summaryrefslogtreecommitdiffstats
path: root/scripts/lexmark-config.nse
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--scripts/lexmark-config.nse88
1 files changed, 88 insertions, 0 deletions
diff --git a/scripts/lexmark-config.nse b/scripts/lexmark-config.nse
new file mode 100644
index 0000000..c951257
--- /dev/null
+++ b/scripts/lexmark-config.nse
@@ -0,0 +1,88 @@
+local dns = require "dns"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+
+description = [[
+Retrieves configuration information from a Lexmark S300-S400 printer.
+
+The Lexmark S302 responds to the NTPRequest version probe with its
+configuration. The response decodes as mDNS, so the request was modified
+to resemble an mDNS request as close as possible. However, the port
+(9100/udp) is listed as something completely different (HBN3) in
+documentation from Lexmark. See
+http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf.
+]]
+
+
+---
+--@usage
+-- nmap -sU -p 9100 --script=lexmark-config <target>
+--@output
+-- Interesting ports on 192.168.1.111:
+-- PORT STATE SERVICE REASON
+-- 9100/udp unknown unknown unknown-response
+-- | lexmark-config:
+-- | IPADDRESS: 10.46.200.170
+-- | IPNETMASK: 255.255.255.0
+-- | IPGATEWAY: 10.46.200.2
+-- | IPNAME: "ET0020006E4A37"
+-- | MACLAA: "000000000000"
+-- | MACUAA: "0004007652EC"
+-- | MDNSNAME: "S300-S400 Series (32)"
+-- | ADAPTERTYPE: 2
+-- | IPADDRSOURCE: 1
+-- | ADAPTERCAP: "148FC000"
+-- | OEMBYTE: 1 0
+-- | PASSWORDSET: FALSE
+-- | NEWPASSWORDTYPE: TRUE
+-- | 1284STRID: 1 "S300-S400 Series"
+-- | CPDATTACHED: 1 1
+-- | SECUREMODE: FALSE
+-- | PRINTERVIDPID: 1 "043d0180"
+-- |_ product=(S300-S400: Series)
+
+-- Version 0.3
+-- Created 01/03/2010 - v0.1 - created by Patrik Karlsson
+-- Revised 01/13/2010 - v0.2 - revised script to use dns library
+-- Revised 01/23/2010 - v0.3 - revised script to use the proper ports
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+
+
+portrule = shortport.portnumber({5353,9100}, "udp")
+
+action = function( host, port )
+
+ local result = {}
+ local status, response = dns.query( "", { port = port.number, host = host.ip, dtype="PTR", retPkt=true} )
+ if ( not(status) ) then
+ return
+ end
+ local status, txtrecords = dns.findNiceAnswer( dns.types.TXT, response, true )
+ if ( not(status) ) then
+ return
+ end
+
+ for _, v in ipairs( txtrecords ) do
+ if ( v:len() > 0 ) then
+ if v:find("PRINTERVIDPID") then
+ port.version.name="hbn3"
+ end
+ if not v:find("product=") then
+ v = v:gsub(" ", ": ", 1)
+ end
+ table.insert( result, v )
+ end
+ end
+
+ -- set port to open
+ nmap.set_port_state(host, port, "open")
+ nmap.set_port_version(host, port)
+
+ return stdnse.format_output(true, result)
+end
+