Some thought about network printers security

Network printers use a various amount of protocols and firmwares which differ from vendor to vendor and model to model.
Obviously, every firmware (and protocol) could be vulnerable and exploitable but, a printer could be an attack vector?

Why would I even want to target a printer in the first place?
Why not just target desktop or server environments with malware as usual?

Well, in some case exploiting a printer is more simple: printers uses GNU/Linux based embedded operating systems, in a lot of cases not updated for recent vulnerability.

Furthermore, sysadmins often uses less attention for security in this kind of devices, that they’re not usually seen as a real system with exploitable vulnerabilities.

Below some fundamentals (courtesy of


Printer uses different operating systems for embedded devices.

Some examples:

Network printing protocols

The most common printing protocols supported directly by network printers are LPD and IPP.
Some devices support printing over generic protocols such as FTP or HTTP file uploads as well.


LPD is short for ‘Line Printer Daemon’ protocol.
It runs on port 515/TCP and can be accessed by using ‘lpr’ over the CLI.
In order to start a print, the client sends a control file defining job/username and a data file containing the actual data to be printed.


IPP is a protocol based on HTTP, so it inherits all existing security features like basic authentication and SSL/TLS encryption.
For example CUPS is an IPP implementation, which is a default printing system in many Linux distributions and OSX.


Server Message Block is an application-layer network protocol, which handles file and printer sharing, used by default on Windows.

Port 9100

Also known as ‘raw printing’, is the default method used by CUPS and the Windows printing architecture: all data sent is directly processed by the printing device, just like a parallel connection over TCP.

Printer Control Languages

Printer control and management languages are designed to control not only a single print job but the device as a whole.


Simple Network Management Protocol listens on 161/UDP and was originally designed to manage network components


Printer Job Language can be used to manipulate general settings.
There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones.


Page Description Languages is one basically specifies how the actual document will look like appearance wise.

PostScript (PS)

Is well known and made by Adobe and is widely used as a PDL.
PS is capable of far more than just defining the appearance of the document and handling vector graphics though.


How can i check if my printer is secure?

Jens Mueller, in the scope of his Master’s Thesis at Ruhr University Bochum, has developed a python tool for printer security testing, named PRET:

It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device.

Here the full paper:


First, install third party modules needed for colored output and SNMP support:

# pip install colorama pysnmp

Then, for experimental, ‘driverless’ printing you need to install ImageMagick and GhostScript:

# apt-get install imagemagick ghostscript

Finally, clone the git repository:

$ git clone


usage: [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}

positional arguments:
  target                printer device or hostname
  {ps,pjl,pcl}          printing language to abuse

optional arguments:
  -h, --help            show this help message and exit
  -s, --safe            verify if language is supported
  -q, --quiet           suppress warnings and chit-chat
  -d, --debug           enter debug mode (show traffic)
  -i file, --load file  load and run commands from file
  -o file, --log file   log raw data sent to the target
Example usage:
$ ./ laserjet.lan ps
$ ./ /dev/usb/lp0 pjl