
Undocumented telnet access to Brother HL-2280DW


Celejar

Dec 27, 2013, 12:10:01 AM
The Brother HL-2280DW (network printer) listens on port 23, but I
can't get a working telnet session going. Telnet option negotiation
seems to take place, but I get no login or any other sort of prompt.
Pressing enter a few times, with or without typing random text,
eventually results in the remote host disconnecting.

Here's a netcat dump of a session where I repeatedly press enter until
disconnection:

< 00000000 1b 5b 32 4a 1b 5b 31 3b 31 66 # .[2J.[1;1f
< 0000000a ff fb 01 ff fb 03 ff fd 03 # .........
> 00000000 0a # .
< 00000013 ff fb 01 ff fb 03 ff fd 03 # .........
< 0000001c 0d 0a # ..
> 00000001 0a # .
< 0000001e 0d 0a # ..
> 00000002 0a # .
< 00000020 0d 0a # ..
> 00000003 0a # .
< 00000022 0d 0a # ..
> 00000004 0a # .
< 00000024 0d 0a # ..
> 00000005 0a # .

If I understand this correctly, the first few lines are telnet option
negotiation, but nothing after that.

nmap reports:

23/tcp open telnet Brother/HP printer telnetd

but I don't know if it's just assuming that daemon, since the machine
is listening on port 23 and it's a Brother, or if it is actually
managing to connect.

The documentation for this model doesn't seem to say anything about
telnet access, and I can find no mention of it in the web management
interface, which does list the other open ports / services, including
FTP, SNMP, POP3 and SMTP. I have tried connecting to these other
services, and they seem to work.

So what do we have here? Some sort of broken, half-baked telnet service
running, or am I doing something wrong?

Celejar


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/20131227000046.0449...@gmail.com
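
The printer-side ("<") bytes of the netcat dump in the post above can be decoded mechanically as telnet commands. This is an added example, not part of the original post; the function and constant names are hypothetical, and the byte string is re-typed from the dump (offsets 0x00 to 0x1d only).

```python
# Added example: decode the printer-side ("<") bytes of the netcat dump.
# Names follow RFC 854/857/858; the bytes are re-typed from the post.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
OPTIONS = {0x01: "ECHO", 0x03: "SUPPRESS-GO-AHEAD"}

SERVER_BYTES = bytes.fromhex(
    "1b5b324a1b5b313b3166"  # offset 0x00: ANSI escape sequences
    "fffb01fffb03fffd03"    # offset 0x0a: option negotiation
    "fffb01fffb03fffd03"    # offset 0x13: same, after the first LF
    "0d0a"                  # offset 0x1c: CR LF
)

def decode(stream):
    """Split a telnet byte stream into (kind, value) events."""
    events, data, i = [], bytearray(), 0
    def flush():
        if data:
            events.append(("data", bytes(data)))
            data.clear()

    while i < len(stream):
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        cmd = stream[i + 1] if i + 1 < len(stream) else None
        if cmd == IAC:                      # IAC IAC = literal 0xFF data
            data.append(IAC)
            i += 2
        elif cmd in VERBS and i + 2 < len(stream):
            flush()
            opt = stream[i + 2]
            events.append(("negotiate", f"{VERBS[cmd]} {OPTIONS.get(opt, hex(opt))}"))
            i += 3
        elif cmd == SB and stream.find(bytes([IAC, SE]), i) != -1:
            end = stream.find(bytes([IAC, SE]), i)
            flush()
            events.append(("subnegotiation", stream[i + 2:end]))
            i = end + 2
        else:                               # other command or cut-off input
            flush()
            events.append(("command", stream[i:i + 2]))
            i += 2
    flush()
    return events

if __name__ == "__main__":
    print(*decode(SERVER_BYTES), sep="\n")
```

The leading data is ESC[2J and ESC[1;1f (clear screen, cursor to row 1, column 1), followed by WILL ECHO, WILL SUPPRESS-GO-AHEAD and DO SUPPRESS-GO-AHEAD, sent twice. The ">" side of the capture contains only bare LF (0a) bytes, so no IAC reply was ever sent back by netcat.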

Shawn Wilson

Dec 27, 2013, 12:30:02 AM
There's a framework for hacking printers (and maybe other networked hardware). I did a quick Google and didn't find it but that's what I'd suggest looking for.
Archive: http://lists.debian.org/8a9bbab8-5744-4c35...@email.android.com

Reco

Dec 27, 2013, 2:20:01 AM
Hi.

On Fri, 27 Dec 2013 00:00:46 -0500
Celejar <cel...@gmail.com> wrote:

> So what do we have here? Some sort of broken, half-baked telnet service
> running, or am I doing something wrong?

Try running nmap like this:

nmap -A -p 22,23 <printer>

This should give you a better idea about the nature of this service.

And, since the device in question supports SNMP, you probably can
inspect printer's services like this:

snmpnetstat -c public -v 2c <printer> -Can -Cf inet

Reco


Archive: http://lists.debian.org/20131227111818.c2f1...@gmail.com

Celejar

Dec 29, 2013, 9:20:02 AM
On Fri, 27 Dec 2013 11:18:18 +0400
Reco <recov...@gmail.com> wrote:

> Hi.
>
> On Fri, 27 Dec 2013 00:00:46 -0500
> Celejar <cel...@gmail.com> wrote:
>
> > So what do we have here? Some sort of broken, half-baked telnet service
> > running, or am I doing something wrong?
>
> Try running nmap like this:
>
> nmap -A -p 22,23 <printer>

Same information - my original run had the -A switch already.

> This should give you a better idea about the nature of this service.
>
> And, since the device in question supports SNMP, you probably can
> inspect printer's services like this:
>
> snmpnetstat -c public -v 2c <printer> -Can -Cf inet

Not sure what I'm looking for, but all I see is that the machine is
LISTENing on port 23.

> Reco

Thanks,
Celejar


Archive: http://lists.debian.org/20131229091713.a8c1...@gmail.com

Celejar

Dec 29, 2013, 9:20:03 AM
On Fri, 27 Dec 2013 00:22:48 -0500
Shawn Wilson <ag4v...@gmail.com> wrote:

> There's a framework for hacking printers (and maybe other networked
> hardware). I did a quick Google and didn't find it but that's what I'd
> suggest looking for.

Do you mean this?

http://www.irongeek.com/i.php?page=security/networkprinterhacking

I had encountered that page, but a cursory look doesn't indicate that
it's of much use here - it seems to presume that one can actually get a
telnet connection going.
Archive: http://lists.debian.org/20131229091911.3ad9...@gmail.com

Reco

Dec 29, 2013, 11:00:02 AM
Hi.

On Sun, 29 Dec 2013 09:17:13 -0500
Celejar <cel...@gmail.com> wrote:

> > > So what do we have here? Some sort of broken, half-baked telnet service
> > > running, or am I doing something wrong?
> >
> > Try running nmap like this:
> >
> > nmap -A -p 22,23 <printer>
>
> Same information - my original run had the -A switch already.

Ok. This suggests that it is a telnet actually (Multi-Protocol part
lists telnet as a supported service):

http://www.klbe.ca/docs/Black_Printers/HL-2280DW.pdf

This:

http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF

gave me an idea - they run telnet, but they use some variation of tcp
wrappers which forbids any telnet connections (possibly other services
too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or
169.254.0.0/16).

Reco


Archive: http://lists.debian.org/20131229195205.3647...@gmail.com

Celejar

Dec 29, 2013, 2:00:01 PM
On Sun, 29 Dec 2013 19:52:05 +0400
Reco <recov...@gmail.com> wrote:

> Hi.
>
> On Sun, 29 Dec 2013 09:17:13 -0500
> Celejar <cel...@gmail.com> wrote:
>
> > > > So what do we have here? Some sort of broken, half-baked telnet service
> > > > running, or am I doing something wrong?
> > >
> > > Try running nmap like this:
> > >
> > > nmap -A -p 22,23 <printer>
> >
> > Same information - my original run had the -A switch already.
>
> Ok. This suggests that it is a telnet actually (Multi-Protocol part
> lists telnet as a supported service):
>
> http://www.klbe.ca/docs/Black_Printers/HL-2280DW.pdf

Neat - thanks.

> This:
>
> http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF
>
> gave me an idea - they run telnet, but they use some variation of tcp
> wrappers which forbids any telnet connections (possibly other services
> too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or
> 169.254.0.0/16).

What did you see there (what page)?

I tried telnetting from my router, an OpenWrt box with address
192.168.0.1, and I get:

Entering character mode
Escape character is '^]'.

And then pretty much the same thing: no response, and eventual
disconnect after several carriage returns.

FWIW, other services seem to work fine (SMTP, FTP).

> Reco

Celejar


Archive: http://lists.debian.org/20131229135213.8ef3...@gmail.com

Celejar

Dec 29, 2013, 2:00:01 PM
On Sun, 29 Dec 2013 19:52:05 +0400
Reco <recov...@gmail.com> wrote:

> Hi.
>
> On Sun, 29 Dec 2013 09:17:13 -0500
> Celejar <cel...@gmail.com> wrote:
>
> > > > So what do we have here? Some sort of broken, half-baked telnet service
> > > > running, or am I doing something wrong?
> > >
> > > Try running nmap like this:
> > >
> > > nmap -A -p 22,23 <printer>
> >
> > Same information - my original run had the -A switch already.
>
> Ok. This suggests that it is a telnet actually (Multi-Protocol part
> lists telnet as a supported service):
>
> http://www.klbe.ca/docs/Black_Printers/HL-2280DW.pdf
>
> This:
>
> http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF
>
> gave me an idea - they run telnet, but they use some variation of tcp
> wrappers which forbids any telnet connections (possibly other services
> too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or
> 169.254.0.0/16).

Also note that the "Supported protocols" appendix of that second
document (p. 76) *doesn't* include telnet among the two dozen or so
supported protocols.

Thanks for the help.

> Reco

Celejar


Archive: http://lists.debian.org/20131229135519.903a...@gmail.com

Reco

Dec 29, 2013, 3:10:02 PM
On Sun, 29 Dec 2013 13:52:13 -0500
Celejar <cel...@gmail.com> wrote:

> > This:
> >
> > http://www.brother-usa.com/VirData/Content/en-US%5CPrinters%5CConsumer%5CNetworkUsersManual%5CNUM_DCP_7065DN_HL_2280DW_MFC_7360N_7460DN_7860DW_EN_2845.PDF
> >
> > gave me an idea - they run telnet, but they use some variation of tcp
> > wrappers which forbids any telnet connections (possibly other services
> > too) from anything except maybe 192.168.0.1 (or, 192.168.0.5, or
> > 169.254.0.0/16).
>
> What did you see there (what page)?

Nothing in particular, just a guess. Manufacturers like to do stuff
like this. Best of them think 'like, everyone and their dog uses
192.168.0.0/24 for the home network, let's secure our product by
denying access from anyone outside'. Of course, to hardcode
192.168.0.0/24 is the easiest these guys can do.

So, I browsed that pdf, searched for IPs, and sure enough, there was
192.168.0.1 as a default gateway example and 192.168.0.5 as a printer
example, and some explanation of LLNR.

> I tried telnetting from my router, an OpenWrt box with address
> 192.168.0.1, and I get:
>
> Entering character mode
> Escape character is '^]'.
>
> And then pretty much the same thing: no response, and eventual
> disconnect after several carriage returns.

So, no luck. Maybe it requires some engineering password first.
Can you dump the firmware from the printer?

Reco


Archive: http://lists.debian.org/20131230000051.0cd6...@gmail.com

Celejar

Dec 30, 2013, 7:20:02 AM
Not sure - even the process to upload new firmware doesn't give a
firmware file, just an .exe "upload tool" - don't know if the firmware
is embedded therein, or if it tries to download it from somewhere. I
ran strings against it, but couldn't find anything for '23' or 'telnet':

http://welcome.solutions.brother.com/bsc/public/us/us_ot/en/dlf/download_index.html?reg=us&c=us_ot&lang=en&prod=hl2280dw_us&type2=4&os=all&flang=all&dlid=

> Reco

Celejar


Archive: http://lists.debian.org/20131230071749.d22e...@gmail.com

Ron Leach

Dec 30, 2013, 7:50:01 AM
On 29/12/2013 20:00, Reco wrote:
>
> So, no luck. Maybe it requires some engineering password first.
>

I used to have a Brother inkjet MFP, and had also considered a
laser-based MFP. Both the devices I looked at stated, in their
manuals, that Telnet could be used, seemingly in the context of
'changing' the device's already assigned IP address. (This info was
in the 'advanced users' troubleshooting section, perhaps because
making a mistake when changing an IP address of something being
accessed could lead to problems ... )

The manual set out these steps for using Telnet:

Type TELNET ipaddress at the command prompt. When you are connected,
press Enter to receive the '#' prompt, and enter the password
'access' (ie, just the letters, not the ' symbols), the password will
not appear on the screen.

You will be prompted for a user name, enter anything in response.

You will then get the prompt:
Local>

Type SET IP ADDRESS ipaddress (ipaddress is the 'new' IP address you
want the printer to have), for example:

SET IP ADDRESS 192.168.1.3

and you can (would need to, actually) set the subnet mask as well with

SET IP SUBNET subnetmask, for example:

SET IP SUBNET 255.255.255.0

You can set up a gateway address with

SET IP ROUTER routeraddress, eg:

SET IP ROUTER 192.168.1.4

You can force this static IP setting method to be remembered with

SET IP METHOD STATIC

To verify that your settings are correct, you can type

SHOW IP

(though this surprises me - at some point, the IP address will have
changed, but the manual does not say when that change occurs.
Hopefully, it only occurs on switch off/on, so that Telnet
connectivity is retained during this process, but I'm not sure.)

Finally, you can exit the Telnet session with

EXIT

It seems that there is a Telnet server on Brother machines, and its
primary use seems to be setting IP addresses, especially after an IP
might have been set by an ARP method (for security, Brother only allow
'ARP-set method' to take place once, so any IP change away from an IP
set by ARP has to be by another method).

regards, Ron


Archive: http://lists.debian.org/52C16B84...@tesco.net

Reco

Dec 30, 2013, 10:00:02 AM
On Mon, 30 Dec 2013 07:17:49 -0500
Celejar <cel...@gmail.com> wrote:
>
> Not sure - even the process to upload new firmware doesn't give a
> firmware file, just an .exe "upload tool" - don't know if the firmware
> is embedded therein, or if it tries to download it from somewhere. I
> ran strings against it, but couldn't find anything for '23' or 'telnet':
>
> http://welcome.solutions.brother.com/bsc/public/us/us_ot/en/dlf/download_index.html?reg=us&c=us_ot&lang=en&prod=hl2280dw_us&type2=4&os=all&flang=all&dlid=
>

The file itself, BrMain480.exe, is a self-extracting rar archive.
FirmwareUpdater.exe it contains is a simple downloader (does not
include anything which looks like a firmware, judging by objdump
output).
Configuration xml res/BrUpdSys.xml seems to contain the actual download
link, namely:
<FileGet_URL>https://firmverup.brother.co.jp/kne_bh7_update_nt_ssl/ifax2.asmx/fileUpdate</FileGet_URL>

That url apparently needs some additional parameters (printer model?),
but I can see no hints on what they could be.

Reco


Archive: http://lists.debian.org/20131230185301.1e62...@gmail.com

Celejar

Dec 30, 2013, 11:40:01 PM
On Mon, 30 Dec 2013 18:53:01 +0400
Reco <recov...@gmail.com> wrote:

> On Mon, 30 Dec 2013 07:17:49 -0500
> Celejar <cel...@gmail.com> wrote:
> >
> > Not sure - even the process to upload new firmware doesn't give a
> > firmware file, just an .exe "upload tool" - don't know if the firmware
> > is embedded therein, or if it tries to download it from somewhere. I
> > ran strings against it, but couldn't find anything for '23' or 'telnet':
> >
> > http://welcome.solutions.brother.com/bsc/public/us/us_ot/en/dlf/download_index.html?reg=us&c=us_ot&lang=en&prod=hl2280dw_us&type2=4&os=all&flang=all&dlid=
> >
>
> The file itself, BrMain480.exe, is a self-extracting rar archive.
> FirmwareUpdater.exe it contains is a simple downloader (does not
> include anything which looks like a firmware, judging by objdump
> output).
> Configuration xml res/BrUpdSys.xml seems to contain the actual download
> link, namely:
> <FileGet_URL>https://firmverup.brother.co.jp/kne_bh7_update_nt_ssl/ifax2.asmx/fileUpdate</FileGet_URL>
>
> That url apparently needs some additional parameters (printer model?),
> but I can see no hints on what they could be.

Thanks much for the help; I'm at an impasse here, but am willing to try
further suggestions.

> Reco

Celejar


Archive: http://lists.debian.org/20131230233649.e834...@gmail.com

Celejar

Dec 30, 2013, 11:40:01 PM
Thanks; I'd encountered similar instructions, but they don't work here.
I don't get any prompt no matter what I do, and typing 'access' blind
(no prompt or echo) doesn't do anything, either.
Celejar


Archive: http://lists.debian.org/20131230233519.b829...@gmail.com