When scanning Toshiba MFP, many pages of garbage print gets produced. Ideally, we’d be able to scan them for their vulnerabilities without the print. Is there a way to accomplish this?
Also, I have 50± scheduled tasks, and about as many of these MFPs. How can I exclude the copiers without recreating all of the tasks? Other things will come up along the way. Recreating tasks isn’t really a viable solution.
Thanks and be well,
Ken
Answering this question currently requires some additional background on printer scans and why this is happening:
Generally a Full and Fast scan excludes a known and previous detected printer from a scan by default. Scanning a printer requires the setting Exclude printers from scan in the following VT set to no:
Global variable settings (OID: 1.3.6.1.4.1.25623.1.0.12288)
As noted previously this requires that the printer is detected. If you havn’t changed this setting then it is very likely that the printer wasn’t detected at all, please see the end of this posting for some more information for this case.
Most printers are exposing one or more specific PJL / Raw printing ports (TCP) which are often configurable by the user. Every VT and/or nmap service probe sending some data to the PJL / Raw printing port(s) will cause your printer to print out the data sent to it.
To avoid the situations of 2. the following VT:
Do not print on AppSocket and socketAPI printers (OID: 1.3.6.1.4.1.25623.1.0.12241)
tries to exclude some common known ports (namely 9100-9107 and 9112-9116) if a printer was detected.
Depending on your printer and the exposed ports you might need to add / update the ports to exclude in that VT.
It could be also possible that this VT is not detecting your printer at all (See 1. above). Then we could update it to detect it, for this every info like:
etc. could help.
This seems like very useful information. I’m relatively new to OpenVAS so, I’m not 100% sure I understand. This gives me some things to poke around at, though.
Thanks for the input. More to follow…
No worries. Please don’t hesitate to ask here again if something isn’t that clear or if you have further questions (e.g. how to get the mentioned banner info etc.).
Thanks, how to I apply the second solution?
How do I determine which VT is causing the issue? I see a couple of pages of text that are somewhat readable. It appears that the scan that caused the printing was on port 9100. The only VT that it looks like would have caused this was “Unknown OS and Service Banner Reporting”. I created a new scan config including only that VT and it didn’t cause the MFP to print.
Unfortunately this highly depends on the services (e.g. FTP, SNMP, HTTP) the printer is exposing and if the exposed data is helping us to detect the printer.
But basically you can try to run the following calls (Linux system required) to see if they are giving you any output and post the output in here after removing any sensitive data:
Telnet:
nc -vvv $ipofprinter 23
FTP:
nc -vvv $ipofprinter 21
SNMP:
snmpwalk -v 2c -c public $ipofprinter
HTTP:
curl -i http://$ipofprinter
In this case it is not a matter of which VT is causing the issue as every VT (there might be hundreds) sending some data to that port will cause your printer to print out some text. If you have a linux system at hand you can even print some text from command line like e.g.:
echo "Hello world" | nc -vvv $ipofprinter 9100
and your printer will start to print out this text.
Hi @dunnken ,
unfortunately we haven’t received any examples / banners for the Toshiba MFPs since my last post.
But in the meantime various detection VTs for Toshiba MFPs (the e-STUDIO) based on the following protocols were implemented:
SNMP
HTTP
FTP
PJL (only specific models)
Finger
which should be available in the feed in the next few days. Those should improve this situation for you as well.