Re: Undocumented telnet access to Brother HL-2280DW
On Mon, 30 Dec 2013 00:00:51 +0400 Reco recovery...@gmail.com wrote:

> On Sun, 29 Dec 2013 13:52:13 -0500 Celejar cele...@gmail.com wrote:
>
> > > This: http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF
> > > gave me an idea - they run telnet, but they use some variation of tcp wrappers which forbids any telnet connections (possibly other services too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or 169.254.0.0/16).
> >
> > What did you see there (what page)?
>
> Nothing in particular, just a guess. Manufacturers like to do stuff like this. Best of them think 'like, everyone and their dog uses 192.168.0.0/24 for the home network, let's secure our product by denying access from anyone outside'. Of course, to hardcode 192.168.0.0/24 is the easiest these guys can do. So, I browsed that pdf, searched for IPs, and sure enough, there was 192.168.0.1 as a default gateway example and 192.168.0.5 as a printer example, and some explanation of LLNR.
>
> > I tried telnetting from my router, an OpenWrt box with address 192.168.0.1, and I get:
> >
> >   Entering character mode
> >   Escape character is '^]'.
> >
> > And then pretty much the same thing: no response, and eventual disconnect after several carriage returns.
>
> So, no luck. Maybe it requires some engineering password first. Can you dump the firmware from the printer?

Not sure - even the process to upload new firmware doesn't give a firmware file, just an .exe upload tool - don't know if the firmware is embedded therein, or if it tries to download it from somewhere. I ran strings against it, but couldn't find anything for '23' or 'telnet':

http://welcome.solutions.brother.com/bsc/public/us/us_ot/en/dlf/download_index.html?reg=usc=us_otlang=enprod=hl2280dw_ustype2=4os=allflang=alldlid=

> Reco

Celejar
Re: Undocumented telnet access to Brother HL-2280DW
On 29/12/2013 20:00, Reco wrote:

> So, no luck. Maybe it requires some engineering password first.

I used to have a Brother inkjet MFP, and had also considered a laser-based MFP. Both the devices I looked at stated, in their manuals, that Telnet could be used, seemingly in the context of 'changing' the device's already assigned IP address. (This info was in the 'advanced users' troubleshooting section, perhaps because making a mistake when changing an IP address of something being accessed could lead to problems ... )

The manual set out these steps for using Telnet:

Type TELNET ipaddress at the command prompt.

When you are connected, press Enter to receive the '#' prompt, and enter the password 'access' (ie, just the letters, not the ' symbols), the password will not appear on the screen.

You will be prompted for a user name, enter anything in response.

You will then get the prompt:

  Local

Type SET IP ADDRESS ipaddress (ipaddress is the 'new' IP address you want the printer to have), for example:

  SET IP ADDRESS 192.168.1.3

and you can (would need to, actually) set the subnet mask as well with SET IP SUBNET subnetmask, for example:

  SET IP SUBNET 255.255.255.0

You can set up a gateway address with SET IP ROUTER routeraddress, eg:

  SET IP ROUTER 192.168.1.4

You can force this static IP setting method to be remembered with

  SET IP METHOD STATIC

To verify that your settings are correct, you can type

  SHOW IP

(though this surprises me - at some point, the IP address will have changed, but the manual does not say when that change occurs. Hopefully, it only occurs on switch off/on, so that Telnet connectivity is retained during this process, but I'm not sure.)

Finally, you can exit the Telnet session with

  EXIT

It seems that there is a Telnet server on Brother machines, and its primary use seems to be setting IP addresses, especially after an IP might have been set by an ARP method (for security, Brother only allow 'ARP-set method' to take place once, so any IP change away from an IP set by ARP has to be by another method).

regards, Ron
Re: Undocumented telnet access to Brother HL-2280DW
On Mon, 30 Dec 2013 07:17:49 -0500 Celejar cele...@gmail.com wrote:

> Not sure - even the process to upload new firmware doesn't give a firmware file, just an .exe upload tool - don't know if the firmware is embedded therein, or if it tries to download it from somewhere. I ran strings against it, but couldn't find anything for '23' or 'telnet':
>
> http://welcome.solutions.brother.com/bsc/public/us/us_ot/en/dlf/download_index.html?reg=usc=us_otlang=enprod=hl2280dw_ustype2=4os=allflang=alldlid=

The file itself, BrMain480.exe, is a self-extracting rar archive. FirmwareUpdater.exe it contains is a simple downloader (does not include anything which looks like a firmware, judging by objdump output). Configuration xml res/BrUpdSys.xml seems to contain the actual download link, namely:

  <FileGet_URL>https://firmverup.brother.co.jp/kne_bh7_update_nt_ssl/ifax2.asmx/fileUpdate</FileGet_URL>

That url apparently needs some additional parameters (printer model?), but I can see no hints on what they could be.

Reco
Re: Undocumented telnet access to Brother HL-2280DW
Thanks; I'd encountered similar instructions, but they don't work here. I don't get any prompt no matter what I do, and typing 'access' blind (no prompt or echo) doesn't do anything, either.

On Mon, 30 Dec 2013 12:48:04 + Ron Leach ronle...@tesco.net wrote:

> On 29/12/2013 20:00, Reco wrote:
>
> > So, no luck. Maybe it requires some engineering password first.
>
> I used to have a Brother inkjet MFP, and had also considered a laser-based MFP. Both the devices I looked at stated, in their manuals, that Telnet could be used, seemingly in the context of 'changing' the device's already assigned IP address. (This info was in the 'advanced users' troubleshooting section, perhaps because making a mistake when changing an IP address of something being accessed could lead to problems ... )
>
> The manual set out these steps for using Telnet:
>
> Type TELNET ipaddress at the command prompt.
>
> When you are connected, press Enter to receive the '#' prompt, and enter the password 'access' (ie, just the letters, not the ' symbols), the password will not appear on the screen.
>
> You will be prompted for a user name, enter anything in response.
>
> You will then get the prompt:
>
>   Local
>
> Type SET IP ADDRESS ipaddress (ipaddress is the 'new' IP address you want the printer to have), for example:
>
>   SET IP ADDRESS 192.168.1.3
>
> and you can (would need to, actually) set the subnet mask as well with SET IP SUBNET subnetmask, for example:
>
>   SET IP SUBNET 255.255.255.0
>
> You can set up a gateway address with SET IP ROUTER routeraddress, eg:
>
>   SET IP ROUTER 192.168.1.4
>
> You can force this static IP setting method to be remembered with
>
>   SET IP METHOD STATIC
>
> To verify that your settings are correct, you can type
>
>   SHOW IP
>
> (though this surprises me - at some point, the IP address will have changed, but the manual does not say when that change occurs. Hopefully, it only occurs on switch off/on, so that Telnet connectivity is retained during this process, but I'm not sure.)
>
> Finally, you can exit the Telnet session with
>
>   EXIT
>
> It seems that there is a Telnet server on Brother machines, and its primary use seems to be setting IP addresses, especially after an IP might have been set by an ARP method (for security, Brother only allow 'ARP-set method' to take place once, so any IP change away from an IP set by ARP has to be by another method).
>
> regards, Ron

Celejar
Re: Undocumented telnet access to Brother HL-2280DW
On Mon, 30 Dec 2013 18:53:01 +0400 Reco recovery...@gmail.com wrote:

> On Mon, 30 Dec 2013 07:17:49 -0500 Celejar cele...@gmail.com wrote:
>
> > Not sure - even the process to upload new firmware doesn't give a firmware file, just an .exe upload tool - don't know if the firmware is embedded therein, or if it tries to download it from somewhere. I ran strings against it, but couldn't find anything for '23' or 'telnet':
> >
> > http://welcome.solutions.brother.com/bsc/public/us/us_ot/en/dlf/download_index.html?reg=usc=us_otlang=enprod=hl2280dw_ustype2=4os=allflang=alldlid=
>
> The file itself, BrMain480.exe, is a self-extracting rar archive. FirmwareUpdater.exe it contains is a simple downloader (does not include anything which looks like a firmware, judging by objdump output). Configuration xml res/BrUpdSys.xml seems to contain the actual download link, namely:
>
>   <FileGet_URL>https://firmverup.brother.co.jp/kne_bh7_update_nt_ssl/ifax2.asmx/fileUpdate</FileGet_URL>
>
> That url apparently needs some additional parameters (printer model?), but I can see no hints on what they could be.

Thanks much for the help; I'm at an impasse here, but am willing to try further suggestions.

> Reco

Celejar
Re: Undocumented telnet access to Brother HL-2280DW
On Fri, 27 Dec 2013 11:18:18 +0400 Reco recovery...@gmail.com wrote:

> Hi.
>
> On Fri, 27 Dec 2013 00:00:46 -0500 Celejar cele...@gmail.com wrote:
>
> > So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?
>
> Try running nmap like this:
>
>   nmap -A -p 22,23 printer

Same information - my original run had the -A switch already.

> This should give you a better idea about the nature of this service. And, since the device in question supports SNMP, you probably can inspect printer's services like this:
>
>   snmpnetstat -c public -v 2c printer -Can -Cf inet

Not sure what I'm looking for, but all I see is that the machine is LISTENing on port 23.

> Reco

Thanks,
Celejar
Re: Undocumented telnet access to Brother HL-2280DW
On Fri, 27 Dec 2013 00:22:48 -0500 Shawn Wilson ag4ve...@gmail.com wrote:

> There's a framework for hacking printers (and maybe other networked hardware). I did a quick Google and didn't find it but that's what I'd suggest looking for.

Do you mean this?

http://www.irongeek.com/i.php?page=security/networkprinterhacking

I had encountered that page, but a cursory look doesn't indicate that it's of much use here - it seems to presume that one can actually get a telnet connection going.

> Celejar cele...@gmail.com wrote:
>
> > The Brother HL-2280DW (network printer) listens on port 23, but I can't get a working telnet session going. Telnet option negotiation seems to take place, but I get no login or any other sort of prompt. Pressing enter a few times, with or without typing random text, eventually results in the remote host disconnecting. Here's a netcat dump of a session where I repeatedly press enter until disconnection:
> >
> >   1b 5b 32 4a 1b 5b 31 3b 31 66 # .[2J.[1;1f
> >   000a ff fb 01 ff fb 03 ff fd 03 # .
> >   0a # .
> >   0013 ff fb 01 ff fb 03 ff fd 03 # .
> >   001c 0d 0a # ..
> >   0001 0a # .
> >   001e 0d 0a # ..
> >   0002 0a # .
> >   0020 0d 0a # ..
> >   0003 0a # .
> >   0022 0d 0a # ..
> >   0004 0a # .
> >   0024 0d 0a # ..
> >   0005 0a # .
> >
> > If I understand this correctly, the first few lines are telnet option negotiation, but nothing after that. nmap reports:
> >
> >   23/tcp open telnet Brother/HP printer telnetd
> >
> > but I don't know if it's just assuming that daemon, since the machine is listening on port 23 and it's a Brother, or if it is actually managing to connect
> >
> > The documentation for this model doesn't seem to say anything about telnet access, and I can find no mention of it in the web management interface, which does list the other open ports / services, including FTP, SNMP, POP3 and SMTP. I have tried connecting to these other services, and they seem to work.
> >
> > So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?
> >
> > Celejar

Celejar
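Added example (not part of the original thread): the printer-to-client bytes of the netcat dump quoted in the message above, decoded into ANSI escapes, telnet option negotiation and data. The function names are hypothetical, DUMP is assembled from the dump's records at offsets 0000, 000a, 0013 and 001c, and the option table is a subset of the telnet option registry.

```python
# Added example: decode the printer-to-client bytes of the netcat dump.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
COMMANDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
# Subset of the telnet option registry (ECHO: RFC 857, SGA: RFC 858).
OPTIONS = {0x00: "BINARY", 0x01: "ECHO", 0x03: "SUPPRESS-GO-AHEAD",
           0x18: "TERMINAL-TYPE", 0x1F: "NAWS", 0x22: "LINEMODE"}

# Constructed from the dump in the post: the records at offsets
# 0000, 000a, 0013 and 001c, concatenated in order.
DUMP = bytes.fromhex(
    "1b5b324a1b5b313b3166"   # ESC[2J ESC[1;1f
    "fffb01fffb03fffd03"     # first negotiation burst
    "fffb01fffb03fffd03"     # same burst again after the client sent 0a
    "0d0a")                  # CR LF


def decode_telnet(stream: bytes):
    """Split a raw telnet byte stream into (kind, detail) events."""
    events, data, i = [], bytearray(), 0

    def flush():
        # Emit any pending plain bytes as one DATA event.
        if data:
            events.append(("DATA", bytes(data)))
            data.clear()

    while i < len(stream):
        b = stream[i]
        nxt = stream[i + 1] if i + 1 < len(stream) else None
        if b == IAC and nxt == IAC:            # escaped literal 0xFF
            data.append(IAC)
            i += 2
        elif b == IAC and nxt in COMMANDS and i + 2 < len(stream):
            flush()
            opt = stream[i + 2]
            events.append((COMMANDS[nxt], OPTIONS.get(opt, f"option {opt}")))
            i += 3
        elif b == IAC and nxt == SB:           # subnegotiation up to IAC SE
            flush()
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                events.append(("TRUNCATED", stream[i:]))
                break
            events.append(("SB", stream[i + 2:end]))
            i = end + 2
        elif b == IAC:                         # other or cut-off command
            flush()
            events.append(("CMD", stream[i:i + 2]))
            i += 2
        elif b == 0x1B and nxt == 0x5B:        # ANSI CSI: ESC [ ... final byte
            flush()
            j = i + 2
            while j < len(stream) and not 0x40 <= stream[j] <= 0x7E:
                j += 1
            events.append(("ANSI", stream[i + 2:j + 1].decode("ascii", "replace")))
            i = j + 1
        else:
            data.append(b)
            i += 1
    flush()
    return events


def prompt_text(events):
    """Application data left once CR/LF are dropped (empty = no prompt)."""
    raw = b"".join(d for kind, d in events if kind == "DATA")
    return raw.replace(b"\r", b"").replace(b"\n", b"")
```

On these bytes decode_telnet(DUMP) yields the two ANSI sequences 2J and 1;1f, then WILL ECHO, WILL SUPPRESS-GO-AHEAD, DO SUPPRESS-GO-AHEAD twice, then a bare CR LF. prompt_text returns an empty byte string, so the captured stream carries no prompt text.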
Re: Undocumented telnet access to Brother HL-2280DW
Hi.

On Sun, 29 Dec 2013 09:17:13 -0500 Celejar cele...@gmail.com wrote:

> > > So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?
> >
> > Try running nmap like this:
> >
> >   nmap -A -p 22,23 printer
>
> Same information - my original run had the -A switch already.

Ok. This suggests that it is a telnet actually (Multi-Protocol part lists telnet as a supported service):

http://www.klbe.ca/docs/Black_Printers/HL-2280DW.pdf

This:

http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF

gave me an idea - they run telnet, but they use some variation of tcp wrappers which forbids any telnet connections (possibly other services too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or 169.254.0.0/16).

Reco
Re: Undocumented telnet access to Brother HL-2280DW
On Sun, 29 Dec 2013 19:52:05 +0400 Reco recovery...@gmail.com wrote:

> Hi.
>
> On Sun, 29 Dec 2013 09:17:13 -0500 Celejar cele...@gmail.com wrote:
>
> > > > So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?
> > >
> > > Try running nmap like this:
> > >
> > >   nmap -A -p 22,23 printer
> >
> > Same information - my original run had the -A switch already.
>
> Ok. This suggests that it is a telnet actually (Multi-Protocol part lists telnet as a supported service):
>
> http://www.klbe.ca/docs/Black_Printers/HL-2280DW.pdf

Neat - thanks.

> This:
>
> http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF
>
> gave me an idea - they run telnet, but they use some variation of tcp wrappers which forbids any telnet connections (possibly other services too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or 169.254.0.0/16).

What did you see there (what page)?

I tried telnetting from my router, an OpenWrt box with address 192.168.0.1, and I get:

  Entering character mode
  Escape character is '^]'.

And then pretty much the same thing: no response, and eventual disconnect after several carriage returns.

FWIW, other services seem to work fine (SMTP, FTP).

> Reco

Celejar
Re: Undocumented telnet access to Brother HL-2280DW
On Sun, 29 Dec 2013 19:52:05 +0400 Reco recovery...@gmail.com wrote:

> Hi.
>
> On Sun, 29 Dec 2013 09:17:13 -0500 Celejar cele...@gmail.com wrote:
>
> > > > So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?
> > >
> > > Try running nmap like this:
> > >
> > >   nmap -A -p 22,23 printer
> >
> > Same information - my original run had the -A switch already.
>
> Ok. This suggests that it is a telnet actually (Multi-Protocol part lists telnet as a supported service):
>
> http://www.klbe.ca/docs/Black_Printers/HL-2280DW.pdf
>
> This:
>
> http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF
>
> gave me an idea - they run telnet, but they use some variation of tcp wrappers which forbids any telnet connections (possibly other services too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or 169.254.0.0/16).

Also note that the Supported protocols appendix of that second document (p. 76) *doesn't* include telnet among the two dozen or so supported protocols.

Thanks for the help.

> Reco

Celejar
Re: Undocumented telnet access to Brother HL-2280DW
On Sun, 29 Dec 2013 13:52:13 -0500 Celejar cele...@gmail.com wrote:

> > This: http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF
> > gave me an idea - they run telnet, but they use some variation of tcp wrappers which forbids any telnet connections (possibly other services too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or 169.254.0.0/16).
>
> What did you see there (what page)?

Nothing in particular, just a guess. Manufacturers like to do stuff like this. Best of them think 'like, everyone and their dog uses 192.168.0.0/24 for the home network, let's secure our product by denying access from anyone outside'. Of course, to hardcode 192.168.0.0/24 is the easiest these guys can do. So, I browsed that pdf, searched for IPs, and sure enough, there was 192.168.0.1 as a default gateway example and 192.168.0.5 as a printer example, and some explanation of LLNR.

> I tried telnetting from my router, an OpenWrt box with address 192.168.0.1, and I get:
>
>   Entering character mode
>   Escape character is '^]'.
>
> And then pretty much the same thing: no response, and eventual disconnect after several carriage returns.

So, no luck. Maybe it requires some engineering password first. Can you dump the firmware from the printer?

Reco
Re: Undocumented telnet access to Brother HL-2280DW
There's a framework for hacking printers (and maybe other networked hardware). I did a quick Google and didn't find it but that's what I'd suggest looking for.

Celejar cele...@gmail.com wrote:

> The Brother HL-2280DW (network printer) listens on port 23, but I can't get a working telnet session going. Telnet option negotiation seems to take place, but I get no login or any other sort of prompt. Pressing enter a few times, with or without typing random text, eventually results in the remote host disconnecting. Here's a netcat dump of a session where I repeatedly press enter until disconnection:
>
>   1b 5b 32 4a 1b 5b 31 3b 31 66 # .[2J.[1;1f
>   000a ff fb 01 ff fb 03 ff fd 03 # .
>   0a # .
>   0013 ff fb 01 ff fb 03 ff fd 03 # .
>   001c 0d 0a # ..
>   0001 0a # .
>   001e 0d 0a # ..
>   0002 0a # .
>   0020 0d 0a # ..
>   0003 0a # .
>   0022 0d 0a # ..
>   0004 0a # .
>   0024 0d 0a # ..
>   0005 0a # .
>
> If I understand this correctly, the first few lines are telnet option negotiation, but nothing after that. nmap reports:
>
>   23/tcp open telnet Brother/HP printer telnetd
>
> but I don't know if it's just assuming that daemon, since the machine is listening on port 23 and it's a Brother, or if it is actually managing to connect
>
> The documentation for this model doesn't seem to say anything about telnet access, and I can find no mention of it in the web management interface, which does list the other open ports / services, including FTP, SNMP, POP3 and SMTP. I have tried connecting to these other services, and they seem to work.
>
> So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?
>
> Celejar
Re: Undocumented telnet access to Brother HL-2280DW
Hi.

On Fri, 27 Dec 2013 00:00:46 -0500 Celejar cele...@gmail.com wrote:

> So what do we have here? Some sort of broken, half-baked telnet service running, or am I doing something wrong?

Try running nmap like this:

  nmap -A -p 22,23 printer

This should give you a better idea about the nature of this service. And, since the device in question supports SNMP, you probably can inspect printer's services like this:

  snmpnetstat -c public -v 2c printer -Can -Cf inet

Reco