Nmap 7.91 - Aggressive option (-A) print unwanted documents #2237

Closed
Grizzly2000 opened this issue Jan 25, 2021 · 3 comments
Grizzly2000 commented Jan 25, 2021

Hi !! :)

Describe the bug
The aggressive option '-A' used against printers produces an unwanted print: a binary blob containing 'random1random2...'.
The printed payload 'random1random2...' is located here: "/usr/share/nmap/nselib/shortport.lua", line 261.

To Reproduce
Run the following command on a printer device :

nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Expected behavior
The aggressive option '-A' used against printers should not print anything (as with nmap version 7.80+dfsg1-2build1).

Version info :

  • Output of 'uname -a'
Linux hive 5.4.88-1-lts #1 SMP Sat, 09 Jan 2021 14:02:47 +0000 x86_64 GNU/Linux
  • Output of nmap --version:
Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.6 openssl-1.1.1h libssh2-1.9.0 libz-1.2.11 libpcre-8.44 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Debug output of nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 17:12 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
Initiating ARP Ping Scan at 17:12
Scanning X.X.X.34 [1 port]
Completed ARP Ping Scan at 17:12, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:12
Scanning X.X.X.34 [1 port]
Discovered open port 9100/tcp on X.X.X.34
Completed SYN Stealth Scan at 17:12, 0.09s elapsed (1 total ports)
Initiating Service scan at 17:12
Initiating OS detection (try #1) against X.X.X.34
NSE: Script scanning X.X.X.34.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | 00000000: 16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72     i   e  U   r
00000010: 61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e andom1random2ran
00000020: 64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f dom3random4    /
00000030: 00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d      9       0  
00000040: 00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02  , *            
00000050: 02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03                 
00000060: 04 02 01 01 01 03 01 02 05 01 05 03 05 02                     

NSOCK INFO [2.3680s] nsock_write(): Write request for 110 bytes to IOD #1 EID 19 [X.X.X.34:9100]
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | SEND
NSOCK INFO [2.3680s] nsock_read(): Read request from IOD #1 [X.X.X.34:9100] (timeout: 7000ms) EID 26
NSOCK INFO [9.3680s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 26 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CLOSE
NSOCK INFO [9.3680s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [9.3680s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [9.3680s] nsock_connect_tcp(): TCP connection requested to X.X.X.34:9100 (IOD #2) EID 32
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | 00000000: 16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba     S   O  ?G   
00000010: 2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77 ,   `~    {    w
00000020: 9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16     <= o  n  (  
00000030: 00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63      f     e d c
00000040: 00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11  b a `          
00000050: 00 08 00 06 00 03 01 00                                 

NSOCK INFO [9.3710s] nsock_write(): Write request for 88 bytes to IOD #2 EID 43 [X.X.X.34:9100]
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | SEND
NSOCK INFO [9.3710s] nsock_read(): Read request from IOD #2 [X.X.X.34:9100] (timeout: 7000ms) EID 50
NSOCK INFO [16.3710s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 50 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CLOSE
NSOCK INFO [16.3710s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
Completed NSE at 17:13, 14.02s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Nmap scan report for X.X.X.34
Host is up, received arp-response (0.0022s latency).
Scanned at 2021-01-25 17:12:58 CET for 16s

PORT     STATE SERVICE    REASON         VERSION
9100/tcp open  jetdirect? syn-ack ttl 64 Excluded from version scan
MAC Address: 3C:2A:F4:35:4D:82 (Brother Industries)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/25%OT=9100%CT=%CU=37458%PV=Y%DS=1%DC=D%G=N%M=3C2AF4%
OS:TM=600EEE1A%P=x86_64-unknown-linux-gnu)SEQ(SP=F9%GCD=1%ISR=10E%II=I%TS=A
OS:)OPS(O1=M5B4NW0NNSNNT11%O2=M578NW0NNSNNT11%O3=M280NW0NNT11%O4=M5B4NW0NNS
OS:NNT11%O5=M218NW0NNSNNT11%O6=M109NNSNNT11)WIN(W1=21F0%W2=2088%W3=2258%W4=
OS:21F0%W5=20C0%W6=209D)ECN(R=Y%DF=N%T=40%W=2238%O=M5B4NW0NNS%CC=N%Q=)T1(R=
OS:Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)U1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=FF%CD=S)

Uptime guess: 2.974 days (since Fri Jan 22 17:50:58 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

TRACEROUTE
HOP RTT     ADDRESS
1   2.20 ms X.X.X.34

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds
           Raw packets sent: 24 (1.850KB) | Rcvd: 16 (1.042KB)

Thank you for your tools!
Thank you in advance!
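To see what the printer actually received, here is an added example (my own code, not Nmap's and not part of the original issue) that decodes the two probe dumps from the --script-trace output above as TLS records. The bytes are transcribed from the two hexdumps; the field layout is the standard TLS record and ClientHello framing, parsed by hand so no TLS library is needed. Nothing about Nmap's internals is assumed: the parser only reads what is on the wire.

```python
# Added example: decode the probes that the --script-trace output above shows
# being written to TCP/9100. Bytes transcribed from the two hexdumps.
import struct

# First dump: 110 bytes ("Write request for 110 bytes").
PROBE1_HEX = """
16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72
61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e
64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f
00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d
00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02
02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03
04 02 01 01 01 03 01 02 05 01 05 03 05 02
"""
# Second dump: 88 bytes ("Write request for 88 bytes").
PROBE2_HEX = """
16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba
2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77
9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16
00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63
00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 01 00
"""
PROBE1 = bytes.fromhex(PROBE1_HEX)
PROBE2 = bytes.fromhex(PROBE2_HEX)

CONTENT_HANDSHAKE = 0x16       # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
EXT_SIGNATURE_ALGORITHMS = 0x000D


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello into its fields.
    Raises ValueError if the framing is not that of a ClientHello."""
    if len(data) < 5 or data[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    client_version = (hello[0], hello[1])
    pos = 2
    random = hello[pos:pos + 32]                  # 4-byte time + 28 random bytes
    pos += 32
    sid_len = hello[pos]
    pos += 1
    session_id = hello[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1
    compression = list(hello[pos:pos + comp_len])
    pos += comp_len
    extensions = {}                               # absent in SSLv3-style hellos
    if pos < len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions[etype] = hello[pos:pos + elen]
            pos += elen
    return {"record_version": record_version, "client_version": client_version,
            "random": random, "session_id": session_id, "cipher_suites": suites,
            "compression": compression, "extensions": extensions}


def parse_signature_algorithms(ext: bytes) -> list:
    """Decode a signature_algorithms extension body into (hash, sig) pairs."""
    n = struct.unpack("!H", ext[:2])[0]
    return [(ext[i], ext[i + 1]) for i in range(2, 2 + n, 2)]


def legible_text(data: bytes, min_run: int = 4) -> list:
    """Runs of at least min_run printable ASCII bytes: roughly what a raw-port
    printer renders as readable text when it dumps the probe onto paper."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if 0x20 <= b <= 0x7E:
            cur.append(b)
        else:
            if len(cur) >= min_run:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


if __name__ == "__main__":
    for probe in (PROBE1, PROBE2):
        h = parse_client_hello(probe)
        print(h["client_version"], [hex(s) for s in h["cipher_suites"]],
              sorted(h["extensions"]), legible_text(probe))
```

The first dump is a TLS 1.2 ClientHello (record version 3.0, client version 3.3) whose 28-byte random is the literal string "random1random2random3random4", with six cipher suites ending in 0x00ff (the renegotiation SCSV) and a single signature_algorithms extension; that fixed string is the only run of printable bytes in the payload, which is why it is what shows up on paper. The second dump is an SSLv3-style hello (client version 3.0, twenty suites, no extensions) with a genuinely random random field, so it prints as pure noise.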

@dmiller-nmap
Thanks for this report. Because of the risk of printing garbage data from our version detection probes, Nmap specifically excludes ports 9100-9107 from being probed with -sV. The data printed in your case is coming from further probing within the ssl-* NSE scripts, which attempt their own probes if -sV did not do so. I will correct this to check whether the port ought to be excluded from probing like this.
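The check the maintainer describes, as an added example in Python (my own illustration, not Nmap's implementation): read the Exclude directive that -sV honours from an nmap-service-probes style file, and ask whether a script should send its own probe to a given port before doing so. The file excerpt is constructed; the port-spec syntax ("T:"/"U:" prefixes, comma-separated ports and ranges, a prefix staying in force until the next one) is my reading of the -p syntax rather than a copy of Nmap's parser, and the allports flag stands in for --allports, which lifts the exclusion.

```python
# Added example, not Nmap code: a -sV style port-exclusion check that an NSE
# script could apply before sending its own probe to a printer port.
import re

# Constructed excerpt in the style of nmap-service-probes (not the real file).
SAMPLE_PROBES = """\
# Ports that must never receive version probes (raw printer ports).
Exclude T:9100-9107
Probe TCP NULL q||
"""

PORT_ITEM = re.compile(r"(?:([TU]):)?(\d+)(?:-(\d+))?")


def parse_port_spec(spec: str) -> dict:
    """Parse "T:9100-9107,U:161" style specs into {"tcp": set, "udp": set}.
    Assumption (my reading of -p syntax): a T:/U: prefix stays in force for
    the following items until another prefix appears; items before any
    prefix apply to both protocols."""
    excluded = {"tcp": set(), "udp": set()}
    protos = ("tcp", "udp")
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = PORT_ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"bad port spec item: {item!r}")
        if m.group(1) == "T":
            protos = ("tcp",)
        elif m.group(1) == "U":
            protos = ("udp",)
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        for proto in protos:
            excluded[proto].update(range(lo, hi + 1))
    return excluded


def load_exclude_directive(probes_text: str) -> dict:
    """Merge every 'Exclude <portspec>' line of a probes file into one table."""
    merged = {"tcp": set(), "udp": set()}
    for line in probes_text.splitlines():
        line = line.strip()
        if line.startswith("Exclude "):
            for proto, ports in parse_port_spec(line[len("Exclude "):]).items():
                merged[proto] |= ports
    return merged


def should_probe(port: int, proto: str, excluded: dict, allports: bool = False) -> bool:
    """Mirror the decision -sV makes: never touch an excluded port unless the
    operator explicitly asked for all ports (stand-in for --allports)."""
    return allports or port not in excluded[proto]


def plan_script_probes(open_ports, excluded: dict, allports: bool = False) -> dict:
    """Split a list of (port, proto) into ports a script may probe itself and
    ports it must leave alone; the latter is what a printer-safe script rule
    would report instead of sending a ClientHello."""
    plan = {"probe": [], "skip": []}
    for port, proto in open_ports:
        key = "probe" if should_probe(port, proto, excluded, allports) else "skip"
        plan[key].append((port, proto))
    return plan


if __name__ == "__main__":
    ex = load_exclude_directive(SAMPLE_PROBES)
    print(plan_script_probes([(443, "tcp"), (9100, "tcp"), (9100, "udp")], ex))
```

Usage: load the table once (as -sV does) and have every script that sends its own payload, the ssl-* family included, consult should_probe before connecting; with allports=True the behaviour collapses back to "probe everything", which matches the intent of --allports and keeps the exclusion an operator decision rather than a silent one.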

b1gy7 commented Nov 22, 2023

Well, I have the same problem as of nmap version 7.94SVN. When I scan printers with the -A option I get the same behaviour as described above (the printer starts printing about 70 or more pages with binary and HTTP data on them). I fixed it temporarily by not using the -A option.

b1gy7 commented Dec 11, 2023

I found out that this bug does not have anything to do with the options used in the nmap command. This behaviour happens when Nmap scans the RAW ports of a printer (vendor specific; in my case 9100-9109 and/or 9112-9116). If you exclude those ports the behaviour is not triggered. This happens because of the functionality and the initial design of those ports: if they are not secured/filtered they will print anything you send to those specific ports (for example, netcatting a PostScript file with a simple "Hello World" output in it). It would be very useful if nmap could check for this scenario before targeting those ports. It doesn't make any sense to scan those ports if anything sent to them gets printed out, or, if I am wrong, I'll gladly accept a better explanation of why that should be the case.
