and has different capabilities to exploit.
Find Hp Printer Model By Serial Number Generator
Optional Arguments:
--safe
tries to check via IPP, HTTP and SNMP if the selected printing language (PS/PJL/PCL) is actually supported by the device before connecting. On non-networked printers (USB, parallel cable) this test will fail.
--quit
suppresses printer model determination, intro message and some other chit-chat.
--debug
shows the datastream actually sent to the device and the feedback received. Note that header data and other overhead is filtered. The see the whole traffic, use wireshark. Debugging can also be switched on/off within a PRET session using the debug
command
--load filename
reads and executes PRET commands from a text file. This is usefull for automation. Command files can also be invoked later within a PRET session via the load
command.
--log filename
writes a copy of the raw datastream sent to the printer into a file. This can be useful to build a malicious print job file which can be deployed on another printer not directly reachable, for example by printing it from USB drive.
Generic Commands
After connecting to a printer device, you will see the PRET shell and can execute various commands:
A list of generic PRET commands is given below:
Generic file system operations with a PS/PJL/PCL specific implementation are:
Commands in PS mode
Not all commands are supported by every printer. Especially Brother and Kyocera devices use their own PostScript clones – Br-Script and KPDL – instead of licensing original ‘Adobe PostScript’. Such flavours of the PostScript language may not be 100% compatible, especially concerning security sensitive features like capturing print jobs. Access to the file system is supported by most printers, however usually limited to a certain, sandboxed directory.
Commands in PJL mode
Some commands are supported exclusively by HP printers, because other vendors have only implemented a subset of the PJL standard. This is especially true for PML based commands like restart
or reset
. Enabling long-term job retention via the hold
command seems to be possible for some Epson devices only. NVRAM access via the nvram
command is a proprietary feature of Brother printers. Limited access to the file system is supported by various HP, OKI, Konica, Xerox, Epson and Ricoh devices.
Commands in PCL mode
PCL is a very limited page description language without access to the file system. The get
/put
/ls
commands therefore use a virtual file system based on PCL macros, implemented mostly for the hack value. This proof-of-concept shows that even a device which supports only minimalist languages like PCL can be used to store arbitrary files like copyright infringing material. Although such a file sharing service is not a security vulnerability per se, it might apply as ‘misuse of service’ depending on the corporate policy
File Listing
pret.py
- Executable main programcapabilities.py
- Routines to check for printer langauge supportdiscovery.py
- Routines to list printers using SNMP broadcastprinter.py
- Generic code to describe a printing devicepostscript.py
- PS spezific code (inherits from class printer)pjl.py
- PJL spezific code (inherits from class printer)pcl.py
- PCL spezific code (inherits from class printer)helper.py
- Help functions for output, logging, sockets, etc.codebook.py
- Static table of PJL status/error codesfuzzer.py
- Constants for file system fuzzingmibs/*
- Printer specific SNMP MIBsdb/*
- database of supported modelslpd/*
- Scripts for LPD fuzzing
Getting Started
Given the features and various proprietary extensions in printing languages like PostScript and PJL, conducting a pentest on printers is not a trivial job. PRET can help to assist and verify known issues in the language. Once you have played around with the tool, you may want to perform a systematic printer security analysis. A good starting point is the Printer Security Testing Cheat Sheet.
Happy Hacking!
I'm looking for a VBScript or any other utility available to get the serial number of Lexmark printers.I already have this little script that gives me other details of a specific printer
Dim objWMIService, objItem, colItems, strComputer
strComputer ='??????'
Hp Printer Serial Number Decoder
strprinter = InputBox('Enter Printer Name')If strprinter = ' Then
wscript.quit
End If
Printer = '%' & ucase(strprinter) & '%'
Set objWMIService = GetObject('winmgmts:' & strComputer & 'rootCIMV2')
Set colItems = objWMIService.ExecQuery('SELECT * FROM Win32_Printer where Name like ' & printer & ' and Local=TRUE',,48)
For Each objItem In colItems
WScript.Echo objItem.name & VbCr & _
' & VbCr & _
'Availability: ' & objItem.Availability & VbCr & _
'Description: ' & objItem.Description & VbCr & _
'Printer: ' & objItem.DeviceID & VbCr & _
'Driver Name: ' & objItem.DriverName & VbCr & _
'Port Name: ' & objItem.PortName & VbCr & _
'Printer State: ' & objItem.PrinterState & VbCr & _
'Printer Status: ' & objItem.PrinterStatus & VbCr & _
'PrintJobDataType: ' & objItem.PrintJobDataType & VbCr & _
'Print Processor: ' & objItem.PrintProcessor & VbCr & _
'Spool Enabled: ' & objItem.SpoolEnabled & VbCr & _
'Separator File: ' & objItem.SeparatorFile & VbCr & _
'Queued: ' & objItem.Queued & VbCr & _
'Status: ' & objItem.Status & VbCr & _
'StatusInfo: ' & objItem.StatusInfo & VbCr & _
'Published: ' & objItem.Published & VbCr & _
'Shared: ' & objItem.Shared & VbCr & _
'ShareName: ' & objItem.ShareName & VbCr & _
'Direct: ' & objItem.Direct & VbCr & _
'Location: ' & objItem.Location & VbCr & _
'Priority: ' & objItem.Priority & VbCr & _
'Work Offline: ' & objItem.WorkOffline & VbCr & _
'Horizontal Res: ' & objItem.HorizontalResolution & VbCr & _
'Vertical Res: ' & objItem.VerticalResolution & VbCr & _
'
Next
WScript.Quit