Nmap Development mailing list archives
Re: hp laserjet telnet NSE script
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 4 Mar 2009 20:03:07 +0000
On Wed, 4 Mar 2009 11:26:32 -0800 Aaron Leininger <rilian4 () hotmail com> wrote:
This is my first humble attempt at functional NSE. I still really have no firm grasp over the language so please forgive any mistakes.

The attached NSE script will connect to the telnet port on an HP laserjet and issue the commands /\r\n\r\n\r\n\r\n as a probe of sorts. This emulates the "/" command to display the default settings on the printer and the remaining carriage returns will grab the rest of the output. If you look at the output, you'll see a few places where it says "press return to continue". That's what the extra carriage returns were for.

Anyway, it is VERY rough and not nearly ready for any production use. Please modify as you wish. I'd love to see how to streamline it better. I'm very poor with Lua code. For example, it will run on any port 23 now. It probably should only run when an open port between 9100-9107 (standard for LaserJets) is found as well as the open port 23. Also, maybe there is a way to parse the more useful data out of the current rather large data dump. I just haven't been able to figure out how exactly to do either of those things, nor am I 100% sure which parts of the data the average nmapper might consider critical to have.

Also attached is a text file containing sample output from the script in its current form. Personal details of my network have been obscured in the output. I used nmap 4.85beta3 to test this script.

Thanks,
Aaron
Aaron,

It's great to see people looking at NSE and writing scripts so please take this positive feedback.

Usually, a script that only requires a single probe with no interaction is best suited for Version Scanning rather than NSE. Your sample output suggests, though, that more information is returned in your probe than version scanning can express. Even so, we might want to add a 'SlashLines' probe with a high rarity to nmap-service-probes so that match lines can be easily made for HP printers whose telnet daemon isn't already matched.

Right now your script uses portrule and doesn't make any attempt to determine if the target host really is an HP printer. You might think about making the script use hostrule instead. You can then check for more telltale signs of an HP printer. This would avoid printing the data for each of the telnet daemons that may be listening. You could just try a list of ports, say, 23, 23000, 9999, etc, and stop once you get info or run out of open ports to try. You can look at nbstat.nse for a well-documented example of how to check multiple parameters of a host.

Also, even with a pretty good "HP printer" heuristic, your probe invariably will be run against non-HP printers. You might try matching some text in the returned string to make sure what you get back actually looks like printer output. Take a look at skypev2-version.nse for a decent example of how to apply matching logic against returned text.

Finally, string parsing can be really hard but you probably want to extract out just the interesting portions of the telnet output. This would allow you to avoid printing text like "Press RETURN to continue:" or telnet control chars.
Brandon
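The matching and cleanup steps suggested in the reply above, as an added example that is not from the thread or from Nmap: plain Lua with no NSE libraries, so the two functions can be called from a script's action on whatever the socket returned. The marker string `JetDirect`, the `Name : value` layout and the sample reply are assumptions constructed for illustration.

```lua
-- Added example (not the script from the thread). Plain Lua, no Nmap libraries.
-- Assumptions: MARKER and the "Name : value" layout are illustrative only.
local MARKER = "JetDirect"
local PROMPT = "[Pp]ress [Rr][Ee][Tt][Uu][Rr][Nn] to continue:?"

-- Remove telnet option negotiation (IAC = byte 255) and control characters.
local function strip_telnet(raw)
  local s = raw:gsub("\255\250.-\255\240", "")  -- IAC SB ... IAC SE
  s = s:gsub("\255[\251-\254].", "")            -- IAC WILL/WONT/DO/DONT <opt>
  s = s:gsub("\255.", "")                       -- any other IAC command
  -- Drop control characters (CR, NUL, ...) but keep newline and tab.
  s = s:gsub("%c", function(c)
    if c == "\n" or c == "\t" then return nil end
    return ""
  end)
  return s
end

-- Returns nil if the reply does not contain MARKER (not the expected device),
-- otherwise a list of cleaned lines and a table of parsed settings.
local function parse_reply(raw)
  local text = strip_telnet(raw)
  if not text:find(MARKER, 1, true) then return nil end
  local lines, settings = {}, {}
  for line in text:gmatch("[^\n]+") do
    line = line:gsub(PROMPT, ""):gsub("^%s+", ""):gsub("%s+$", "")
    if line ~= "" then
      lines[#lines + 1] = line
      local key, value = line:match("^(.-)%s*:%s*(.+)$")
      if key and key ~= "" then settings[key] = value end
    end
  end
  return lines, settings
end

-- Constructed sample reply (not captured from a real device).
local sample = "\255\253\24\255\251\1" ..
  "HP JetDirect\r\n" ..
  "   IP Address : 192.0.2.10\r\n" ..
  "   Host Name  : PRINTER-EXAMPLE\r\n" ..
  "Press RETURN to continue:\r\n" ..
  "   Idle Timeout : 120 Seconds\r\n"

local lines, settings = parse_reply(sample)
assert(lines and #lines == 4)
assert(settings["IP Address"] == "192.0.2.10")
assert(parse_reply("login: \r\n") == nil)  -- other telnet daemons are ignored
for _, l in ipairs(lines) do print(l) end
```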
Current thread:
- hp laserjet telnet NSE script Aaron Leininger (Mar 04)
- Re: hp laserjet telnet NSE script Brandon Enright (Mar 04)
- Re: hp laserjet telnet NSE script Ron (Mar 04)