Re: Request for testing of HP PJL service probe

[Vijay Sankar <vsankar () foretell ca>]

David Fifield wrote:
> On Thu, Aug 27, 2009 at 03:13:52PM -0600, David Fifield wrote:
> > In r15334 I added Brandon Enright's Printer Job Language service probe
> > from http://seclists.org/nmap-dev/2009/q1/0560.html. I would like it to
> > have wider testing.
> >
> > The probe as it stands is inactive because its ports (9100-9107) are the
> > same as the Exclude ports. So you will have to do a little extra work to
> > test it. Open the nmap-service-probes file and comment out this line
> > near the top:
> >
> > Exclude T:9100-9107
> >
> > It should look like this when you're done:
> >
> > # Exclude T:9100-9107
> >
> > Then, run this scan over a network with a printer or anything listening
> > on ports 9100-9107:
> >
> > nmap --datadir . -PS9100-9107 -sV -p 9100-9107 <network>
> >
> > The --datadir argument is important to make sure Nmap is using your
> > edited nmap-service-probes. We are interested in positive and negative
> > results. If the probe identified all your printers correctly, please let
> > us know. If you got back a service fingerprint, send it in. If the probe
> > messed up your printer and you have to reboot it, or if it printed
> > anything, that's particularly noteworthy. Check to make sure you can
> > still print after running after the scan.
> >
> > I really don't think there will be problems with the probe. I just want
> > to be extra careful considering that it's potentially using a physical
> > resource.
>
> I ran this against a D-Link DP-G310 wireless print server connected to a
> non-networked printer. The probe caused the printer to go into its reset
> state, with a blinking warning light. Here is the relevant output:
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-02 22:12 MDT
> Initiating Service scan at 22:12
> Overriding exclude ports option! Some undesirable ports may be version scanned!
> Scanning 1 service on 192.168.1.8
> NSOCK (0.3660s) TCP connection requested to 192.168.1.8:9100 (IOD #1) EID 8
> NSOCK (0.3660s) nsock_loop() started (no timeout). 1 events pending
> NSOCK (0.3690s) Callback: CONNECT SUCCESS for EID 8 [192.168.1.8:9100]
> Service scan sending probe NULL to 192.168.1.8:9100 (tcp)
> NSOCK (0.3690s) Read request from IOD #1 [192.168.1.8:9100] (timeout: 6000ms) EID 18
> NSOCK (6.3680s) Callback: READ TIMEOUT for EID 18 [192.168.1.8:9100]
> Service scan sending probe hp-pjl to 192.168.1.8:9100 (tcp)
> NSOCK (6.3680s) Write request for 34 bytes to IOD #1 EID 27 [192.168.1.8:9100]: .%-12345X@PJL INFO ID...%-12345X..
> NSOCK (6.3680s) Read request from IOD #1 [192.168.1.8:9100] (timeout: 5000ms) EID 34
> NSOCK (6.3680s) Callback: WRITE SUCCESS for EID 27 [192.168.1.8:9100]
> NSOCK (11.3680s) Callback: READ TIMEOUT for EID 34 [192.168.1.8:9100]
> NSOCK (11.3680s) TCP connection requested to 192.168.1.8:9100 (IOD #2) EID 40
> NSOCK (11.3740s) Callback: CONNECT ERROR [Connection refused (61)] for EID 40 [192.168.1.8:9100]
> Completed Service scan at 22:12, 11.01s elapsed (1 service on 1 host)
> Host 192.168.1.8 is up (0.086s latency).
> Interesting ports on 192.168.1.8:
> PORT     STATE SERVICE    VERSION
> 9100/tcp open  jetdirect?
> MAC Address: 00:0F:3D:53:61:76 (D-Link)
>
> Read data files from: /usr/local/share/nmap
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 11.48 seconds
>            Raw packets sent: 2 (86B) | Rcvd: 2 (86B)
>
> Can anyone else reproduce this with a print server? If it's going to be
> common I think we should keep ports 9100–9107 excluded. The command to
> run is this:
>
> nmap --allports --datadir . -PS9100-9107 -sV -p 9100-9107 <target>
>
> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

Good day,

I did a regular ./configure, gmake, and sudo gmake install on OpenBSD 
4.5 -stable.

.
.
.
running install_data
running install_egg_info
NMAP SUCCESSFULLY INSTALLED

Tried the following against a Brother 5250N Printer

server11$ nmap --allports --datadir . -PS9100-9107 -sV -p 9100-9107 
10.0.0.51

Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-12 22:56 CDT
Interesting ports on printer1.sankars.local (10.0.0.51):
PORT     STATE  SERVICE    VERSION
9100/tcp open   jetdirect?
9101/tcp closed jetdirect
9102/tcp closed jetdirect
9103/tcp closed jetdirect
9104/tcp closed jetdirect
9105/tcp closed jetdirect
9106/tcp closed jetdirect
9107/tcp closed jetdirect

Service detection performed. Please report any incorrect results at 
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.89 seconds

After the scan, the printer started printing pages -- most of the pages 
have some gibberish, but some are blank. I turned off the printer and 
restarted it and then was able to send real print jobs.

I tried the same against an HP OfficeJet Pro 7780 printer and got the 
following results.

server11$ nmap --allports --datadir . -PS9100-9107 -sV -p 9100-9107 
10.0.0.56

Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-12 23:00 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, 
try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds

The printer was up during this time and I am not sure why the scan is 
not working (pings etc. work)

If useful, I can try this again using OpenBSD 4.6 simce I recently 
received those CDs and report back to the list if it works differently. 
It may take me a few days to find a spare machine. Please let me know.

Thanks,

Vijay

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsankar () foretell ca

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org