Nmap Development mailing list archives

Re: hp laserjet telnet NSE script


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 4 Mar 2009 20:03:07 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 4 Mar 2009 11:26:32 -0800
Aaron Leininger <rilian4 () hotmail com> wrote:


This is my first humble attempt at functional NSE. I still really
have no firm grasp over the language so please forgive any mistakes. 

The attached NSE script will connect to the telnet port on an HP
laserjet and issue the commands /\r\n\r\n\r\n\r\n as a probe of
sorts. This emulates the "/" command to display the default settings
on the printer and the remaining carriage returns will grab the rest
of the output. If you look at the output, you'll see a few places
where it says "press return to continue". That's what the extra
carriage returns were for.

Anyway, it is VERY rough and not nearly ready for any production use.
Please modify as you wish. I'd love to see how to streamline it
better. I'm very poor with Lua code. For example, it will run on any
port 23 now. It probably should only run when an open port between
9100-9107 (standard for LaserJets) is found as well as the open port
23. Also, maybe there is a way to parse the more useful data out of
the current rather large data dump. I just haven't been able to
figure out how exactly to do either of those things, nor am I 100%
sure which parts of the data the average nmapper might consider
critical to have. Also attached is a text file containing sample
output from the script in its current form. Personal details of my
network have been obscured in the output. I used nmap 4.85beta3 to
test this script. 

Thanks,
Aaron


Aaron,

It's great to see people looking at NSE and writing scripts so please
take this positive feedback.

Usually, a script that only requires a single probe with no interaction
is best suited for Version Scanning rather than NSE.  Your sample
output suggests though that more information is returned in your probe
than version scanning can express.  Even so, we might want to add a
'SlashLines' probe with a high rarity to nmap-service-probes so that
match lines can be easily made for HP printers whose telnet daemon
isn't already matched.

Right now your script uses portrule and doesn't make any attempt to
determine if the target host really is an HP printer.  You might think
about making the script use hostrule instead.  You can then check for
more telltale signs of an HP printer.  This would avoid printing the
data for each of the telnet daemons that may be listening.  You could
just try a list of ports, say, 23, 23000, 9999, etc, and stop once you
get info or run out of open ports to try.

You can look at nbstat.nse for a well-documented example of how to
check multiple parameters of a host.

Also, even with a pretty good "HP printer" heuristic, your probe
invariably will be run against non-HP printers.  You might try matching
some text in the returned string to make sure what you get back
actually looks like printer output.  Take a look at skypev2-version.nse
for a decent example of how to apply matching logic against returned
text.

Finally, string parsing can be really hard but you probably want to
extract out just the interesting portions of the telnet output.  This
would allow you to avoid printing text like "Press RETURN to continue:"
or telnet control chars.

Brandon



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmu3oEACgkQqaGPzAsl94ImUQCeMIF0cwwnmhr0TYlXxuILxQQf
TwoAoKEgnJd8xWhzD++i2ISXji3ldkbT
=2VJx
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
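To put the suggestions in Brandon's reply together in one place (hostrule instead of portrule, a list of candidate telnet ports, a sanity match on the returned text, and stripping the "Press RETURN to continue" prompts and telnet control bytes), here is an example script. It was written for this archive page and is neither Aaron's attached script nor anything in Nmap's script collection. It uses the current NSE module API (local `require` of `nmap`, `stdnse`) rather than the globals of the 4.85beta3 era, and the file name, the extra ports 23000 and 9999, and the "JetDirect"/"LaserJet" marker strings used to recognise printer output are assumptions, not something the thread confirms.

```lua
-- hp-laserjet-settings.nse  (example for this thread, not Aaron's attachment)
local nmap   = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local table  = require "table"

description = [[
Sends "/" plus blank lines (the LaserJet "show settings" command) to the
printer's telnet service and reports the settings, with the pager prompts
and telnet negotiation bytes removed.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Ports to try, in order. 23 is the usual one; 23000 and 9999 are the
-- alternates mentioned in the reply and are assumptions, not verified ports.
local TELNET_PORTS = {23, 23000, 9999}

-- The probe from the original script: "/" then enough CRs to page through.
local PROBE = "/\r\n\r\n\r\n\r\n"

local function port_open(host, number)
  local port = nmap.get_port_state(host, {number = number, protocol = "tcp"})
  return port ~= nil and port.state == "open"
end

-- hostrule rather than portrule: fire only when a raw-print port in
-- 9100-9107 is open AND at least one candidate telnet port is open.
hostrule = function(host)
  local has_raw_print = false
  for p = 9100, 9107 do
    if port_open(host, p) then has_raw_print = true; break end
  end
  if not has_raw_print then return false end
  for _, p in ipairs(TELNET_PORTS) do
    if port_open(host, p) then return true end
  end
  return false
end

-- Remove telnet option negotiation (IAC DO/DONT/WILL/WONT <option>) and
-- other two-byte IAC <command> sequences from the captured text.
local function strip_telnet(data)
  data = string.gsub(data, "\255[\251-\254].", "")
  data = string.gsub(data, "\255[\240-\250]", "")
  return data
end

-- Assumption: real printer output carries one of these markers. A busybox
-- telnetd or a router menu on the same port will not, and is dropped.
local function looks_like_printer(data)
  return string.find(data, "JetDirect", 1, true) ~= nil
      or string.find(data, "JETDIRECT", 1, true) ~= nil
      or string.find(data, "LaserJet", 1, true) ~= nil
end

-- Keep only lines that carry settings: drop pager prompts and blank lines.
local function clean_lines(data)
  local out = {}
  for line in string.gmatch(data, "[^\r\n]+") do
    if not string.find(line, "RETURN to continue", 1, true)
       and string.find(line, "%S") then
      out[#out + 1] = line
    end
  end
  return out
end

-- Connect, read any banner, send the probe, then read until the peer
-- stops sending (receive() returns false on timeout or close).
local function probe_port(host, number)
  local sock = nmap.new_socket()
  sock:set_timeout(5000)
  if not sock:connect(host, number) then return nil end
  local chunks = {}
  local status, data = sock:receive()
  if status then chunks[#chunks + 1] = data end
  sock:send(PROBE)
  repeat
    status, data = sock:receive()
    if status then chunks[#chunks + 1] = data end
  until not status
  sock:close()
  return strip_telnet(table.concat(chunks))
end

action = function(host)
  for _, number in ipairs(TELNET_PORTS) do
    if port_open(host, number) then
      local data = probe_port(host, number)
      if data and looks_like_printer(data) then
        return stdnse.format_output(true, clean_lines(data))
      end
    end
  end
  return nil  -- nothing that looked like printer output; report nothing
end
```

Because the check for printer-looking text happens before anything is returned, a non-HP telnet daemon on one of the candidate ports produces no output at all, and the loop moves on to the next open port instead of stopping at the first one that answers.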

