Nmap Development mailing list archives

NSE PJL proof of concept


From: Aaron Leininger <rilian4 () hotmail com>
Date: Fri, 10 Jul 2009 08:25:09 -0700


A few months back, there was a discussion on list about HP printers and detection using nmap. It came up in the 
discussion that HP LaserJets allow a lot of access w/o any password protection. As a way to try and figure out how to 
do some simple things using NSE, I have tried to write a proof of concept script that will alter the display message on 
a LaserJet. The PJL command to do this is very simple. You can telnet into port 9100 on a LaserJet and issue:
@PJL RDYMSG DISPLAY = "Test Message"
and the words TEST MESSAGE will show on the printer's display immediately. 

I have an NSE script that appears to run and send the correct string to the printer but the display does not change. I 
am hoping one of you gurus can help me along and tell me what I am doing wrong or missing. Below is my code and the 
output generated by nmap when run w/ script-trace enabled. I am using nmap4.85beta10 on SUSE Linux. 

Thank you!
Aaron

Here is my code: 

id="Printer display setting script"
description="Proof of concept that will change the display message on the target printer"
author = "Aaron Leininger <rilian4 () hotmail com>" 
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {"intrusive"}

require "nmap"
require "shortport"
portrule = shortport.port_or_service(9100, "jetdirect")

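action = function(host, port)
    -- PJL command string; sent exactly as written here (36 bytes in the trace below)
    local rdymsg="@PJL RDYMSG DISPLAY = \"Test Message\""
    local socket = nmap.new_socket()
    socket:set_timeout(1000)
    -- close the socket if connect or send fails (local, so it does not leak into the global scope)
    local try = nmap.new_try(function() socket:close() end)
    try(socket:connect(host.ip, port.number))
    try(socket:send(rdymsg))
    socket:close()
    -- report the string that was sent as the script output
    return(rdymsg)
end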
==================
output: (ip addresses anonymized)
#nmap -p9100 --script-trace --script=./hprdymsg.nse printerip

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-09 13:54 PDT
Warning: File ./nselib/ exists, but Nmap is using /usr/local/share/nmap/nselib/ for security and consistency reasons.  
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
NSOCK (0.1870s) nsock_loop() started (timeout=50ms). 0 events pending
NSOCK (0.1870s) TCP connection requested to printerip:9100 (IOD #1) EID 8
NSOCK (0.1880s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1890s) Callback: CONNECT SUCCESS for EID 8 [10.4.10.72:9100]
NSE: TCP hostip:33066 > printerip:9100 | CONNECT
NSOCK (0.1900s) nsock_loop() started (timeout=50ms). 0 events pending
NSE: TCP hostip:33066 > printerip:9100 | @PJL RDYMSG DISPLAY = "Test Message"
NSOCK (0.1900s) Write request for 36 bytes to IOD #1 EID 19 [10.4.10.72:9100]: @PJL RDYMSG DISPLAY = "Test Message"
NSOCK (0.1900s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.1900s) Callback: WRITE SUCCESS for EID 19 [printerip:9100]
NSOCK (0.1910s) nsock_loop() started (timeout=50ms). 0 events pending
NSE: TCP hostip:33066 > printerip:9100 | CLOSE
Interesting ports on ths-tigernet-p2.ttsd.k12.or.us (10.4.10.72):
PORT     STATE SERVICE
9100/tcp open  jetdirect
|_ hprdymsg: @PJL RDYMSG DISPLAY = "Test Message"

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
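
Added example (not part of the original message and not Nmap project code): a check of the NSOCK write line from the trace above, comparing the byte count NSOCK reports with the length of the visible command. PJL commands are line-oriented and end with LF (optionally preceded by CR), which a telnet session sends when Enter is pressed. The function names and the "extra bytes mean a terminator" heuristic are assumptions of this example.

```python
import re

# The NSOCK write line from the --script-trace output in the message above.
TRACE = (
    'NSOCK (0.1900s) Write request for 36 bytes to IOD #1 EID 19 '
    '[10.4.10.72:9100]: @PJL RDYMSG DISPLAY = "Test Message"\n'
)
# Constructed line: the same write if CR LF had been appended (36 + 2 bytes).
TRACE_TERMINATED = TRACE.replace("for 36 bytes", "for 38 bytes")

WRITE_RE = re.compile(
    r"Write request for (\d+) bytes to IOD #\d+ EID \d+ \[[^\]]+\]: (@PJL .*)"
)

def frame_pjl(command):
    """Return a PJL command as bytes with the CR LF line terminator appended."""
    return command.encode("ascii") + b"\r\n"

def check_pjl_writes(trace):
    """Return one finding per single-line PJL write found in an NSOCK trace.

    Assumption: the byte count NSOCK prints is the payload length, so any
    bytes beyond the visible command text are an unprinted line terminator.
    """
    findings = []
    for line in trace.splitlines():
        m = WRITE_RE.search(line)
        if not m:
            continue
        declared, command = int(m.group(1)), m.group(2)
        visible = len(command.encode("latin-1"))
        findings.append({
            "command": command,
            "declared": declared,
            "visible": visible,
            "terminated": declared - visible >= 1,
        })
    return findings

if __name__ == "__main__":
    for f in check_pjl_writes(TRACE) + check_pjl_writes(TRACE_TERMINATED):
        state = "terminated" if f["terminated"] else "NO line terminator"
        print(f'{f["declared"]} bytes on the wire, {f["visible"]} visible: {state}')
```

For the trace in the message, the 36 bytes written equal the 36 visible characters of the command, so no CR or LF followed it on the wire.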