PJL (Printer Job Language) - Port 9100

Basic info

What is Port 9100?

Port 9100 (JetDirect/AppSocket/Raw Printing) is a bidirectional TCP channel used for direct printer communication. Unlike LPD, IPP, or SMB printing protocols, port 9100 provides:

  • Direct data stream - No protocol overhead

  • Bidirectional communication - Immediate feedback

  • PJL command support - Printer configuration and control

  • PostScript/PCL processing - Document rendering

  • File system access - Read/write printer storage

Key Characteristics:

  • No authentication by default

  • Plaintext communication

  • Supported by virtually all network printers

  • Used by Windows, Linux (CUPS), and macOS

Printing Protocols Overview

Printer Job Language (PJL)

PJL is a command language that extends PCL and PostScript:

  • Printer configuration - Settings, modes, passwords

  • File system access - Read, write, delete files

  • Information gathering - Status, environment, capabilities

  • Job control - Print job management

  • Security - Access control (when implemented)

PJL Command Format:

Common Command Categories:

  1. INFO Commands - Gather information

  2. FS Commands - File system operations

  3. RDYMSG - Display messages

  4. PASSWORD - Access control

  5. USTATUS - Unsolicited status

PostScript (PS)

PostScript is a page description language:

  • Device-independent

  • Stack-based programming language

  • Can execute arbitrary code

  • File system access capabilities

Printer Control Language (PCL)

PCL (Printer Control Language):

  • HP's proprietary printer language

  • Simpler than PostScript

  • Less powerful but faster

  • Common in embedded systems

Default Port

Port 9100 - JetDirect/AppSocket

Additional Printer Ports:

  • 515 - LPD (Line Printer Daemon)

  • 631 - IPP (Internet Printing Protocol)

  • 9220 - HP JetDirect alternative

  • 161 - SNMP (printer management)

Reconnaissance & Enumeration

Port Scanning

Basic Nmap Scan

Sample Output:

Service Fingerprinting

Banner Grabbing

PJL Information Commands

Shodan Queries

Manual PJL Exploitation

Basic Information Gathering

Device Information

Configuration Details

File System Operations

List Directory

Download File

Upload File

Delete File

Display Messages

Ready Message Manipulation

Memory Operations

Dump Memory (Some Models)

PostScript Exploitation

PostScript File Operations

Send PostScript via Port 9100

Automated Exploitation with PRET

PRET (Printer Exploitation Toolkit)

Installation

Basic Usage

PRET Commands

Nmap Scripts

Metasploit Modules

Available Modules

Example Usage

Data Exfiltration Attacks

Capture Print Jobs via Port Mirroring

PostScript Print Job Interception

Memory Dump Attacks

Dump NVRAM

Access Print Job Storage

Credential Harvesting

SNMP Community Strings

Web Interface Credentials

Advanced Exploitation Techniques

Canon TrueType VM RCE (2025)

Vulnerability Overview

Affected: Canon ImageCLASS printers

Impact: Remote Code Execution via malicious TrueType fonts

CVE: Not assigned at time of research

Attack Vector:

  1. Send XPS document with malicious TrueType font

  2. Font hinting bytecode exploits VM stack

  3. Achieve arbitrary code execution

Exploitation Steps

1. Create Malicious XPS Document

2. Create Malicious TrueType Font

3. Package XPS File

4. Send to Printer

Technical Details:

  • CINDEX bug: Out-of-bounds stack read → info leak

  • DELTAP1 bug: Unchecked stack pivot → controlled writes

  • Exploitation: Leak stack pointer, pivot, write to function pointer

  • Result: PC (program counter) control → RCE

Permanent Denial of Service

Disable Printing

Factory Reset

Network Pivot

Discover Other Printers

Use Printer as Proxy

Persistence Mechanisms

Backdoor Accounts

Web Interface Backdoor

Firmware Backdoor

Replace Legitimate Files

Job Scheduling

Periodic Callback

Defense & Hardening

Network Segmentation

Isolate Printers

Disable Unnecessary Services

Printer Configuration

Disable PJL

Firmware Updates

Access Control

Printer Passwords

Monitoring & Detection

Network Monitoring

Log Analysis

Intrusion Detection

Physical Security

Tools & Scripts

Essential Tools

  1. PRET - Printer Exploitation Toolkit

  2. Metasploit - Printer modules

  3. Nmap - Discovery and scanning

  4. tcpdump/Wireshark - Traffic analysis

  5. netcat - Manual PJL commands

Custom PJL Script

Cheat Sheet

Quick Reference

Key PJL Commands

Important File Paths

Conclusion

Network printers represent a critical attack surface that combines data theft, network pivoting, and even remote code execution capabilities. The combination of no authentication, powerful PJL commands, and sophisticated vulnerabilities like TrueType VM exploits makes exposed printers extremely dangerous.

Key Takeaways:

  1. Never expose printers to the internet - Internal network only

  2. Network segmentation - Separate VLAN for printers

  3. Disable raw printing - Use authenticated protocols (IPP)

  4. Firmware updates - Regular patching is critical

  5. Monitor printer traffic - IDS rules for PJL

  6. Physical security - Control access to printers

  7. Secure print - PIN-based job release

  8. Password protect - Enable PJL passwords where possible

  9. Regular audits - Check configurations and access

  10. Defense in depth - Multiple security layers
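
For takeaway 5, a sketch of the detection logic a sensor on the printer VLAN could apply to reassembled port 9100 payloads, sorting each PJL command into the five categories listed earlier. This is an added example, not code from the original page or from any tool it names; the function names, the severity mapping and the sample payload are assumptions made for illustration.

```python
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence that brackets PJL jobs
# PJL commands start a line with "@PJL"; anything mid-line is job data, not a command.
PJL_LINE = re.compile(rb"^@PJL[ \t]+([^\r\n]*)", re.MULTILINE)

# Severity per category is an assumption made for this example.
SEVERITY = {"FS": "high", "PASSWORD": "high", "RDYMSG": "medium",
            "INFO": "low", "USTATUS": "low", "OTHER": "info"}

def classify(args: str) -> str:
    """Map the text after '@PJL' to one of the page's five command categories."""
    upper = args.upper()  # keywords are matched case-insensitively
    verb = upper.split(None, 1)[0] if upper.strip() else ""
    if verb.startswith("FS"):
        return "FS"
    for name in ("RDYMSG", "INFO", "USTATUS"):
        if verb.startswith(name):
            return name
    # PASSWORD is a variable set through other verbs (e.g. DEFAULT, JOB).
    if re.search(r"\bPASSWORD\b", upper):
        return "PASSWORD"
    return "OTHER"

def analyze(stream: bytes) -> list:
    """Return one event per PJL command found in a raw port-9100 byte stream."""
    text = stream.replace(UEL, b"\n")  # UEL may share a line with the first command
    events = []
    for m in PJL_LINE.finditer(text):
        args = m.group(1).decode("latin-1").strip()
        cat = classify(args)
        events.append({"category": cat, "severity": SEVERITY[cat], "command": args})
    return events

def alerts(stream: bytes) -> list:
    """Keep only the events a printer-VLAN sensor would escalate."""
    return [e for e in analyze(stream) if e["severity"] in ("high", "medium")]

# Constructed sample payload (not a capture from a real device).
SAMPLE = (UEL + b"@PJL INFO ID\r\n"
          b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=99\r\n'
          b'@PJL RDYMSG DISPLAY="TEST"\r\n'
          b"@PJL DEFAULT PASSWORD=12345\r\n"
          b"@PJL ENTER LANGUAGE=PCL\r\n"
          b"\x1bE job data that mentions @PJL FSDELETE mid-line\r\n" + UEL)

if __name__ == "__main__":
    for e in alerts(SAMPLE):
        print(e["severity"], e["category"], e["command"])
```

Ordinary print jobs produce only OTHER and low-severity events here, so file system, password and ready-message commands stand out against normal traffic.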

Attack Vectors:

  • No authentication on port 9100

  • PJL file system access

  • Print job capture

  • Memory dumps (NVRAM)

  • PostScript code execution

  • TrueType VM exploitation (RCE)

  • Display message manipulation

  • Network pivoting

  • Credential harvesting

Remember to only perform these techniques during authorized security assessments. Unauthorized access is illegal and unethical.

Additional Resources
