Nmap Development mailing list archives

Re: Lexmark matches


From: Patrik Karlsson <patrik () labb1 com>
Date: Tue, 12 Jan 2010 22:35:41 +0100


On 12 jan 2010, at 21.59, David Fifield wrote:

On Mon, Jan 04, 2010 at 11:05:46AM +0100, Patrik Karlsson wrote:
Hi,

I recently purchased a new Lexmark printer. I have added match lines for FTP and port 9100/udp that gets detected by 
the NTPRequest probe. Port 9100/udp should be running the hbn3 protocol according to:
http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf

Hmm, this HBN3 protocol is mysterious.

Indeed. 


"Lexmark 7500 Series Printer - GPL?"
http://blog.trumpton.org.uk/2008/12/lexmark-x7500-multi-function-printer.html
"Lexmark Reverse Engineering Project"
http://www.awakecoding.com/index.php?view=article&id=9
"Lexmark x4690 Reverse Engineering"
http://www.binrev.com/forums/index.php/topic/40882-lexmark-x4690-reverse-engineering/

As best as I can tell, the "HBN3" running on TCP and UDP is different.
The web pages say that 9100/tcp looks like JetDirect and you've found
that 9100/udp looks like mDNS.
Yes, the protocols on tcp and udp are different, but I have not done that much digging to be quite honest.
I left tcpdump running when installing the drivers just to see how discovery was done.
What I do know is that 9100/tcp is also used when scanning over the network.

I committed your patch. I used your provisional name of hbn3 for the
service, but if it turns out to really be mDNS then we can relabel it.

Sounds good!

That's one of the things I like about Nmap, when it can cut through the
marketing speak and determine that some whiz-bang administrative
protocol is really Telnet or something like that.

I agree, that really is impressive. I also like how probes for a particular protocol end up triggering responses for 
some completely different protocol.

I'm looking at the HBN3 script now.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


//Patrik
--
Patrik Karlsson
http://www.cqure.net





