
lexmark-config NSE Script

2010-01-29 21:04:25
Patrik Karlsson
nmap.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Retrieves configuration information from a Lexmark S300-S400 printer.

The Lexmark S302 responds to the NTPRequest version probe with its configuration. The response decodes as mDNS, so the request was modified to resemble an mDNS request as closely as possible. However, the port (9100/udp) is listed as something completely different (HBN3) in documentation from Lexmark. See <http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf>.

Example Usage

nmap -sU -p 9100 --script=lexmark-config <target>

Script Output

Interesting ports on 192.168.1.111:
PORT     STATE   SERVICE REASON
9100/udp unknown unknown unknown-response
| lexmark-config:
|   IPADDRESS: 10.46.200.170
|   IPNETMASK: 255.255.255.0
|   IPGATEWAY: 10.46.200.2
|   IPNAME: "ET0020006E4A37"
|   MACLAA: "000000000000"
|   MACUAA: "0004007652EC"
|   MDNSNAME: "S300-S400 Series (32)"
|   ADAPTERTYPE: 2
|   IPADDRSOURCE: 1
|   ADAPTERCAP: "148FC000"
|   OEMBYTE: 1 0
|   PASSWORDSET: FALSE
|   NEWPASSWORDTYPE: TRUE
|   1284STRID: 1 "S300-S400 Series"
|   CPDATTACHED: 1 1
|   SECUREMODE: FALSE
|   PRINTERVIDPID: 1 "043d0180"
|_  product=(S300-S400: Series)

Requires


local dns = require "dns"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

-- NSE script metadata: the description Nmap shows for this script (for example
-- via --script-help). The text is read at runtime, so it is program data.
description = [[
Retrieves configuration information from a Lexmark S300-S400 printer.

The Lexmark S302 responds to the NTPRequest version probe with its
configuration. The response decodes as mDNS, so the request was modified
to resemble an mDNS request as close as possible. However, the port
(9100/udp) is listed as something completely different (HBN3) in
documentation from Lexmark. See
http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf.
]]


---
--@usage
-- nmap -sU -p 9100 --script=lexmark-config <target>
--@output
-- Interesting ports on 192.168.1.111:
-- PORT     STATE   SERVICE REASON
-- 9100/udp unknown unknown unknown-response
-- | lexmark-config:
-- |   IPADDRESS: 10.46.200.170
-- |   IPNETMASK: 255.255.255.0
-- |   IPGATEWAY: 10.46.200.2
-- |   IPNAME: "ET0020006E4A37"
-- |   MACLAA: "000000000000"
-- |   MACUAA: "0004007652EC"
-- |   MDNSNAME: "S300-S400 Series (32)"
-- |   ADAPTERTYPE: 2
-- |   IPADDRSOURCE: 1
-- |   ADAPTERCAP: "148FC000"
-- |   OEMBYTE: 1 0
-- |   PASSWORDSET: FALSE
-- |   NEWPASSWORDTYPE: TRUE
-- |   1284STRID: 1 "S300-S400 Series"
-- |   CPDATTACHED: 1 1
-- |   SECUREMODE: FALSE
-- |   PRINTERVIDPID: 1 "043d0180"
-- |_  product=(S300-S400: Series)

-- Version 0.3
-- Created 01/03/2010 - v0.1 - created by Patrik Karlsson
-- Revised 01/13/2010 - v0.2 - revised script to use dns library
-- Revised 01/23/2010 - v0.3 - revised script to use the proper ports

-- Script metadata read by Nmap.
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "discovery": the script reports device configuration rather than a flaw;
-- "safe": it sends a single DNS-style query and only reads the reply.
categories = {"discovery", "safe"}


-- Run against UDP 5353 (mDNS) and UDP 9100 (the port Lexmark documents as
-- HBN3, see the description above). shortport.portnumber matches on port
-- number and protocol, so the service name Nmap guessed for the port does
-- not matter.
portrule = shortport.portnumber({5353,9100}, "udp")

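--- Script action: sends an mDNS-style PTR query to the printer and formats
-- the TXT records it returns as "KEY: value" lines.
--
-- The TXT payload comes from the device and is treated as opaque text; it is
-- only passed through stdnse.format_output, never interpreted.
--
-- @param host the host table supplied by Nmap (host.ip is used)
-- @param port the port table supplied by Nmap (port.number is used; on a
--             decoded reply the port is set to open and version-probed)
-- @return formatted output string, or nil when no usable reply was received
action = function( host, port )

  -- Empty-name PTR query; the raw packet is requested so the TXT answers can
  -- be extracted from the reply below. Distinct status locals avoid the
  -- shadowed `status` of the original.
  local query_ok, response = dns.query( "", { port = port.number, host = host.ip, dtype="PTR", retPkt=true} )
  if not query_ok then
    return
  end

  local answer_ok, txtrecords = dns.findNiceAnswer( dns.types.TXT, response, true )
  if not answer_ok then
    return
  end

  local result = {}
  for _, record in ipairs( txtrecords ) do
    if record:len() > 0 then
      -- The record carrying the USB VID/PID is used as the fingerprint of the
      -- Lexmark service; only then is the service name reported.
      -- Plain find: the needle is literal text, not a pattern.
      if record:find("PRINTERVIDPID", 1, true) then
        port.version.name = "hbn3"
      end
      -- "KEY value" records become "KEY: value"; the product= record already
      -- has its own separator. gsub's second return (count) is dropped.
      local line = record
      if not record:find("product=", 1, true) then
        line = (record:gsub(" ", ": ", 1))
      end
      result[#result + 1] = line
    end
  end

  -- A decoded reply proves the port is open even if every TXT record was empty.
  nmap.set_port_state(host, port, "open")
  nmap.set_port_version(host, port)

  -- Nothing to show: return nil so Nmap prints no empty script block.
  if #result == 0 then
    return
  end

  return stdnse.format_output(true, result)
end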

